Date: Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address, inside that is a ZIP file with the date encoded into the filename WF_Docs_121113.exe. VirusTotal detections for the ZIP are 6/49 and are 6/47 for the EXE.
From: Kerry Pettit [Kerry.Pettit@wellsfargo.com]
Subject: FW: Important docs
We have received this documents from your bank, please review attached documents.
Wells Fargo Accounting
817-884-0882 cell Kerry.Pettit@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Automated analysis    shows an attempted connection to hortonnovak.com on 126.96.36.199 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or both of them.