From: Sarah [firstname.lastname@example.org]The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Attached are the return documents.
Call me if you need anything.
See you soon. :)
According to various automated analysis tools    it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:
This is hosted on a SoftLayer IP of 18.104.22.168 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.
The payload is Pony / Fareit, which is basically a password stealer.