Date: Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From: Administrator [voice8@victimdomain]
Subject: Voice Message from Unknown (553-843-8846)
- - -Original Message- - -
From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee

Date: Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From: Administrator [voice3@victimdomain]
Subject: Voice Message from Unknown (586-898-9333)
- - -Original Message- - -
From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject: Employees Only

Date: Wed, 23 Oct 2013 16:40:22 +0300 [09:40:22 EDT]
From: Administrator [voice2@victimdomain]
Subject: Voice Message from Unknown (998-948-7548)
- - -Original Message- - -
From: 998-948-7548
Sent: Wed, 23 Oct 2013 16:40:22 +0300
To: [recipient list at victimdomain]
Subject: Employees Only

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.
Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46. Automated analysis [1] [2] shows an attempted connection to glyphs-design.com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent; however, there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block the IP address.

Added:
The mail goes as far as to include fake mail headers to suggest that the spam comes from inside the victim's network (when it does not). For example:
from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530
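
One way a mail filter could catch this trick, as an added example (not code from the original post): every Received line below the hop where your own edge MX accepted the message from a public address was supplied by the sender, so a hop there that names your domain or a private address is forged. The sample headers are constructed from the ones above with the placeholder domain victim.example; the function names and the choice of edge MX host are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the headers quoted above (newest hop first);
# the redacted domain is replaced by the placeholder victim.example.
RECEIVED = [
    "from unknown (192.168.1.88) by filter8.victim.example with QMQP; 23 Oct 2013 13:47:40 -0000",
    "from unknown (HELO aexp.com) (203.193.165.78) by mxin1.victim.example with SMTP; 23 Oct 2013 13:48:41 -0000",
    "from voice903.victim.example (10.0.0.168) by victim.example (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530",
    "from voice5005.victim.example (10.179.13.59) by smtp.victim.example (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530",
]

HOP_RE = re.compile(r"^from\s+(?P<peer>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hop(value):
    """Split one Received value into claimed peer host, peer IP and recording host."""
    m = HOP_RE.match(value.strip())
    if not m:
        return None
    ip = None
    for text in IPV4_RE.findall(m["peer"]):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            pass  # looks like an address but is not one, e.g. 999.1.1.1
    peer_host = (m["peer"].lower().split() or [""])[0]
    return {"peer": peer_host, "by": m["by"].lower(), "ip": ip, "raw": value}

def in_domain(host, domain):
    """Exact or subdomain match, so evilvictim.example does not count."""
    return host == domain or host.endswith("." + domain)

def forged_internal_hops(received, own_domain, edge_mx):
    """Return (external peer IP, hops below the edge that claim to be internal)."""
    hops = [h for h in map(parse_hop, received) if h]
    for i, hop in enumerate(hops):
        # Trust boundary: our own edge MX recorded a connection from a public address.
        if hop["by"] in edge_mx and hop["ip"] is not None and hop["ip"].is_global:
            older = hops[i + 1:]  # written before we saw the message: sender-controlled
            forged = [h for h in older
                      if in_domain(h["by"], own_domain)
                      or in_domain(h["peer"], own_domain)
                      or (h["ip"] is not None and h["ip"].is_private)]
            return str(hop["ip"]), forged
    return None, []
```

Calling `forged_internal_hops(RECEIVED, "victim.example", {"mxin1.victim.example"})` reports the external peer and the two sender-supplied hops; the internal relay hop above the boundary is left alone because your own infrastructure wrote it.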