Archive for January 27th, 2017

Second email I've received today (some headers omitted):

Return-Path: <>
Received: from unknown (HELO (
by with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (
by with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

(HTML omitted)


Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

The earlier one had a "" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).

Both messages appearing to be hand-crafted, and the reference to today's date in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)


As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like a VBA marcro malware, indeed. Thanks Ludovic for reminding me of Virustotal.

Bad Behavior has blocked 924 access attempts in the last 7 days.