From: ALERT@police.uk [ALERT@police-uk.com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version: 852065
The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):
The Adobe Reader (from Adobe.com) will display and print the bulletin best.
You can Not reply to the bulletin by clicking on the Reply button in your email software.

Weirdly, the message comes from a police.uk email address and the link goes to a driving school in Australia. And it comes from 126.96.36.199 which is an IP address in Kansas City.
Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55. The Anubis report shows that the malware phones home to santace.com which is probably worth blocking or monitoring. Other analyses are pending.
I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day.
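
The payload described above is a screensaver executable inside a ZIP whose name imitates a PDF. As an added example (not part of the original post), this Python sketch flags that pattern at a mail gateway or during triage; the extension blocklist, the lure pattern and the function names are assumptions, and the sample archive is constructed from harmless placeholder bytes.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly (an assumed blocklist, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document types a lure name pretends to be, e.g. "..._pdf.scr" or "....pdf.exe".
LURE = re.compile(r"[._-](pdf|docx?|xlsx?|jpe?g|txt)$", re.IGNORECASE)


def suspicious_members(zip_bytes):
    """Return (name, reason) for archive members that are executables,
    noting when the name also imitates a document type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = base.rpartition(".")
            ext = (dot + ext).lower()
            if not dot or ext not in EXECUTABLE_EXTS:
                continue  # no extension, or not an executable type
            reason = "executable"
            if LURE.search(stem):
                reason = "executable disguised as document"
            findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed sample: placeholder bytes under the file name from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file-viewonly7213_pdf.scr", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample()):
        print(f"{name}: {reason}")
```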