From: email@example.com
Date: 10 August 2015 at 19:40
Signed by: yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter

Interestingly, the email really does appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin], which has a VirusTotal detection rate of 2/56.
As far as I can tell, the macro downloads a file disguised as a JPG from 220.127.116.11/1.jpg (Eurobyte LLC, Russia), which appears to be an encrypted executable. I wasn't able to decode all of the macro, but this Hybrid Analysis report shows clearly what is going on.
So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTs information to:
It also directs the victim to various personalised ransom pages hosted on 18.104.22.168 (Agava, Russia).
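The "1.jpg" file in the analysis above is a common trick: a downloader fetches a blob with an image extension so that a casual glance at proxy logs or a content filter sees a picture, while the macro decodes it into a PE on the victim's machine. The following is an added triage example, written for this page and not taken from the post, the macro or the Hybrid Analysis report. It assumes the encoding is a single-byte XOR (the post only says "encrypted", so this is an assumption, and real campaigns also use multi-byte keys or RC4); the sample bytes are constructed in the script, and the key 0x5A is arbitrary. The check rejects the JPEG claim by looking at the SOI magic, then brute-forces 256 candidate keys and accepts one only when the decoded data has both an MZ header and a PE signature at e_lfanew.

```python
import struct
from typing import Optional

# Arbitrary key used to build the constructed sample; nothing from the real
# campaign. Single-byte XOR is an assumption about the "encryption".
ASSUMED_KEY = 0x5A


def build_fake_pe() -> bytes:
    """Return a minimal executable-shaped blob (constructed, not real malware)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"                          # DOS header magic
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset of PE header
    buf[0x40:0x44] = b"PE\0\0"                # PE signature
    filler = (b"constructed code bytes, not real malware. " * 5)[: len(buf) - 0x44]
    buf[0x44:0x44 + len(filler)] = filler
    return bytes(buf)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so also decodes)."""
    return bytes(b ^ key for b in data)


def looks_like_jpeg(data: bytes) -> bool:
    """A real JPEG starts with the SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def looks_like_pe(data: bytes) -> bool:
    """MZ magic present and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A slice past the end just comes back short and fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_xor(data: bytes) -> Optional[int]:
    """Try all 256 keys; return the one that yields a PE, or None.

    Key 0 means the data was already an unencoded executable. Requiring both
    MZ and the PE signature avoids accepting a key that only happens to
    produce the two bytes 'MZ'.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(data, key)):
            return key
    return None


def triage(data: bytes) -> dict:
    """Summarise what a downloaded 'image' really is."""
    key = recover_single_byte_xor(data)
    return {
        "claims_jpeg": looks_like_jpeg(data),
        "is_plain_pe": looks_like_pe(data),
        "xor_key": key,
        "decoded_is_pe": key is not None and looks_like_pe(xor_bytes(data, key)),
    }


# Constructed stand-in for the downloaded "1.jpg": a fake PE XORed with the key.
SAMPLE_DISGUISED = xor_bytes(build_fake_pe(), ASSUMED_KEY)

if __name__ == "__main__":
    print(triage(SAMPLE_DISGUISED))
```

Run against a captured download, the same functions give a quick answer to "is this really an image?" before any sandbox time is spent; a genuine JPEG passes `looks_like_jpeg` and yields no key, while the disguised payload fails the magic check and decodes to a PE with key 0x5A.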