Date: Wed, 30 Jul 2014 17:06:27 +0530 [07:36:27 EDT]Actually the body text isn't completely blank but does contain some bits of HTML.
From: Twila Garner [email@example.com]
Subject: Order status -950533 30.07.2014.xls
<XSSCleaned_taghttp-equiv="content-type" content="text/html; charset=UTF-8">
<body text="#000000" bgcolor="#FFFFFF">
But the payload is the thing, in this case there is an archivecalled 950533-30.07.2014.zip containing a folder order-8301138-30.07.2014.xls which in turn contains a malicious executable order-8301138-30.07.2014.xls.exe which has a VirusTotal detection rate of 6/54.
The Comodo CAMAS report shows attempted downloads from the following connections:
A second file is downloaded from these locations with a VT detection rate of just 2/54. The CAMAS report is inconclusive.
I recommend the following blocklist: