Sponsored by..

Tuesday 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)

Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

The link in the email goes to a hacked Sharepoint account, in this case:


It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named


that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:


A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:


The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:


1 comment:

Unknown said...

I seem to have received a fake eFax today 12/19/16 or 12/20/16 that must have had a virus or malware. It is presenting me from opening links in my email. It only opens the new tab page in Chrome, but not the link. Anythoughts?