Date: Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]Attached is a file with the rather long name of case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46 and automated analysis   shows an attempted connection to bookmarkingbeast.com on 22.214.171.124 (Xeex Communications, US). That's just two IP addresses away from this other Xeex server mentioned here. I strongly suspect that there is a problem with servers in the 126.96.36.199/28 range so you might want to block those temporarily. This range is suballocated from Xeex to:
From: "info@victimdomain" [info@victimdomain]
Subject: [No Subject]
A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:
Provide Wage and Separation information (Form 1062/1074)
Provide Separation Pay Information
If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, <b>please print attached claim (file) and
complete any outstanding forms.
This message may contain privileged and/or confidential information. Unless you are the
addressee (or authorized to receive for the addressee), you may not use, copy,
disseminate, distribute or disclose to anyone the message or any information contained in
%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue