
Just a sample of the Echomail archive


 Message 1489 
 August Abolins to Daniel 
 another one phishing for a bite 
 09 Apr 20 09:20:00 
 
MSGID: 2:221/1.58@fidonet e341d3f0
REPLY: 1252.fido_internet@1:340/7 22f16092
PID: OpenXP/5.0.43 (Win32)
CHRS: ASCII 1
TZUTC: -0400
Hello Daniel!

** 07.04.20 - 00:03, Daniel wrote to August Abolins:

 D>Good job. I love doing that on the rare occasion I get an attachment. With
 D>xls I like to save them as zip files, then extract the components and dig
 D>around. It's silly simple how some of these trojans work.

I just received one that neither VirusTotal nor my local scanner detects any
fault with.

But the email is:

   Hey,
   I'm James Smith and I'm interested in a position at your company.
   I think I would be a wonderful  to your company.
   I've added a copy of my resume.


   Thank you!

   --
   James Smith

And the attached file is: James Smith Resume.xls (169kb)

A binary look at it doesn't reveal any clues at all.  The vast majority of  
the chars are totally non-ascii.

The salient parts of the header are:

   Received: from o3.2e.shared.sendgrid.net ([50.31.60.24])
   X-EN-OrigIP: 50.31.60.24
   Received: from t-online.de (unknown)
   From: "James Smith" <63@jdscentral.com>
   Subject: Job
   Message-ID: <4269CC6C.3461899@jdscentral.com>
   Date: Thu, 09 Apr 2020 11:15:42 +0000 (UTC)
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
   Thunderbird/38.0.0

Meanwhile, I discovered https://www.joesandbox.com/. Looks impressive.
Does anyone here use that?

  ../|ug

--- OpenXP 5.0.43
 * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
SEEN-BY: 1/123 90/1 103/705 154/10 203/0 221/1 6 360 226/30 227/114
SEEN-BY: 229/101 426 452 1014 240/5832 249/206 317 400 280/464 5003
SEEN-BY: 288/100 292/854 310/31 317/3 322/757 342/200 396/45 423/81
SEEN-BY: 423/120 712/848 770/1 2452/250
PATH: 221/1 280/464 229/426
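
An added triage sketch for the two checks discussed in this message (unzipping a spreadsheet to inspect its parts, and looking at the raw bytes); it is not code from either poster. It classifies the attachment by its leading bytes, because a legacy .xls is an OLE2 compound file while only the newer OOXML formats are ZIP archives. The marker strings, the list of parts and the in-memory sample files are assumptions constructed for this example.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.xlsm) is a ZIP
# Directory entry names inside an OLE2 file are stored as UTF-16LE.
OLE2_VBA_STORAGE = "_VBA_PROJECT_CUR".encode("utf-16-le")
# OOXML parts worth a closer look during triage (heuristic list, not exhaustive).
OOXML_PARTS = ("xl/vbaProject.bin", "xl/macrosheets/",
               "xl/externalLinks/", "xl/embeddings/")


def triage_spreadsheet(data: bytes) -> dict:
    """Classify an attachment by content, not by its file extension."""
    if data.startswith(OLE2_MAGIC):
        found = ["VBA storage present"] if OLE2_VBA_STORAGE in data else []
        return {"container": "ole2", "findings": found}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"container": "zip-corrupt", "findings": []}
        hits = sorted(n for n in names if n.startswith(OOXML_PARTS))
        return {"container": "ooxml-zip", "findings": hits}
    return {"container": "unknown", "findings": []}


def _constructed_samples() -> dict:
    """Build tiny stand-in files in memory (constructed, not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    ole = OLE2_MAGIC + b"\x00" * 504 + OLE2_VBA_STORAGE
    return {"macro.xlsm": buf.getvalue(), "legacy.xls": ole,
            "notes.txt": b"hello"}


if __name__ == "__main__":
    for name, blob in _constructed_samples().items():
        print(name, triage_spreadsheet(blob))
```

An empty findings list only means none of these markers were present; it is not a verdict on the file.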



(c) 1994,  bbs@darkrealms.ca