Date: Fri, 17 Aug 2012 06:50:08 -0400
From: "Global Express" [firstname.lastname@example.org]
Subject: Re: FW: End of Aug. Stat. Required
as reqeusted I give you inovices issued to you per july.
The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.
22.214.171.124 (Slicehost, US)
126.96.36.199 (Infolink, Panama)
188.8.131.52 (Myren, Malaysia)