Date: Wed, 14 May 2014 11:56:34 -0500 [12:56:34 EDT]
From: Nola Painter [Nola.Painter@citibank.com]
Subject: FW: Important - Commercial Form
Commercial Banking Form
Please scan attached document and fax it to +1 800-285-1110.
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is... For enquiries, please telephone the Service Desk on +1 800-285-4794 or email email@example.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.
Copyright © 2014 Citigroup Inc.
Other senders spotted include:
Lavonne Bermudez [Lavonne.Bermudez@citibank.com]
Gabriel Britton [Gabriel.Britton@citibank.com]
Attached to the message is an archive file, CommercialForm.zip, which in turn contains a malicious executable, CommercialForm.exe, with a VirusTotal detection rate of 19/52. Automated analysis tools show that it downloads an encrypted file from [donotclick]desktopcrafts.com/wp-content/uploads/2014/05/Targ-1405USdp.enc, although what that file does is currently unclear.
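The delivery pattern described above (an executable wrapped in a ZIP attachment) can be caught at the mail gateway by inspecting archive contents rather than trusting file names. The following is an added example, not part of the original post; it assumes the gateway can supply the raw message bytes, and the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".exe", ".scr", ".pif", ".com")  # run directly on double-click


def flag_zip_attachments(raw_message: bytes):
    """Return (attachment, member, reason) for executables inside ZIP attachments."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the content, not the declared file name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        name = part.get_filename() or "(unnamed)"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                    findings.append((name, info.filename, "encrypted"))
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)  # read only the magic bytes
                if head == b"MZ":  # DOS/PE header, whatever the extension says
                    findings.append((name, info.filename, "pe-header"))
                elif info.filename.lower().endswith(RISKY_EXT):
                    findings.append((name, info.filename, "risky-extension"))
    return findings


def build_sample() -> bytes:
    """Constructed message: ZIP holding a harmless stub that starts with 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CommercialForm.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign member")
    msg = EmailMessage()
    msg["Subject"] = "FW: Important - Commercial Form"
    msg["From"] = "sender@example.com"
    msg.set_content("Please scan attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="CommercialForm.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_zip_attachments(build_sample()))
```

Because the check reads the first two bytes of each member, an executable renamed to look like a document is still flagged, and password-protected members are reported separately since they cannot be inspected.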