Date: Fri, 17 Aug 2012 06:50:08 -0400
From: "Global Express" [email@example.com]
Subject: Re: FW: End of Aug. Stat. Required
as reqeusted I give you inovices issued to you per july.
The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.
126.96.36.199 (Slicehost, US)
188.8.131.52 (Infolink, Panama)
184.108.40.206 (Myren, Malaysia)