Email “Internet Fax Job” with attached ZIP archive contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Internet Fax Job”.

This email is sent from the spoofed address “Jos Van Elslande <JVE@notvanelslande.be>” and has the following very short body:

Image data has been attached.

The attached file fax34242.zip contains the 29 kB large file fax34242.exe.

The trojan is known as Trojan.Email.FakeDoc or Win32.Trojan.Inject.Auto.

A new process, teminstall.exe, is created on the system and the following connections on port 80 are established:

checkip.dyndns.org
recfilm.linuxpl.info
thamesvalleychess.org

The following files are accessed:

  • index.html
  • factc.pdf
  • documents/factc.pdf

At the time of writing, 2 of the 43 AV engines detected the trojan at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 0a42de4b9ec4e9101a602560d3a04d6eabb0e40e571e87455e0958a5ad03ea0e
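
A mail-gateway style check for the pattern described above (a ZIP attachment whose member is an executable sharing the archive's name) together with a lookup of the published SHA-256. This is an added example, not code from MX Lab. The extension list, size cap, function names and the sample message with harmless placeholder bytes are assumptions constructed for illustration.

```python
import email, hashlib, io, os, zipfile
from email import policy
from email.message import EmailMessage

# SHA-256 of the sample, as published in the advisory above.
KNOWN_SHA256 = {"0a42de4b9ec4e9101a602560d3a04d6eabb0e40e571e87455e0958a5ad03ea0e"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumption: gateway's executable list
MAX_MEMBER = 10 * 1024 * 1024                # assumption: cap to avoid zip bombs

def stem(path: str) -> str:
    """File name without directory or extension, lowercased."""
    return os.path.splitext(os.path.basename(path))[0].lower()

def scan_message(raw: bytes) -> list:
    """Flag executables inside ZIP attachments of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        archive = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):  # check content, not the name
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXEC_EXT):
                    continue
                digest = None  # stays None if the member is encrypted or oversized
                if not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER:
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append({
                    "archive": archive, "member": info.filename, "sha256": digest,
                    "known_sample": digest in KNOWN_SHA256,
                    "stem_match": stem(archive) == stem(info.filename),
                })
    return findings

def build_sample(member="fax34242.exe") -> bytes:
    """Constructed test message; the payload is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not the trojan")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Internet Fax Job", "a@example.invalid", "b@example.invalid"
    m.set_content("Image data has been attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="fax34242.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A finding with `stem_match` set but `known_sample` unset still deserves quarantine, since the file hash changes between campaign runs while the lure structure stays the same.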
