Spammers seem to be adding layers of obfuscation to their malware attachments in an attempt to evade spam filters that look inside attachments. Most malware attachments come in the form of executables, or, increasingly, Word files with malware-laden macros. These files are usually zipped, a common method of passing files via email. Most email gateways can unzip attachments to inspect the underlying file, so this simple layer of masking the file's true nature is becoming increasingly useless.
The example we'll take a look at purports to attach a copy of a requested passport. The email body looks like:
This looks much more like a typical script that results in the download of malware. The script visits the web sites listed at the bottom, retrieves what would seem to be pictures (judging from the URLs) but are in reality executables (as evidenced by the script saving the files as .exe files in the TEMP directory). The downloaded files are then executed by the "Run" statement. The malware files it downloads are in the MSIL Trojan Injector family.
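As an added example (not code from the original post), the following Python routine applies these observations on the gateway side: it unpacks nested zips with a depth bound, flags any member carrying a PE header regardless of its name, and flags scripts that fetch image-named URLs, write .exe files and call Run. The sample attachment, dropper script and URLs are constructed placeholders.

```python
import io
import re
import zipfile

# Signals from the post: nested zips, executables disguised by name, dropper scripts that fetch "pictures" but save .exe files and run them.
MAX_DEPTH = 4
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
IMAGE_URL_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp)$", re.I)
EXE_RE = re.compile(r"\.exe\b", re.I)
RUN_RE = re.compile(r"\.Run\b|ShellExecute|CreateProcess|Start-Process", re.I)

def inspect_member(name, data, depth, findings):
    """Classify one file, recursing into archives; append (name, reason) findings."""
    if data.startswith(b"MZ"):  # PE header, whatever the extension claims
        findings.append((name, "PE executable (MZ header)"))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        if depth > 0:
            findings.append((name, f"archive nested at depth {depth}"))
        if depth >= MAX_DEPTH:  # bound recursion so a zip bomb cannot stall the gateway
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inspect_member(info.filename, zf.read(info), depth + 1, findings)
    elif name.lower().endswith(SCRIPT_EXT):
        text = data.decode("latin-1")
        disguised = [u for u in URL_RE.findall(text) if IMAGE_URL_RE.search(u)]
        if disguised and EXE_RE.search(text) and RUN_RE.search(text):
            findings.append((name, f"dropper: {len(disguised)} image-named URL(s), writes .exe, runs it"))

def triage_attachment(name, blob):  # returns (member, reason) findings; [] means nothing flagged
    findings = []
    inspect_member(name, blob, 0, findings)
    return findings

def build_zip(members):  # helper used only to construct the sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, data in members.items():
            zf.writestr(member_name, data)
    return buf.getvalue()
# Constructed sample: a VBScript dropper zipped twice; URLs are placeholders, the download step is omitted.
SAMPLE_DROPPER = b"""Set sh = CreateObject("WScript.Shell")
urls = Array("http://example.invalid/1.jpg", "http://example.invalid/2.png")
For i = 0 To UBound(urls)
  path = sh.ExpandEnvironmentStrings("%TEMP%") & "\\pic" & i & ".exe"
  sh.Run path
Next"""
SAMPLE_ATTACHMENT = build_zip({"passport.zip": build_zip({"passport_scan.vbs": SAMPLE_DROPPER})})
```

Running `triage_attachment("passport.zip", SAMPLE_ATTACHMENT)` reports the nested archive and the dropper script; a plain text file or a zip of harmless text yields an empty list.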
This type of multi-layered obfuscation is often used by exploit kits. When an unsafe link is clicked, the kit uses this sort of trick to provide the landing page code that's rendered in the browser in an attempt to evade AV scanners and web gateways looking for suspicious traffic. As spammers try to transfer these tactics to email attachments, safe email practices become increasingly necessary. As always, DO NOT open attachments from senders you don't recognize, and be suspicious of any attachment you weren't expecting. If needed, verify with the sender before opening.