MSGID: 2:221/360.0 5e8393a8   
   PID: JamNNTPd/OS2 1.3 20191227   
   TID: GE/2 1.2   
   CHRS: UTF-8 2   
   TZUTC: 0300   
   Received another suspicious email with a "Resumé" attachment just now.   
      
   No password version.   
      
   I renamed the file:   
      
   XXXXJohn Smith Resume.xls   
      
   Send it to VirusTotal.  Only ONE engine of many detected this thing.   
      
      
    TACHYON == Trojan/XF.Downloader.Gen   
      
      
   I looked inside the file and noticed a few clues in the clear (but I obscured a   
   few things here with #### so no one inadvertently clicks on a link):   
      
    C:\XTHbSJX\hQPDpQm\yNuMyDc.dl   
      
    http://march262020.####/files/bot.dll   
      
    URLDownloadToFileA   
      
    http://march262020.####/files/bot.dll   
      
    rundll32.exe,DllRegisterServer   
      
    http://march262020.####/files   
      
    CreateDirectory   
      
    ShellExecute   
      
    /bot.dll   
      
    Excel 4.0 Macros   
      
      
   Very telling!  Seems to me, that the simplest infection mechanism can still   
   find   
   an unsuspecting victim.   
      
   The domain reference above pointed to:   
      
    Source:  whois.apnic.net (APNIC serves the Asia Pacific region)   
    IP Address:  170.106.11.8   
      
   But it arrived via Germany:   
      
    X-EN-OrigIP: 194.25.134.80  <== via RIPE   
    Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])   
    Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de   
      
   Sneaky buggers, eh?   
      
   --- TB68.4.1/Win7   
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)   
   SEEN-BY: 1/123 90/1 103/705 154/10 203/0 221/0 1 6 360 226/30 227/114   
   SEEN-BY: 229/101 426 452 1014 240/5832 249/206 317 400 280/464 5003   
   SEEN-BY: 288/100 292/854 310/31 317/3 322/757 342/200 396/45 423/81   
   SEEN-BY: 423/120 712/848 770/1 2452/250   
   PATH: 221/360 1 280/464 229/426