Second email I've received today (some headers omitted):
Received: from unknown (HELO mail.bsme-mos.ru) (184.108.40.206)
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (email@example.com@220.127.116.11)
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
This is a multi-part message in MIME format.
Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.
The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).
The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).
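The mismatch described above (a RAR archive delivered as "PROJECT.gz") is something a mail filter can check mechanically by comparing each attachment's extension with its leading magic bytes. The following Python code is an added example, not part of the original post; the function names, the extension table and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading magic bytes of container formats commonly seen as mail attachments.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),                        # prefix shared by RAR 4.x and 5.x
    (b"PK\x03\x04", "zip"),                          # also OOXML (.docx/.docm)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]
# Content types each extension is expected to carry (assumed table, extend as needed).
EXPECTED = {".gz": {"gzip"}, ".rar": {"rar"}, ".zip": {"zip"}, ".7z": {"7z"},
            ".doc": {"ole2"}, ".xls": {"ole2"}, ".docx": {"zip"}, ".docm": {"zip"}}

def sniff(data: bytes) -> str:
    """Identify a file by its first bytes, ignoring whatever its name claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def mismatched_attachments(raw: bytes):
    """Return (filename, extension, detected_type) for attachments whose content disagrees with the extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append((name, ext, kind))
    return findings

def build_sample() -> bytes:
    """Constructed message: attachment bodies are signature bytes plus padding, not real archives."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("Terms of reference attached below.")
    m.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="PROJECT.gz")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                     subtype="zip", filename="2701.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in mismatched_attachments(build_sample()):
        print("extension/content mismatch:", finding)
```

The check only inspects the outer container; a flagged archive still needs unpacking in a sandbox to examine the document inside.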
Both messages appearing to be hand-crafted, and the reference to today's date in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).
I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)
As soon as I published this post I checked my inbox and there was another one...
It looked like a VBA macro malware, indeed. Thanks Ludovic for reminding me of VirusTotal.