From: Mauro ReddinThe attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55.
Date: 15 September 2014 10:32
Subject: Overdue invoice #6767390
I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
The Comodo CAMAS report shows the malware attemping to phone home to golklopro.com/bitrix/modules.php which is multihomed on a number of IPs that look like a botnet to me.
UPDATE: The ThreatExpert report also shows an attempted phone-home to cosjesgame.su (also on a botnet) plus an attempted download from the following locations:
This malware looks like Zbot and is poorly detected by VirusTotal. The ThreatTrack report [pdf] shows that the malware attempts to connect to a bunch of domains that do not currently resolved (listed here [pastebin]).
I recommend that you apply the following blocklist:
For information, the WHOIS details for cosjesgame.su are as follows:
state: REGISTERED, DELEGATED
person: Private Person
UPDATE 2014-09-16: a second binary is doing the rounds, the detection rate for this at the moment is 27/55. Initial analysis suggests that it calls home to the same domains and IPs as listed above.