Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48.
From: Lewis Muller [Lewis.Muller@intuit.com]
Subject: FW: Invoice 3056472
Your invoice is attached.
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer.
Automated analysis     shows the usual sort of badness, including a call home to gidleybuilders.com on 18.104.22.168 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week. Two compromised domains in a week seems a bit more than a coincidence. For information only, the following legitimate domains are also on that same server: