From: Interfax [firstname.lastname@example.org]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to email@example.com<00441616133969>
Transmission Results
Destination Fax: 00441616133969
Contact Name: firstname.lastname@example.org
Start Time: 2014/11/13 20:05:27
End Time: 2014/11/13 20:29:00
Transmission Result: 3220 - Communication error
Pages sent: 0
Subject: 140186561.XLS
CSID:
Duration (In Seconds): 103
Message ID: 485646629
Thank you for using Interfax
Home page: http://www.interfax.net
Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysing this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe
The file is saved as %TEMP%\MRSWZZFEYPX.exe. This binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:
It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.
If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter, as I can see no valid reason for these to be sent by email. You should definitely block 18.104.22.168 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.
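As an added illustration of the perimeter block suggested above (this is example code written for this page, not something from the original post or from any mail product), the script below parses an email message, flags attachments with macro-enabled Office extensions, and also opens each OOXML attachment as a zip to look for a vbaProject.bin part. The second check matters because a .docm renamed to .docx still opens in Word with its macros intact, so an extension-only rule is easy to evade. The sample message, its attachments and the placeholder vbaProject.bin contents are all constructed inline; the sender and recipient addresses are assumptions, and the attachment name 00000293.docm is the one reported in the post.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Office extensions that are macro-enabled by definition.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam"}

# Macro-enabled OOXML containers store the VBA project as a binary part at
# one of these paths inside the zip, regardless of what the file is named.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def has_vba_project(data: bytes) -> bool:
    """Return True if `data` is an OOXML zip that contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip at all (PDF, plain text, legacy .doc, ...): nothing to see here.
        return False


def inspect_message(raw: bytes) -> list:
    """Return a list of (filename, reason) for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            findings.append((name, "macro-enabled extension"))
        elif has_vba_project(payload):
            # Extension looks harmless but the container carries a VBA project.
            findings.append((name, "vbaProject.bin inside OOXML container"))
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML-style zip; the VBA part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; only the magic is mimicked here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Construct a sample message modelled on the fake Interfax notification (addresses assumed)."""
    msg = EmailMessage()
    msg["From"] = "Interfax <fax@example.org>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Failed Fax Transmission"
    msg.set_content("Transmission Result: 3220 - Communication error")
    # 1. The obvious case: a .docm attachment, as seen in this campaign.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="00000293.docm")
    # 2. Evasion: the same macro-enabled container renamed to .docx.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    # 3. A benign .docx with no VBA project, which must pass.
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="report.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in inspect_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run against the constructed message, the script flags 00000293.docm on its extension and invoice.docx on its contents, and lets report.docx through. In a real gateway the content check should be applied to every zip-based attachment, not only those with Office extensions, since a .zip wrapping a .docm is the next obvious step for the sender.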