Sanesecurity ClamAV blog: zero hour malware, phishing and scams: You have a new eFax from 639-469-3635

Thursday 23 April 2015

You have a new eFax from 639-469-3635

You have a new eFax from 639-469-3635 emails arriving with a clickable malware link.

Headers:

From: "eFax.com" {no_reply@inbound.efax.com}
Subject: You have a new eFax from 639-469-3635 - 1 pages

Message body:


eFax Message [Caller-ID: 639-469-3635]
You have received a 3 pages fax on Thu, 23 Apr 2015 14:52:54 +0100 .
You can view your eFax online, in PDF format, by visiting :

https://www2.efax.com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=639-469-3635

* This fax's reference # is 18389822

Thank you for using eFax!

The fake link in the message body takes you to download:

http://91.194.254.239/fax_33663232.pdf.zip

Inside the Zip file is a Windows Executable file:

df_fax_33663232.pif

Sha256 Hashes:

05bd60347ac7df715a2a8ca36fba996392424879804c552a2aef1d31d019147e [1]

Anti virus reports:

VirusTotal Report: [1] (Detection 3/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Thursday 23 April 2015

You have a new eFax from 639-469-3635

No comments: