Date: Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From: Local Scan [scan.614@victimdomain]
Subject: Scanned Image from a Xerox WorkCentre
You have a received a new image from Xerox WorkCentre.
Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: victimdomain
Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contain a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.
The Comodo CAMAS report shows that the malware downloads components from the following locations:
There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 126.96.36.199 (OVH, France) IP before.