From: Carlos Phillips [firstname.lastname@example.org]Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:
Subject: Invoice 48920
Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
The Malwr analysis shows some of the things going on, including network connections to:
126.96.36.199 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
188.8.131.52 (Softlayer, US)
184.108.40.206 (Chungwa Telecom, Taiwan)
220.127.116.11 (Hetzner, US)
18.104.22.168 (Razor Inc, US)
22.214.171.124 (Enet / XLHost, US)
126.96.36.199 (Main Hosting, US)
UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).
Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.
Additional IPs for Zbot component: