Email “Employee Documents – Internal Use” from no-replay@my-fax.com leads to malicious Zip file


MX Lab, http://www.mxlab.eu, has started to intercept a large distribution campaign by email with the subject “Employee Documents – Internal Use”. The email is sent from the spoofed address “Fax <no-replay@my-fax.com>” and has the following body:

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: hxxp://challengingdomesticabuse.co.uk/myfax/company.html

Documents are encrypted in transit and store in a secure repository

———————————————————————————
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

The downloaded file fax8127480_924_pdf.zip contains the 26 kB file fax8127480_924.exe.
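The lure relies on an archive whose name suggests a document ("..._pdf.zip") while the member inside is a Windows executable. The script below, an added example and not MX Lab's code, shows how a mail gateway or triage job can flag that pattern: it inspects a zip attachment for executable member extensions, checks the first bytes of each member for the DOS "MZ" signature, and compares the SHA256 of the archive and its members against a known-bad list seeded with the hash reported in this post. The sample archive is constructed in memory with a harmless "MZ" stub standing in for the real payload; the attachment names are taken from the post, everything else is an assumption of this example.

```python
"""Heuristic triage of a suspicious zip attachment (added example, not MX Lab's code)."""
import hashlib
import io
import zipfile

# Member extensions that should never arrive inside a "document" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Substrings in the archive name that promise a document rather than a program.
DOCUMENT_HINTS = ("_pdf", "_doc", "_xls", "fax", "invoice", "document")

# SHA256 reported in the post. A real pipeline would load this from an IOC feed.
KNOWN_BAD_SHA256 = {
    "99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb",
}


def _extension(name: str) -> str:
    """Return the lower-cased final extension of a path, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage_zip(archive_name: str, data: bytes) -> dict:
    """Inspect a zip attachment and return sha256, findings and a verdict.

    verdict is 'malicious' on a hash match, 'suspicious' on heuristic hits,
    'clean' when nothing fires, 'corrupt' when the bytes are not a zip.
    """
    findings = []
    archive_sha = hashlib.sha256(data).hexdigest()
    if archive_sha in KNOWN_BAD_SHA256:
        findings.append(f"archive sha256 {archive_sha} is a known-bad sample")

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"sha256": archive_sha, "verdict": "corrupt",
                "findings": ["attachment is not a valid zip archive"]}

    looks_like_document = any(h in archive_name.lower() for h in DOCUMENT_HINTS)

    for info in zf.infolist():
        if info.is_dir():
            continue
        member = info.filename
        content = zf.read(info)
        ext = _extension(member)

        if ext in EXECUTABLE_EXTS:
            findings.append(f"member {member} has executable extension {ext}")
            if looks_like_document:
                findings.append(
                    f"archive {archive_name} is named like a document but carries {member}")

        # File-type check independent of the extension: PE files start with 'MZ'.
        if content[:2] == b"MZ":
            findings.append(f"member {member} starts with the MZ executable signature")

        member_sha = hashlib.sha256(content).hexdigest()
        if member_sha in KNOWN_BAD_SHA256:
            findings.append(f"member {member} sha256 {member_sha} is a known-bad sample")

    if any("known-bad" in f for f in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sha256": archive_sha, "verdict": verdict, "findings": findings}


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the lure: the member name from the post, but the
# content is only a 64-byte 'MZ' stub, not the real trojan.
SAMPLE_LURE = make_zip({"fax8127480_924.exe": b"MZ" + b"\x00" * 62})
# Constructed benign archive for comparison.
SAMPLE_CLEAN = make_zip({"notes.txt": b"quarterly meeting notes\n"})


if __name__ == "__main__":
    for name, blob in (("fax8127480_924_pdf.zip", SAMPLE_LURE), ("notes.zip", SAMPLE_CLEAN)):
        result = triage_zip(name, blob)
        print(name, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

Because the hash match and the heuristics are evaluated independently, the check still fires on a repacked or re-encrypted variant whose hash differs from the one published here, which is exactly the case the low initial AV detection rate below describes.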

The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ.

At the time of writing, 5 of the 55 AV engines on VirusTotal detected the trojan.

Use the VirusTotal permalink for more detailed information.
SHA256: 99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb