Fake incoming fax report from a Xerox Workcentre contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “INCOMING FAX REPORT : Remote ID: 883-933-3496” (number may vary with each mail).

The email is send from the spoofed address “Xerox Workcentre <Scan6@yourdomain.be>” – note that it appears to be coming from your own company by using the domain of the recipient – and has the following body:


Date/Time: 09/18/2013 01:35:12 EST
Speed: 43985 bps
Connection time: 04:07
Pages: 8
Resolution: Normal
Remote ID: 883-933-3496
Line number: 883-933-3496
Description: Important – August Documents .pdf


This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

The attached ZIP file has the name Incoming_FAX_yourdomain.be.zip and contains the 18 kB large file Incoming_FAX_0819.exe. This trojan has capabilities to download other files over the internet.

The trojan is known as TR/Crypt.XPACK.Gen2, W32/Trojan.YBHL-9309, Trojan.DownLoader10.16987, Trojan.Email.FA, Win32.Troj.Generic.a.(kcloud) or Trojan.Win32.Bublik.bfla.

The process hhcbrnaff.exe is being created and a connection is made with talonstamed.com op port 443.

At the time of writing, 13 of the 49 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 93329d886ae6b63e1be3dafd0c404e3eac69ee2300e157dfb934b5e29889ebbf.

One thought on “Fake incoming fax report from a Xerox Workcentre contains trojan

Comments are closed.