In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
From: Christopher Rawson [email@example.com]
Date: 7 September 2013 14:04
We have prepared a quotation, please see attached
With Kind Regards,
DNV KEMA Energy & Sustainability,
DNV KEMA is a real, legitimate company in the energy sector, but they did not send the spam. An examination of the headers shows that the sending IP is 18.104.22.168, which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email is sent to an address ONLY used to register at dealerbid.co.uk. So, the upshot is that this domain is compromised and it is compromised right now.
The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text, starting thus:
Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46.
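The recovery step described above can be scripted instead of done by copy-and-paste. This is an added example, not part of the original post: it finds the line beginning with UEsDB (the Base64 form of the ZIP magic bytes PK\x03\x04), decodes the block, and lists the archive members without extracting or running them. The function names and the sample body are constructed for illustration.

```python
import base64, binascii, hashlib, io, re, zipfile

ZIP_B64_PREFIX = "UEsDB"   # Base64 of the ZIP local-header magic PK\x03\x04
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr")

def carve_base64_zip(body):
    """Return the bytes of a Base64 ZIP spilled into a text body, or None."""
    lines = [ln.strip() for ln in body.splitlines()]
    for start, line in enumerate(lines):
        if not line.startswith(ZIP_B64_PREFIX):
            continue
        run = []
        for ln in lines[start:]:            # collect until the Base64 block ends
            if not B64_LINE.fullmatch(ln):
                break
            run.append(ln)
        text = "".join(run)
        text += "=" * (-len(text) % 4)      # tolerate padding lost in transit
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue                        # not clean Base64, try the next candidate
        if zipfile.is_zipfile(io.BytesIO(raw)):
            return raw
    return None

def triage(raw):
    """Hash the archive and list its members in memory; nothing is written to disk."""
    report = {"sha256": hashlib.sha256(raw).hexdigest(), "members": []}
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            is_script = info.filename.lower().endswith(SCRIPT_EXTS)
            report["members"].append(
                {"name": info.filename, "size": info.file_size, "script": is_script})
    return report

def constructed_sample():
    """Harmless stand-in for the mangled email body (constructed, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation.vbs", "' harmless placeholder\r\n")
    b64 = base64.encodebytes(buf.getvalue()).decode()   # 76-character lines, as in MIME
    return "We have prepared a quotation, please see attached\nWith Kind Regards,\n\n" + b64

if __name__ == "__main__":
    print(triage(carve_base64_zip(constructed_sample())))
```

The SHA-256 in the report can be used for a VirusTotal lookup without uploading or unpacking the file.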
Changing "execute" to a series of commands that write a file out.txt gets the script to decode itself and present the deobfuscated code for you.
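Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "out.txt" ' file that receives the decoded script
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin) & vbCrLf ' written out, not executed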
Obviously, great care should be taken when doing this, and a throwaway virtual machine is advised in case of errors.
I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on 22.214.171.124 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist: