From: eFax [email@example.com]
Date: 17 July 2015 at 10:42
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655
Fax Message [Caller-ID: 1-357-457-4655
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.
* The reference number for this fax is atl_did1-1400166434-67874083637-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:
The ZIP file has a detection rate of 6/55 and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis    shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
22.214.171.124 (C2NET, Czech Republic)
126.96.36.199 (TTNET, Czech Republic)
188.8.131.52 (Time Warner Cable, US)
184.108.40.206 (Content Delivery Network Ltd, Ukraine)
220.127.116.11 (Telekom Srbija, Serbia)
18.104.22.168 (Navega.com, Guatemala)
22.214.171.124 (AgaNet Agata Goleniewska, Poland)
126.96.36.199 (AgaNet Agata Goleniewska, Poland)
188.8.131.52 (Computer Sales & Services Inc., US)
184.108.40.206 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].