Sponsored by..

Monday 17 November 2014

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:     Interfax [uk@interfax.net]
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:  01616133969@fax.tc
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
CSID:
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysis this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53

If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.

3 comments:

Unknown said...

Good for you for taking action. I received your email with a link to your site. I certainly didn't send the offending message. blanchas@telus.net

Unknown said...

There's a newer one new, but still based on Interfax and fax sending/receiving. It notifies the user of receiving a new "fax" which is a ".doc.js" packed in a .zip archive. Full writeup here.

CU,CO;) said...

Yes I'm also receiving packed js files from Interfax lately.
Obviously, there's no reason to send a fz as an executable.
Legit faxes would be pdfs or even jpgs.