MX Lab, http://www.mxlab.eu, started to intercept quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is send from the spoofed address “Fax <firstname.lastname@example.org>” and has the following body:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: hxxp://challengingdomesticabuse.co.uk/myfax/company.html
Documents are encrypted in transit and store in a secure repository
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe.
The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ.
At the time of writing, 5 of the 55 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.