From: Trinh [email@example.com]
Date: 27 October 2015 at 18:30
Signed by: 163.com
Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.

In this case the attachment was named Bobette_resume_1817.doc, however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.
The macro looks like this [pastebin], and the Hybrid Analysis of the document shows the macro fetching its payload FROM 126.96.36.199 (EuroByte LLC, Russia) and then POSTing to the following:
The first three are on 188.8.131.52 and the second two on 184.108.40.206, both of which are allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.
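The two things a mail-gateway or SOC analyst can act on from the above are the attachment naming pattern (a first name, "_resume_", a number, ".doc") and the handful of hosts the macro talks to. The following is an added example, not code from the original post: it checks an attachment's name and real container type (an OLE2 legacy .doc versus a zipped OOXML file carrying word/vbaProject.bin), and groups sandbox POST events by host the way the post does. The name Bobette_resume_1817.doc and the three IPs come from the post; the sample file bytes, URL paths and the function names are constructed for the example (the post does not list the POST URLs).

```python
"""Triage helpers for the resume-themed macro downloader described in the post.

Added example (stdlib only). Indicators from the post: attachment names like
Bobette_resume_1817.doc (the name varies), a download from 126.96.36.199 and
POSTs to hosts on 188.8.131.52 and 184.108.40.206. All sample bytes, URL paths
and events below are constructed placeholders, not captured data.
"""
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlparse

# <firstname>_resume_<digits>.doc (or .docm); case-insensitive.
RESUME_NAME = re.compile(r"^[A-Za-z]+_resume_\d+\.docm?$", re.IGNORECASE)

# Magic bytes of an OLE2 compound file, the container of a legacy binary .doc.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Network indicators taken from the post's Hybrid Analysis run.
DOWNLOAD_SOURCE = "126.96.36.199"
POST_HOSTS = {"188.8.131.52", "184.108.40.206"}


def name_matches_campaign(filename: str) -> bool:
    """True if the attachment name fits the campaign's resume pattern."""
    return RESUME_NAME.match(filename) is not None


def container_type(data: bytes) -> str:
    """Classify by bytes, not extension: 'ole2' (legacy Word, may hold VBA),
    'ooxml-macro' (zip with a VBA project), 'ooxml' (zip without), 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        return "ooxml-macro" if "word/vbaProject.bin" in names else "ooxml"
    return "other"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Hold a message when the name fits the campaign AND the file can carry VBA."""
    ctype = container_type(data)
    campaign_name = name_matches_campaign(filename)
    hold = campaign_name and ctype in ("ole2", "ooxml-macro")
    return {"name": filename, "container": ctype,
            "campaign_name": campaign_name, "hold": hold}


def group_posts_by_host(events) -> dict:
    """events: iterable of (method, url). Returns {host: [paths]} for POSTs only,
    the grouping used in the post to see which URLs share one server."""
    by_host = defaultdict(list)
    for method, url in events:
        if method.upper() == "POST":
            parsed = urlparse(url)
            by_host[parsed.hostname].append(parsed.path)
    return dict(by_host)


def contacted_indicators(events) -> list:
    """Hosts from the event list that are known indicators from the post."""
    known = POST_HOSTS | {DOWNLOAD_SOURCE}
    return sorted({urlparse(u).hostname for _, u in events
                   if urlparse(u).hostname in known})


# ---- constructed samples (placeholders, not real captures) -------------------
SAMPLE_OLE = OLE2_MAGIC + b"\x00" * 504          # minimal OLE2-looking header


def sample_macro_docx() -> bytes:
    """Constructed OOXML zip that carries an (empty) VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


SAMPLE_EVENTS = [                                  # paths are placeholders
    ("GET", "http://126.96.36.199/payload.bin"),
    ("POST", "http://188.8.131.52/a.php"),
    ("POST", "http://188.8.131.52/b.php"),
    ("POST", "http://188.8.131.52/c.php"),
    ("POST", "http://184.108.40.206/d.php"),
    ("POST", "http://184.108.40.206/e.php"),
]

if __name__ == "__main__":
    print(triage_attachment("Bobette_resume_1817.doc", SAMPLE_OLE))
    print(triage_attachment("Bobette_resume_1817.doc", sample_macro_docx()))
    print(group_posts_by_host(SAMPLE_EVENTS))
    print(contacted_indicators(SAMPLE_EVENTS))
```

The container check matters because the campaign's ".doc" extension says nothing about what is inside; a renamed OOXML file with a vbaProject.bin part is just as capable of running the downloader macro as a legacy OLE2 document.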
The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.
This Tweet indicates that the payload is Cryptowall.