From: Sarah [email@example.com]The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Attached are the return documents.
Call me if you need anything.
See you soon. :)
According to various automated analysis tools    it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:
This is hosted on a SoftLayer IP of 126.96.36.199 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.
The payload is Pony / Fareit, which is basically a password stealer.