From: firstname.lastname@example.orgThe attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
Date: 5 September 2015 at 03:50
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Protected DocumentFollowing these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.
Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
126.96.36.199 [Eurobyte LLC, Russia)
Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)
This further references another bunch of domains that you might want to block, especially in a corporate environment:
This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:
Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.
The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.