Email notification regarding received fax message from J2 is fake and leads to malicious file on Dropbox


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fax Message at 2014-05-06 08:55:55 EST”.

This email is send from the spoofed address “Fax Message <message@inbound.efax.com>” and has the following body:

Fax Message
You have received 7 fax page(s) at 2014-05-06 08:55:55 EST.

* The reference number for this fax is airw_byl38-1900025563-6891008917-11.
* The transmission start time for this fax is .

Click here to view this message in your web browser

Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!

This account is subject to the terms listed in the jConnect Customer Agreement.

Screenshot of the email:

The embedded URL leads to hxxps://www.dropbox.com/meta_dl/**SHORTENED**

The downloaded ZIP file has the name Fax-932971.zip and contains the 146 kB large file Fax-932971.scr.

The trojan is known as PE:Malware.XPACK-HIE/Heur!1.9C48.

At the time of writing, only 1 of the 51 AV engines did detect the trojan at Virus Total so this is a potential risk.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 03467f231a3fce6795545ae99a6dad161effa3bf681031693815eabf1648ee66.