Date: Fri, 17 Aug 2012 06:50:08 -0400
From: "Global Express" [firstname.lastname@example.org]
Subject: Re: FW: End of Aug. Stat. Required
as reqeusted I give you inovices issued to you per july.
The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.
220.127.116.11 (Slicehost, US)
18.104.22.168 (Infolink, Panama)
22.214.171.124 (Myren, Malaysia)