Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@chase.com]
Subject: Remittance Docs 2982780

Please find attached the remittance 2982780.

If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.

Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036

The attachment is in the format Docs_victimdomain.com.zip, which contains an executable Docs_08222013_218.exe (note that the date is encoded into the filename). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
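As an added illustration (not part of the original post), here is a small Python check for this kind of attachment: it lists the archive members, flags executables, and tests whether a member name encodes the mail's own send date in MMDDYYYY form, as Docs_08222013_218.exe does. The archive and its contents are constructed test data, not the real malware, and the name patterns, the extension list and the one-day tolerance are assumptions based on this single sample.

```python
import io
import re
import zipfile
from datetime import datetime
from email.utils import parsedate_to_datetime

# Assumed name patterns from this campaign: Docs_<domain>.zip holding Docs_MMDDYYYY_NNN.exe
ZIP_NAME_RE = re.compile(r"^Docs_[\w.-]+\.zip$", re.IGNORECASE)
EXE_NAME_RE = re.compile(r"^Docs_(\d{2})(\d{2})(\d{4})_\d+\.exe$", re.IGNORECASE)

# Assumed list of member extensions worth flagging inside a "document" archive
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def build_sample_zip(member_name: str) -> bytes:
    """Build an in-memory archive with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder, not a real executable")
    return buf.getvalue()


def encoded_date(member_name: str):
    """Return the date encoded as MMDDYYYY in the member name, or None if absent/invalid."""
    m = EXE_NAME_RE.match(member_name)
    if not m:
        return None
    mm, dd, yyyy = (int(g) for g in m.groups())
    try:
        return datetime(yyyy, mm, dd).date()
    except ValueError:  # e.g. month 13 or day 32
        return None


def inspect_attachment(zip_name: str, zip_bytes: bytes, date_header: str) -> dict:
    """Inspect a zip attachment against the mail's Date header and return findings."""
    sent = parsedate_to_datetime(date_header).date()
    findings = {
        "zip_name_matches": bool(ZIP_NAME_RE.match(zip_name)),
        "executables": [],
        "date_encoded_members": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXEC_EXTENSIONS):
                findings["executables"].append(name)
            d = encoded_date(name)
            # One-day tolerance (assumption) covers time-zone roll-over between sender and receiver
            if d is not None and abs((d - sent).days) <= 1:
                findings["date_encoded_members"].append(name)
    # Suspicious: an executable whose name carries the send date, hidden in a "Docs" archive
    findings["suspicious"] = bool(findings["executables"]) and bool(findings["date_encoded_members"])
    return findings


if __name__ == "__main__":
    sample = build_sample_zip("Docs_08222013_218.exe")
    print(inspect_attachment("Docs_victimdomain.com.zip", sample,
                             "Thu, 22 Aug 2013 10:00:33 -0600"))
```

The date comparison is the part that adds signal: a bare "executable inside a zip" rule fires on plenty of legitimate mail, whereas a member name that encodes the very day the message was sent is characteristic of a generator stamping out daily batches.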
The downloader then fetches a second-stage component with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.
The Pony/Gate component is hosted on 126.96.36.199 (Nuclear Fallout Enterprises, US) via a hijacked GoDaddy domain, one of several on that server; those are listed below in italics.