From: eFax [email@example.com]
Date: 29 November 2016 at 16:01
Subject: eFax message from "61 2 97855412" - 2 page(s)
You have received a 2 page fax at 11/29/2016 5:01:13 PM.
* The reference number for this fax is syd1_did12-5405183509-083357256-5.
Click here to view this fax message.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
The link in the email goes to a hacked Sharepoint account, in this case:
It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.
The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named
that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:
A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:
The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:
Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking: