Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From: "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject: Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
The detection rate for this initial malware is just 9/45 at VirusTotal.
This is a Pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 18.104.22.168 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.
The downloader then attempts to fetch a second stage from the following locations (as well as installing all sorts of hooks into your system):
The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.
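As an added illustration (not part of the original post, and not code from the malware it describes), here is a small Python check for the lure pattern at the top of this post: a ZIP attachment carrying a Windows executable named like a document. The sample archive is constructed inline and holds only an "MZ" stub, not the real payload.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; a lure like "Instructions Secured E-mail.exe"
# relies on a PDF icon and a ".pdf" subject line to hide this from the recipient.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_WORDS = ("pdf", "invoice", "instructions", "statement", "secure")


def inspect_zip_attachment(zip_bytes):
    """Return one finding dict per archive member, flagging executable content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)  # PE files start with "MZ" whatever the name says
            finding = {
                "name": name,
                "executable_extension": ext in EXECUTABLE_EXTENSIONS,
                "pe_header": head == b"MZ",
                "document_like_name": any(w in name.lower() for w in DOCUMENT_WORDS),
            }
            # Either signal alone is enough: an executable disguised by name, or a PE
            # body hiding behind a harmless-looking extension.
            finding["suspicious"] = finding["pe_header"] or finding["executable_extension"]
            findings.append(finding)
    return findings


def build_sample_zip():
    """Constructed sample mimicking the lure layout (a PE stub, not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Instructions Secured E-mail.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f)
```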