
Thursday, 27 September 2012

Intuit spam / buycelluleans.com

This fake Intuit spam leads to malware on buycelluleans.com:

From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.

Direct Deposit Service System information
Request status

Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
•    Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
•    Amount to be withdrawn: $1,107.47
•    Paychecks would be transferred to your employees' accounts on: September 28, 2012
•    Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516

The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.
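As an added example (not part of the original post), the following triage check flags the two indicators visible in this sample: a display name claiming Intuit on a non-Intuit sender domain, and a link to the payload domain. The `intuit.com` allow-list entry, the function names and the finding labels are assumptions made for illustration; the sample message is constructed from the headers quoted above, with the link defanged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from (not stated in the post).
BRAND_DOMAINS = {"intuit": {"intuit.com"}}
# Payload domain named in the post.
BLOCKED_DOMAINS = {"buycelluleans.com"}

# Matches live and defanged (hxxp, [.]) URLs and captures the host.
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^\s/<>\"')]+)", re.IGNORECASE)


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().replace("[.]", ".").split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domains(sender_domain, domains):
            findings.append(f"brand-mismatch:{brand}:{sender_domain.lower()}")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for host in URL_RE.findall(text):
            if in_domains(host, BLOCKED_DOMAINS):
                findings.append(f"blocked-url-host:{host.lower().replace('[.]', '.')}")
    return findings


# Constructed sample: headers from the post, body link defanged.
SAMPLE = (
    "From: Intuit PaymentNetwork <treacheriesz2@luther.k12.wi.us>\n"
    "Subject: Your payroll verification is started by Intuit.\n"
    "\n"
    "Please take a look at your payroll here:\n"
    "hxxp://buycelluleans[.]com/detects/groups_him.php\n"
)
```

The suffix match in `in_domains` is anchored on a dot, so a lookalike such as `notbuycelluleans.com` is not treated as the blocked domain, and a subdomain of it still is.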
