Date: Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From: Administrator [docs9@victimdomain]
Subject: FW: Last Month Remit
File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
The email appears to originate from the victim's own domain and mentions that domain in the body of the text. The attachment also carries the victim's domain in its name, in the format Remit_domain.tld.zip, and that zip in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file. In this case it is called Remit_10212013.exe, but note that the date (MMDDYYYY) is encoded into the filename.
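The lure has three structural tells that can be checked mechanically at the mail gateway: the sender domain equals the recipient domain, the zip attachment is named after that domain, and the executable inside it carries the sending date in MMDDYYYY form. The script below is an added example and not code from the original post. It builds a constructed message that mirrors the observed layout (the domain example.test, the recipient address and the MZ-stub "executable" are placeholders, not samples from the campaign) and runs a triage function over it; the same function returns nothing for an ordinary supplier e-mail with an .xls attachment.

```python
"""Triage check for the "Remit" lure pattern: own-domain spoofing, a zip named
Remit_<domain>.zip, and a date-stamped .exe inside.  Added example; the message
and attachment below are constructed, not captured from the campaign."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

EXE_NAME = re.compile(r"remit_(\d{8})\.exe", re.IGNORECASE)


def build_sample(domain="example.test"):
    """Constructed message reproducing the observed structure.  The inner
    file is a 64-byte MZ stub so the script runs offline without malware."""
    msg = EmailMessage()
    msg["Date"] = "Mon, 21 Oct 2013 15:08:15 +0100"
    msg["From"] = f"Administrator <docs9@{domain}>"      # spoofs the recipient's domain
    msg["To"] = f"accounts@{domain}"                      # placeholder recipient
    msg["Subject"] = "FW: Last Month Remit"
    msg.set_content("Original Filename: Last month remit file.xls\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Remit_10212013.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=f"Remit_{domain}.zip")
    return msg.as_bytes()


def build_benign(domain="example.test"):
    """Constructed control: external sender, plain spreadsheet attachment."""
    msg = EmailMessage()
    msg["Date"] = "Mon, 21 Oct 2013 15:08:15 +0100"
    msg["From"] = "Accounts <ar@supplier.example>"
    msg["To"] = f"accounts@{domain}"
    msg["Subject"] = "Remittance advice"
    msg.set_content("Please find this month's remittance attached.\n")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 60, maintype="application",
                       subtype="vnd.ms-excel", filename="remit.xls")
    return msg.as_bytes()


def _domain(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of findings (empty when none of the lure's tells match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_dom, rcpt_dom = _domain(msg["From"]), _domain(msg["To"])
    if sender_dom and sender_dom == rcpt_dom:
        findings.append(f"sender domain matches recipient domain: {rcpt_dom}")
    send_date = parsedate_to_datetime(msg["Date"]).strftime("%m%d%Y")  # MMDDYYYY

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == f"remit_{rcpt_dom}.zip":
            findings.append(f"attachment named for recipient domain: {name}")
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"zip attachment {name} is not a valid archive")
            continue
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            m = EXE_NAME.fullmatch(base)
            if not m:
                continue
            # Look at the content, not just the extension: an MZ header means PE.
            magic = zf.read(info)[:2]
            findings.append(f"zip contains executable: {base}"
                            f" ({'MZ header' if magic == b'MZ' else 'no MZ header'})")
            if m.group(1) == send_date:
                findings.append(f"executable name encodes send date {send_date}")
            else:
                findings.append(f"executable date {m.group(1)} differs from send date {send_date}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("ALERT:", line)
    print("benign findings:", triage(build_benign()))
```

The date comparison deliberately uses the Date header rather than the time of receipt, so a message that has sat in a queue still matches; the MZ check reads the archive member rather than trusting the .exe extension, which catches renamed payloads as well.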
2/47. Automated analysis tools show an attempted connection to p3-sports.com on 220.127.116.11 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. The malware also appears to try to connect to the following IPs, demonstrating a peer-to-peer capability.