Thanks for the write-up! Yes, this clearly shows it is malware. In VirusTotal, it also indicates in "Behavior" that it targets apps like "Mail". They put a lot of effort into obfuscating the binary as well.

I believe what you wrote here has ten times more impact in convincing people. I would consider adding it to the blog as well (with obfuscated URLs so Google doesn't hurt the SEO).

Thanks for providing context!