Corporate eFax message with ZIP attachment contains trojan

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “Corporate eFax message from “739-566-5544″ – 5 pages” (note: number will vary in each email).

The email is send from the spoofed address “eFax Corporate <>” and has the following body:

You have received 5 pages fax at 2013-08-29 10:24:18 CST.* The reference number for this fax is latf1_did11-1944268383-7063244220-63.

Please visit if you have any questions regarding this message or your service. You may also e-mail our corporate support department at

Thank you for using the eFax Corporate service! 2013 j2 Global, Inc. All rights reserved.eFax Corporate is a registered trademark of j2 Global, Inc.

The attached ZIP file has the name and contains the 17 kB large file Fax_08292013_821.exe.

The trojan is known as Trojan-Downloader.Win32.Agent (A) by Emsisoft.

At the time of writing, 1 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: e8c67da9c5d3bf233e8918a8b364ce65b7756e146217e36b6728193cf14072d6.

7 thoughts on “Corporate eFax message with ZIP attachment contains trojan

  1. I received the same email today. The To: entry was blank which made me suspect it, Glad you can confirm it is a scam.

  2. i received the same as well. unfortunately i did not know this was a scam email, however i was smart enough to NOT open it because it looked odd and did not say who sent it. I called the company to inquire and they were as helpful as… well let’s just say they were of no help at all and really didn’t seem to want to help.

  3. I got a similar email this morning, although not exactly the same.
    It appears to be a spoofed address, which looks like it came from .
    The subject line is “eFax message from 15189808302 – 1 page(s), Caller-ID: 518-980-8302”

    I went to the website told them about the email, and that I don’t have an account, and they said right away that it’s a phishing spam email. They said that authentic fax message always come as a pdf attachment. This was just a link to the supposed pdf.

    The link in the email was spoofed, and appears to go to but actually goes to this domain: “cpag.tmf” (remove space)

    The file inside the zip is named pdf_efax_5189808302.scr which appears to be Windows executable. This file is 389KB. The zip file is 329KB.

    Hope this info helps someone… I’m on OSX, so the file did not execute. This as far as I checked it out.

  4. hi there, i did click on the link and when I realised it was a download I closed Chrome. how do i know if I am safe or not?No idea. I have AVG virus protection

  5. Check your downloads folder for the file… It’s a small file, so it probably would have downloaded very quickly.

    If you’re on windows, I would start by doing a virus scan and hopefully it will pick it up if you’ve been infected. It’s possible that the zip didn’t open, if so, then you’re safe… If you see the .exe or .scr file in your downloads along with the .zip, then it did open and you may be infected. If it’s not there, then you may be safe, although it’s possible it could have deleted itself from downloads folder, then you’d have to depend on AV to find it.

    I’ve been using Mac for a number of years now, so I’m really out of touch with Windows systems… just watch the computer for anything strange going on, or out of the ordinary. Perhaps someone else with more PC experience has further advice…

Comments are closed.