The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Date: Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From: Callie Figueroa [Callie@victimdomain]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.

Anubis reports an attempted connection to faneema.com on 220.127.116.11 (Mochahost, US). I recommend blocking both the domain and IP address in this case.
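The three things this report gives a defender to act on are the spoofed internal sender, the .scr hidden inside a .zip attachment, and the faneema.com / 220.127.116.11 callback. The script below is an added triage example, not part of the original post or of any tool mentioned in it: it checks each of those indicators against constructed sample data (a dummy archive named like the attachment, and a few made-up mail and proxy log lines). The executable-extension list goes beyond the single .scr case in the post, and the log line format is an assumption.

```python
import io
import re
import zipfile

# Indicators taken directly from the report above
BLOCKED_DOMAINS = {"faneema.com"}
BLOCKED_IPS = {"220.127.116.11"}

# Broader than the .scr case in the post: extensions Windows will execute
# even when the archive name suggests a document.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def is_spoofed_internal_sender(from_domain, recipient_domain, arrived_from_internal_relay):
    """Sender claims the recipient's own domain but the message did not come
    through an internal relay (the pattern described in the post)."""
    return from_domain.lower() == recipient_domain.lower() and not arrived_from_internal_relay


def risky_members_in_zip(zip_bytes):
    """Return member names inside the archive whose extension is executable.
    Only the central directory is read; nothing is extracted or run."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                risky.append(info.filename)
    return risky


def build_constructed_zip():
    """Constructed stand-in for Form_STD261.zip: same member name, harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Form_STD261.scr", b"dummy placeholder, not an executable")
    return buf.getvalue()


# Assumed proxy/firewall log format: "<time> <src> -> <dst_host_or_ip>:<port> <action>"
LOG_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$")


def matches_callback_indicator(log_line):
    """True when the destination host or IP is one of the report's indicators."""
    m = LOG_RE.match(log_line)
    if not m:
        return False
    dst = m.group("dst").lower()
    return dst in BLOCKED_DOMAINS or dst in BLOCKED_IPS


def triage(sample_log_lines):
    """Run all three checks over constructed inputs and return a summary dict."""
    return {
        "spoofed_sender": is_spoofed_internal_sender("victimdomain", "victimdomain", False),
        "risky_attachment_members": risky_members_in_zip(build_constructed_zip()),
        "callback_hits": [line for line in sample_log_lines if matches_callback_indicator(line)],
    }


# Constructed sample log lines (not from the report)
SAMPLE_LOG = [
    "12:01:03 10.0.0.15 -> faneema.com:80 ALLOW",
    "12:01:04 10.0.0.15 -> 220.127.116.11:443 ALLOW",
    "12:01:05 10.0.0.16 -> example.org:443 ALLOW",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The zip check deliberately reads only the archive's central directory, so the suspicious member is named without ever being extracted; the callback check is where a block on both the domain and the IP, as the post recommends, would be confirmed to be working (the two ALLOW lines for the indicators should become denies once the rules are in place).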