This is a weird one and I can’t determine what the final payload does by running the files in an online sandbox. I really don’t know if the bad actor has messed up or whether it is an anti-VM or anti-sandbox protection on it. The .z attachment on the emails is not correct and the actual attachment is a .iso file that has been renamed or mistakenly given a .z extension. I received 2 different copies of this email with the same payload and email content but coming from different email addresses and domains both on the same server with …
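A content-based check for the extension mismatch described above, as an added example that is not part of the original post: it ignores the file name and looks for an ISO 9660 or UDF volume descriptor identifier starting at sector 16, or for the Unix compress magic bytes. The file names, the sample bytes and the function names are constructed for illustration.

```python
ISO_SECTOR = 2048
FIRST_DESCRIPTOR = 16 * ISO_SECTOR   # volume descriptors start at sector 16
COMPRESS_MAGIC = b"\x1f\x9d"         # Unix compress (.Z) header
# 5-byte standard identifiers found at byte 1 of each descriptor sector
VOLUME_IDS = {b"CD001": "ISO 9660", b"BEA01": "UDF", b"NSR02": "UDF", b"NSR03": "UDF"}
# What each extension claims to be (only the two the post mentions)
EXPECTED_KIND = {"z": "compress", "iso": "disc-image"}


def sniff_disc_image(data, max_descriptors=16):
    """Return 'ISO 9660' or 'UDF' if a volume descriptor is present, else None."""
    for i in range(max_descriptors):
        off = FIRST_DESCRIPTOR + i * ISO_SECTOR
        ident = data[off + 1:off + 6]
        if len(ident) < 5:          # truncated file: nothing more to read
            return None
        if ident in VOLUME_IDS:
            return VOLUME_IDS[ident]
    return None


def classify_attachment(filename, data):
    """Compare what the extension claims with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_disc_image(data)
    if fmt:
        kind = "disc-image"
    elif data[:2] == COMPRESS_MAGIC:
        kind, fmt = "compress", "Unix compress"
    else:
        kind, fmt = "unknown", None
    expected = EXPECTED_KIND.get(ext)
    return {"extension": ext, "kind": kind, "format": fmt,
            "mismatch": expected is not None and kind != expected}


def constructed_iso():
    """Constructed sample: empty system area plus one primary volume descriptor."""
    pvd = (b"\x01CD001\x01").ljust(ISO_SECTOR, b"\x00")
    return b"\x00" * FIRST_DESCRIPTOR + pvd


if __name__ == "__main__":
    print(classify_attachment("invoice.z", constructed_iso()))      # constructed name
    print(classify_attachment("archive.z", COMPRESS_MAGIC + b"\x90data"))
```

A mail gateway or triage script can use the `mismatch` flag to quarantine attachments whose extension does not match their content before they reach a sandbox that picks its handler by file name.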