Sponsored by..

Tuesday, 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553


Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:


This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes these following HTTP requests:

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:

No comments: