From: eFax [email@example.com]I bet you've already guessed that the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55.
Date: 11 September 2014 20:35
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:
The 111.exe has a much wider detection rate of 22/53 and according the the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:
Overall, the web hosts involved are:
22.214.171.124 (Swift Trace Ltd, Crimea)
126.96.36.199 (GoDaddy, US)
188.8.131.52 (Daiger Sydes Gustafson LLC / Peer 1, US)
184.108.40.206 (OVH, France)
220.127.116.11 (PE Intechservice-B, Ukraine)
18.104.22.168 (Ivanov Vitaliy Sergeevich, Ukraine)
I would recommend blocking the following: