Date: Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From: American Express [Jarvis_Randall@aexp.com]
Subject: Confidential - Secure Message from AMEX
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
2012 American Express Company. All rights reserved.
The attachment SecureMail.zip contains an executable file, SecureMail.exe, which has an icon designed to look like a PDF file. VirusTotal detections for the malware are just 15/46.
Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim.com on 220.127.116.11 (DorukNet, Turkey).
The ThreatTrack report also shows a connection to 18.104.22.168 as well as 22.214.171.124 (IOMART, UK) and several other IPs that may form part of a botnet.
Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Update: the ThreatExpert report also shows a connection to 126.96.36.199 (Hanaro Telecom, Korea) which is probably also worth blocking.
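As an added illustration of the EXE-in-ZIP blocking advice above (this is example code, not part of the original post or any vendor's filter), the following Python sketch inspects a raw message for ZIP attachments and flags members that are executables by name or by their `MZ` header, so a renamed file is still caught. The extension list, the function names and the sample message are assumptions constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumed policy list of executable extensions; adjust for your environment.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executable_members(zip_bytes):
    """Return names of ZIP members that look like Windows executables."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for info in zf.infolist():
            by_name = info.filename.lower().endswith(EXEC_EXTS)
            try:
                with zf.open(info) as member:
                    by_magic = member.read(2) == b"MZ"  # DOS/PE header magic
            except (RuntimeError, zipfile.BadZipFile):
                by_magic = False  # encrypted or unreadable: rely on the name check
            if by_name or by_magic:
                hits.append(info.filename)
    return hits

def scan_message(raw_bytes):
    """Map each ZIP attachment name to the executable members found inside it."""
    msg = email.message_from_bytes(raw_bytes)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        payload = part.get_payload(decode=True)  # None for multipart containers
        if name and payload and payload[:2] == b"PK":  # ZIP local-header magic
            hits = executable_members(payload)
            if hits:
                findings[name] = hits
    return findings

def build_sample():
    """Constructed message: a ZIP holding a harmless stub that starts with MZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMail.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed sample")
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="SecureMail.zip")
    return msg.as_bytes()
```

A gateway hook would quarantine or reject any message for which `scan_message` returns a non-empty result.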