Email “Employee Documents – Internal Use” from leads to malicious Zip file

MX Lab started to intercept quite a large email distribution campaign with the subject “Employee Documents – Internal Use”. This email is sent from the spoofed address “Fax <>” and has the following body:

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents


Documents are encrypted in transit and store in a secure repository

This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

The downloaded Zip file contains the 26 kB file fax8127480_924.exe.

The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ.

At the time of writing, 5 of the 55 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb
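
To check a downloaded Zip against the indicators in this post without extracting it to disk, the following added example (not MX Lab's code) hashes each member in memory, flags executables by their `MZ` header even when the name looks like a document, and compares against the SHA256 above. The function names, the extension list and the size cap are assumptions, and the sample archive is constructed and harmless.

```python
import hashlib
import io
import zipfile

# SHA256 published in this post for fax8127480_924.exe
KNOWN_SHA256 = {"99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # assumed list, extend as needed
MAX_MEMBER = 10 * 1024 * 1024  # assumed cap on bytes inflated per member


def triage_zip(data):
    """Inspect a zip held in memory; nothing is written to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f = {"name": info.filename, "sha256": None, "executable": False,
                 "known_hash": False, "skipped": None}
            findings.append(f)
            if info.flag_bits & 0x1:          # encrypted member, cannot inspect
                f["skipped"] = "encrypted"
                continue
            if info.file_size > MAX_MEMBER:   # declared size over the cap
                f["skipped"] = "too large"
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_MEMBER + 1)  # bound the read even if the header lies
            if len(body) > MAX_MEMBER:
                f["skipped"] = "too large"
                continue
            f["sha256"] = hashlib.sha256(body).hexdigest()
            # A PE file starts with "MZ" whatever its name claims to be
            f["executable"] = (body[:2] == b"MZ"
                               or info.filename.lower().endswith(EXEC_EXTS))
            f["known_hash"] = f["sha256"] in KNOWN_SHA256
    return findings


def build_sample():
    """Constructed, harmless archive: 64 stub bytes with an MZ magic, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_sample.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

Any member reported with `executable` set inside a "document" archive is worth quarantining even when `known_hash` is false, since only 5 of 55 engines recognised this sample at the time of the post.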