Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From: Bill Me Later [email@example.com]
Subject: Thank you for scheduling a payment to Bill Me Later
Log in here
Your Bill Me Later� statement is now available!
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.
For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
Here are the details:
Your Bill Me Later Account Number Ending in: 0014
You Paid: $1644.03
Your Payment Date*: 04/03/2013
Your Payment Confirmation Number: 228646660603545001
Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46. The executable is resistant to automated analysis tools but has the following fingerprint:
Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it.