eFax message from “Booking.com – HylaFa” – 1 page(s), Caller-ID: 031207944200

MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “eFax message from “Booking.com – HylaFa” – 1 page(s), Caller-ID: 031207944200”.

This email is sent from the spoofed address “eFax <message@inbound.efax.com>” and has the following body:

Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.

* The reference number for this fax is lon1_did14-1445421403-1407880525-89.

View this fax using your Microsoft Word.

Please visit http://www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home Contact Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

The attached file FAX_20151028_1445421437_89.doc is a Word document containing a malicious macro that downloads the payload.

The Word file is detected as LooksLike.Macro.Malware.gen!d3 (v), VBA/TrojanDownloader.Agent.AGB or W2KM_DRIDEX.XXH.

At the time of writing, 11 of the 56 AV engines detected the trojan at VirusTotal.

See VirusTotal for more detailed information.
SHA256: 03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8
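A mail-triage check built from the indicators in this report, as an added example that is not MX Lab's own code: it parses a message, matches the subject and sender, and inspects each attachment for the file name shape, the legacy OLE2 Word format, a VBA project marker and the SHA256 above. The attachment name pattern, the `_VBA_PROJECT` byte heuristic and the sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the report above.
CAMPAIGN_SHA256 = "03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8"
SUBJECT_RE = re.compile(r"eFax message from .+ \d+ page\(s\), Caller-ID: \d+", re.I)
# Assumption: pattern generalised from the single attachment name in the report.
ATTACH_RE = re.compile(r"^FAX_\d{8}_\d+_\d+\.doc$", re.I)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc compound-file header
# Heuristic: OLE2 directory entries are UTF-16LE; a macro project has a _VBA_PROJECT stream.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw: bytes) -> dict:
    """Return per-indicator findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "name_match": bool(ATTACH_RE.match(name)),
            "ole2": data.startswith(OLE2_MAGIC),
            "vba_marker": VBA_MARKER in data,
            "sha256_match": hashlib.sha256(data).hexdigest() == CAMPAIGN_SHA256,
        })
    return {
        "efax_sender": "inbound.efax.com" in str(msg.get("From", "")).lower(),
        "subject_match": bool(SUBJECT_RE.search(str(msg.get("Subject", "")))),
        "attachments": attachments,
        # Flag on an exact hash hit or on any macro-bearing legacy Word file.
        "suspicious": any(a["sha256_match"] or (a["ole2"] and a["vba_marker"])
                          for a in attachments),
    }


def build_sample() -> bytes:
    """Constructed, inert sample message shaped like the one described above."""
    m = EmailMessage()
    m["From"] = "eFax <message@inbound.efax.com>"
    m["To"] = "user@example.com"
    m["Subject"] = 'eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200'
    m.set_content("Fax Message [Caller-ID: 031207944200]")
    fake_doc = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER  # placeholder bytes, not a real document
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="FAX_20151028_1445421437_89.doc")
    return m.as_bytes()
```

The sender and subject checks are context only, since the From address is spoofed; the `suspicious` flag depends on the attachment itself.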