Attached to the email below is a file, His Voice.zip, which unzips to another file called Voice Conversation with no extension at all. This file is in fact a malicious executable (you would have to rename it to Voice Conversation.exe manually if you wanted to infect yourself), and it has a VirusTotal detection rate of 13/49.
From: Agent Feather [firstname.lastname@example.org]
Date: 6 May 2014 02:12
Subject: Do something before it's too late!
Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.
What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.
You are to note the following and observe them, contrary to these, you will never hear from me again.
1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.
Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.
Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.
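A mail gateway or triage script can catch the trick described above (a zip member with no extension that is really a Windows executable) by inspecting content rather than file names. The following Python code is an added example, not part of the original post; the function names, extension list and in-memory sample archive are constructed for illustration.

```python
import io
import os
import struct
import zipfile

# Extensions a Windows user (or a mail filter) would already treat as executable.
EXEC_EXTS = {".exe", ".scr", ".com", ".dll", ".pif", ".cpl"}

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_zip(zip_bytes: bytes, max_read: int = 4096):
    """Return (member name, disguised) for every PE file inside the archive.

    'disguised' means the content is a PE image but the name carries no
    executable extension, as with the extensionless member described above.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.flag_bits & 0x1:  # skip dirs and encrypted members
                continue
            with zf.open(info) as fh:
                head = fh.read(max_read)  # headers only; never unpack to disk
            if looks_like_pe(head):
                ext = os.path.splitext(info.filename)[1].lower()
                found.append((info.filename, ext not in EXEC_EXTS))
    return found

def constructed_sample() -> bytes:
    """Build a harmless test archive in memory (constructed data, not the real sample)."""
    stub = bytearray(0x44)                    # minimal header bytes only, not runnable
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset of the PE signature
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voice Conversation", bytes(stub))  # name taken from the post
        zf.writestr("notes.txt", b"MZ notes " * 10)     # starts with MZ, but no PE signature
        zf.writestr("setup.exe", bytes(stub))           # openly executable name
    return buf.getvalue()

if __name__ == "__main__":
    for name, disguised in scan_zip(constructed_sample()):
        print(f"{name!r}: PE image, disguised={disguised}")
```

Encrypted members are skipped here because their content cannot be read without a password; a production filter would normally report those separately.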