Thursday, 23 April 2015

You have a new eFax from 639-469-3635

Emails with the subject "You have a new eFax from 639-469-3635" are arriving with a clickable malware link.

Headers:
From: "eFax.com" {no_reply@inbound.efax.com}
Subject: You have a new eFax from 639-469-3635 - 1 pages
Message body:

eFax Message [Caller-ID: 639-469-3635]
You have received a 3 pages fax on Thu, 23 Apr 2015 14:52:54 +0100 .
You can view your eFax online, in PDF format, by visiting :

https://www2.efax.com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=639-469-3635

* This fax's reference # is 18389822

Thank you for using eFax!

The fake link in the message body takes you to download:
http://91.194.254.239/fax_33663232.pdf.zip
Inside the Zip file is a Windows Executable file:
df_fax_33663232.pif
Sha256 Hashes:
05bd60347ac7df715a2a8ca36fba996392424879804c552a2aef1d31d019147e    [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]
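
A mail-filter style check for the two traits this message shows: a link whose displayed efax.com URL hides a bare-IP href, and a zip whose member is a .pif executable. This is an added example, not code from the original post; the `<a>` markup of the sample and all function names are assumptions.

```python
import io, ipaddress, zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly; .pif is the one this campaign used.
EXEC_EXTS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs")
# Constructed sample: the <a> markup is assumed, both URLs are quoted in the post.
SAMPLE_HTML = ('<a href="http://91.194.254.239/fax_33663232.pdf.zip">https://www2.efax.com/documents/'
               'view_fax.aspx?utm_source=eFax&amp;fax_type=doc&amp;caller_id=639-469-3635</a>')

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def suspicious_links(html):
    """Map href -> reasons for links that show one host but point at another or at a bare IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != real:
            findings.setdefault(href, []).append("displayed host differs from href host")
        if is_ip_literal(real):
            findings.setdefault(href, []).append("href host is an IP literal")
    return findings

def executable_members(zip_bytes):
    """Names of archive members whose final extension is directly executable on Windows."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
```

`suspicious_links` only compares hosts when the visible text is itself a URL, so ordinary "click here" links are not flagged by the mismatch rule.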

Cheers,
Steve
Sanesecurity.com
