Date: Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From: Millard Hinton [email@example.com]
Subject: Merchant Statement
Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.
The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive and shows some peer-to-peer traffic and accessing of the WAB (Windows Address Book). Simseer's prognosis is that this is a Zbot variant.
For the record, these are the checksums involved: