MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “eFax message from "Booking.com – HylaFa" – 1 page(s), Caller-ID: 031207944200”.
This email is sent from the spoofed address “eFax <email@example.com>” and has the following body:
Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word.
Please visit http://www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
Screenshot of the email:
The attached file FAX_20151028_1445421437_89.doc is a Word file with a malicious macro that will download the payload.
The Word file is detected as LooksLike.Macro.Malware.gen!d3 (v), VBA/TrojanDownloader.Agent.AGB or W2KM_DRIDEX.XXH.
At the time of writing, 11 of the 56 AV engines detected the trojan at VirusTotal.
Use VirusTotal for more detailed information.
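A mail-gateway triage check built from the markers described above (subject line, body phrase, attachment name and file type), as an added example that is not MX Lab's code. The regular expressions are generalised from the single sample on this page and are assumptions, the function names are hypothetical, and both test messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Patterns generalised from the one sample on this page (assumption, tune locally).
SUBJECT_RE = re.compile(r"eFax message from\s.+\s[-–]\s\d+\spage\(s\),\s+Caller-ID:\s*\d+")
ATTACH_RE = re.compile(r"^FAX_\d{8}_\d{10}_\d+\.doc$", re.IGNORECASE)
BODY_MARKER = "View this fax using your Microsoft Word"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc (OLE2) files

def triage(raw: str) -> list:
    """Return the campaign markers found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("attachment-name")
        data = part.get_payload(decode=True) or b""
        # Check content, not just the extension: a renamed file keeps the magic.
        if data.startswith(OLE2_MAGIC):
            hits.append("ole2-doc")
    return hits

def build_message(subject, text, filename, data, subtype):
    """Constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "eFax <email@example.com>"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_string()

LURE = build_message(
    'eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200',
    "Fax Message [Caller-ID: 031207944200]\nView this fax using your Microsoft Word.\n",
    "FAX_20151028_1445421437_89.doc", OLE2_MAGIC + b"\x00" * 8, "msword")
BENIGN = build_message("Invoice for October", "See attached.\n",
                       "invoice.pdf", b"%PDF-1.4\n", "pdf")

if __name__ == "__main__":
    print(triage(LURE))    # markers found in the constructed lure
    print(triage(BENIGN))  # markers found in the constructed benign mail
```

The check only identifies the lure and the container type; it does not inspect the macro itself, which needs an OLE/VBA parser.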