Second email I've received today (some headers omitted):



Return-Path:
Received: from unknown (HELO mail.bsme-mos.ru) (95.163.65.54)
  by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@94.23.58.202)
  by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_001_25F4_01D27898.7064C4E0"

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/plain;
  charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/html;
  charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

(HTML omitted)

------=_NextPart_001_25F4_01D27898.7064C4E0--

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: application/octet-stream;
  name="PROJECT.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
  filename="PROJECT.gz"

...

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).
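The extension/content mismatch described above is cheap to catch automatically. The following is my own added example, not code from the original post: it parses a MIME message, base64-decodes each attachment and compares its leading bytes with what the file name claims. The message, the RAR-like bytes and the small signature table are all constructed for the illustration.

```python
import base64
import email
from email import policy

# Leading-byte signatures for the container types named in the post (assumption: prefix match suffices).
MAGIC = {
    "gz": (b"\x1f\x8b",),
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
}

def sniff(data: bytes) -> str:
    """Container type implied by the first bytes, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"

def check_attachments(raw: bytes) -> list:
    """(filename, claimed_ext, sniffed_type) for each attachment whose extension lies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff(part.get_payload(decode=True) or b"")
        if actual != claimed:
            findings.append((name, claimed, actual))
    return findings

def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed two-part MIME message carrying `data` as a base64 attachment."""
    return (
        b"Subject: question\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\n"
        b"Terms of reference attached below.\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n\r\n'
        + base64.encodebytes(data) + b"--b1--\r\n"
    )

# Constructed stand-in for the post's attachment: named .gz, but the bytes start like a RAR archive.
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
SAMPLE = build_sample("PROJECT.gz", FAKE_RAR)

if __name__ == "__main__":
    for name, claimed, actual in check_attachments(SAMPLE):
        print(f"{name}: extension says {claimed!r} but content looks like {actual!r}")
```

A mail gateway or inbox filter can quarantine anything this flags before a user ever sees the "terms of reference".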

Both messages appear to be hand-crafted, and that, together with the reference to today's date in the attachment file name, IMHO hints at a focused campaign explicitly aimed at targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)

Update

As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like VBA macro malware, indeed. Thanks, Ludovic, for reminding me of VirusTotal.