Subj : another one phishing for a bite
To   : Daniel
From : August Abolins
Date : Thu Apr 09 2020 09:20:00

Hello Daniel!

** 07.04.20 - 00:03, Daniel wrote to August Abolins:

 D>Good job. I love doing that on the rare occasion I get an attachment. with
 D>xls I like to save them as zip files, then extract the components and dig
 D>around. It's silly simple how some of these trojans work.

I just received one that VirusTotal nor my local scanner detect any fault  
with.

But the email is:

   Hey,
   I'm James Smith and I'm interested in a position at your company.
   I think I would be a wonderful  to your company.
   I've added a copy of my resume.


   Thank you!

   --
   James Smith

And the attached file is: James Smith Resume.xls (169kb)

A binary look at it doesn't reveal any clues at all.  The vast majority of  
the chars are totally non-ascii.

The salient parts of the header are:

   Received: from o3.2e.shared.sendgrid.net ([50.31.60.24])
   X-EN-OrigIP: 50.31.60.24
   Received: from t-online.de (unknown)
   From: "James Smith" <63@jdscentral.com>
   Subject: Job
   Message-ID: <4269CC6C.3461899@jdscentral.com>
   Date: Thu, 09 Apr 2020 11:15:42 +0000 (UTC)
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
   Thunderbird/38.0.0

Meanwhile, I discovered https://www.joesandbox.com/  Looks impressive.   
Does anyone here use that?

  ../|ug

--- OpenXP 5.0.43
 * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

.