From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message
ADP Pressing Communication
Reference No.: 27711
Respected ADP Client October, 25 2012
Your Transaction Report(s) have been uploaded to the web site:
Click Here to access
Please overview the following information:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This email was sent to existing users in your company that access ADP Netsecure.
As general, thank you for using ADP as your business affiliate!
The malicious payload is at [donotclick]openpolygons.net/detects/lorrys_implication.php hosted on 126.96.36.199 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before.
That IP also hosts the fake AV application win8ss.com and another malware site of legacywins.com.
Plain list for copy-and-pasting: