URL in fake email from eFax Drive “You’ve received a new fax” leads to malicious ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You’ve received a new fax”.

This email is sent from the spoofed address and has the following body:

New fax at SCAN9106970 from EPSON by https://*******.com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI

You can secure download your fax message at:

hxxp://nm2b.org/bhnjhkkgvq/ufqielyyva.html

(eFax Drive is a file hosting service operated by J2, Inc.)

The downloaded file document7241_pdf.zip contains the 33 kB file document7241_pdf.scr.

The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen.

At the time of writing, 2 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: d8b1d64ae49b437df163061af11c8f0f0e5dad338c37cfedd4e6f30e37f6499c
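
A triage check for the delivery pattern described above (a ZIP whose payload is a .scr file named to look like a PDF), as an added example that is not part of the original MX Lab post. The extension list, the decoy-name pattern and the function names are assumptions, and the sample archive is constructed from harmless bytes.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows runs directly (assumed list); .scr is the one used in this campaign.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
# Document type at the end of the base name, e.g. "_pdf.scr" or ".pdf.exe" (assumed pattern).
DECOY_RE = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|jpg|tif|tiff)$", re.IGNORECASE)


def inspect_zip(data, known_bad_sha256=frozenset()):
    """Return one finding dict per suspicious member of the ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            digest = hashlib.sha256(archive.read(info)).hexdigest()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
                if DECOY_RE.search(stem):
                    reasons.append("document-like decoy name")
            if digest in known_bad_sha256:
                reasons.append("SHA256 matches known sample")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "sha256": digest, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed test archive: harmless bytes under the file name from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document7241_pdf.scr", b"MZ constructed placeholder, not malware")
        archive.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["name"], finding["sha256"], "; ".join(finding["reasons"]))
```

Passing the SHA256 listed in this post in `known_bad_sha256` additionally flags a member whose content matches the exact sample.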
