From: Media Trade firstname.lastname@example.org
Date: 6 April 2014 16:26
Subject: Produce & Information
How are you today?
This is Media Trade Company; we have interest in your product, and our company is planning on placing an order with your company. Please open and click on the pdf icon to see the attached document of our produce information and company details.
Thank you and have a nice day
Attached is a file, Our Produce Info.html, which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on 220.127.116.11 (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be a prudent idea; alternatively, you could block the dynamic DNS domain h19.ru, which is being abused in this case.
The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on 18.104.22.168. Also, the Anubis analysis gives an idea as to the files created.
Of interest, the IP 22.214.171.124 belongs to a company I have never heard of, called International Widespread Services Limited (aka IWS Networks Ltd) of the UAE. They also provide the mail relay used in the spam, which is 126.96.36.199.
I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.
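The pattern described here, an HTML attachment whose only purpose is to link out to an executable on a dynamic DNS host, is easy to catch at the mail gateway before anyone clicks. The following is an added example (not code from this post or from any of the analysis services mentioned) that pulls every href/src out of an HTML attachment and flags links that point straight at an executable, at a blocklisted IP, or at a blocklisted domain or any of its subdomains. The blocklist contents are the indicators from the write-up above; the sample attachment is constructed for the example and is an assumption about what the real file looked like.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the write-up above. In a real deployment these would
# come from a maintained blocklist, not a hard-coded set.
BLOCKED_DOMAINS = {"h19.ru", "ourdailyshopping.com"}
BLOCKED_IPS = {"220.127.116.11", "18.104.22.168"}

# File extensions that should never be the direct target of a link in a
# "please see our product information" attachment.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".jar")


class LinkExtractor(HTMLParser):
    """Collect every href and src target in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def domain_is_blocked(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one.

    Matching on the dot boundary means h19.ru catches surevilla.h19.ru but
    not an unrelated host such as notorioush19.ru.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def classify_link(url):
    """Return the list of reasons a link is suspicious (empty if none)."""
    # Links in these attachments often omit the scheme; add one so urlparse
    # splits host and path correctly.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reasons = []
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("links directly to an executable")
    if host in BLOCKED_IPS:
        reasons.append("host %s is on the IP blocklist" % host)
    elif domain_is_blocked(host, BLOCKED_DOMAINS):
        reasons.append("host %s is under a blocked domain" % host)
    return reasons


def scan_attachment(html):
    """Return [(url, [reasons...]), ...] for every suspicious link found."""
    findings = []
    for url in extract_links(html):
        reasons = classify_link(url)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample attachment modelled on the one described in the post.
# The first link is the indicator from the write-up; the PDF link is a benign
# decoy to show that ordinary document links are not flagged.
SAMPLE_ATTACHMENT = """
<html><body>
<p>Please click the icon below to view our produce information.</p>
<a href="http://surevilla.h19.ru/Our%20Produce%20Info.exe"><img src="pdf_icon.png"></a>
<a href="https://example.org/catalogue.pdf">Catalogue</a>
<img src="http://18.104.22.168/images/win/check/file.php">
</body></html>
"""

if __name__ == "__main__":
    for url, reasons in scan_attachment(SAMPLE_ATTACHMENT):
        print(url)
        for r in reasons:
            print("  -", r)
```

Running the block on the constructed sample reports two links: the .exe on the h19.ru subdomain (flagged both for the executable extension and for the blocked parent domain) and the image fetched from the blocklisted IP, while the catalogue.pdf link passes. The same scan_attachment function can be wired into a mail filter to quarantine messages whose HTML attachments contain any finding.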