From: eFax [message@inbound-efax.org]
Date: 29 November 2016 at 16:01
Subject: eFax message from "61 2 97855412" - 2 page(s)
Fax Message
You have received a 2 page fax at 11/29/2016 5:01:13 PM.
* The reference number for this fax is syd1_did12-5405183509-083357256-5.
Click here to view this fax message.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
The link in the email goes to a hacked SharePoint Online account (a guest-access link on a OneDrive for Business site), in this case:
https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1
It appears to belong to a legitimate company, possibly one whose Office 365 tenant has been compromised, which is why the link passes reputation checks that would catch a throwaway domain.
The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named
Fax_11292016_page1.js
Fax_11292016_page2.js
that look like this. Hybrid Analysis of the script indicates that this is Nymaim, and that the script downloads a further component from:
siliguribarassociation.org/images/staffs/documetns.png
A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:
stengeling.com/20aml/index.php
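The archive pattern above (a ZIP holding two byte-for-byte identical .js files named as fax "pages") is easy to triage automatically before a user ever double-clicks it. The following is an added example, not code from the original post: it builds a stand-in ZIP with the same member names, flags any member whose extension Windows Script Host or mshta would execute, and groups members by content hash so the "several identical scripts" pattern surfaces as a secondary indicator. The script body inside the sample ZIP is a placeholder, not the real Nymaim downloader.

```python
import hashlib
import io
import os
import zipfile

# Extensions that Windows will hand to wscript.exe / cscript.exe / mshta.exe on
# double-click. A mail gateway or sandbox should treat any of these inside an
# archive as executable content, regardless of what the "fax" naming suggests.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}. Used only to
    construct sample input for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-in for Fax_11292016.zip: two members, identical bodies.
# The body is a harmless placeholder, not the script from the campaign.
PLACEHOLDER_SCRIPT = b"var s = 'placeholder, not the real downloader';\r\n"
SAMPLE_ZIP = build_zip({
    "Fax_11292016_page1.js": PLACEHOLDER_SCRIPT,
    "Fax_11292016_page2.js": PLACEHOLDER_SCRIPT,
})


def triage_zip(data: bytes) -> dict:
    """Summarise a ZIP blob: all members, members with executable script
    extensions, groups of members with identical content, and a verdict."""
    result = {
        "members": [],
        "script_members": [],
        "duplicate_groups": [],
        "verdict": "clean",
    }
    by_hash = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            result["members"].append(name)
            # splitext takes the LAST extension, so "Fax.pdf.js" is still .js
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                result["script_members"].append(name)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            by_hash.setdefault(digest, []).append(name)
    result["duplicate_groups"] = [
        names for names in by_hash.values() if len(names) > 1
    ]
    # Any script member is sufficient to block; duplicate groups are
    # reported so an analyst can see the "N identical pages" pattern.
    if result["script_members"]:
        result["verdict"] = "block"
    return result


if __name__ == "__main__":
    summary = triage_zip(SAMPLE_ZIP)
    print(summary["verdict"], summary["script_members"], summary["duplicate_groups"])
```

Run against a real sample the output is only as good as the extension list, so keep it in step with whatever your Windows builds will actually execute (.lnk and .iso wrappers, for instance, need their own handling); the duplicate grouping is deliberately content-based rather than name-based so renamed copies are still caught.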
The domain stengeling.com appears to have been registered specifically for this malware and uses anonymised registration details. It is apparently multihomed across the following IPs:
4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212
Each of those IPs appears to be a hacked legitimate host, and the set of IPs turns over quickly, so blocking individual addresses will not hold for long. The same IPs are associated with the following domains, which may be worth blocking:
butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com
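Two things in the C2 section are worth turning into repeatable checks: the "multihomed with high turnover" observation, which is what a fast-flux domain looks like in passive DNS, and the pivot from a seed domain's IPs to the other domains that share them. The following is an added example, not code from the original post. The domains and IP addresses are taken from the IOC list above, but the resolution timeline, the groupings of IPs per snapshot, and the control domain example.org are constructed for the example and are not real passive-DNS data.

```python
from datetime import datetime, timedelta

# Constructed resolution log: (timestamp, domain, set of A records).
# Domains and IPs come from the IOC list in the post; the timeline and
# per-snapshot groupings are invented for illustration.
T0 = datetime(2016, 11, 29, 16, 0)
SNAPSHOTS = [
    (T0,                      "stengeling.com", {"4.77.129.110", "18.17.224.92", "31.209.107.100", "37.15.90.12"}),
    (T0 + timedelta(hours=1), "stengeling.com", {"31.209.107.100", "37.15.90.12", "43.132.208.7", "45.249.111.213"}),
    (T0 + timedelta(hours=2), "stengeling.com", {"43.132.208.7", "52.61.200.235", "61.25.216.8", "67.25.164.206"}),
    (T0,                      "butestsis.com",  {"4.77.129.110", "74.174.194.169"}),
    (T0 + timedelta(hours=1), "sievecnda.com",  {"31.209.107.100", "88.214.198.162"}),
    # Control: a stable domain that keeps the same single address.
    (T0 + timedelta(hours=2), "example.org",    {"203.0.113.10"}),
    (T0 + timedelta(hours=3), "example.org",    {"203.0.113.10"}),
]


def flux_profile(domain, snapshots=SNAPSHOTS):
    """Summarise how a domain's A records change over time.

    distinct_ips:      number of unique addresses seen across all snapshots
    mean_new_fraction: average share of each snapshot's addresses that did
                       not appear in the immediately preceding snapshot
    """
    ordered = sorted((ts, ips) for ts, d, ips in snapshots if d == domain)
    seen = set()
    new_fractions = []
    prev = None
    for _, ips in ordered:
        seen |= ips
        if prev is not None and ips:
            new_fractions.append(len(ips - prev) / len(ips))
        prev = ips
    mean_new = sum(new_fractions) / len(new_fractions) if new_fractions else 0.0
    return {
        "snapshots": len(ordered),
        "distinct_ips": len(seen),
        "mean_new_fraction": mean_new,
    }


def looks_fast_flux(domain, snapshots=SNAPSHOTS, min_distinct=5, min_new_fraction=0.3):
    """Heuristic: many distinct addresses AND a large share of them replaced
    between observations. Thresholds are assumptions for this example; a
    CDN-fronted domain can also show many IPs, so pair this with registration
    age and ASN diversity before acting on it."""
    p = flux_profile(domain, snapshots)
    return p["distinct_ips"] >= min_distinct and p["mean_new_fraction"] >= min_new_fraction


def pivot_by_ip(seed_domain, snapshots=SNAPSHOTS):
    """Return every other domain that has resolved to an address the seed
    domain has used. This is the pivot that produced the related-domain
    list in the post."""
    seed_ips = set()
    for _, d, ips in snapshots:
        if d == seed_domain:
            seed_ips |= ips
    related = set()
    for _, d, ips in snapshots:
        if d != seed_domain and ips & seed_ips:
            related.add(d)
    return sorted(related)


if __name__ == "__main__":
    print(flux_profile("stengeling.com"))
    print("fast-flux?", looks_fast_flux("stengeling.com"))
    print("related:", pivot_by_ip("stengeling.com"))
```

With real passive-DNS data the same two functions run unchanged; the practical difference is that the pivot will also pull in any legitimate domains that happened to share a compromised host, so review the related list rather than blocking it blind.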