From: IRS [firstname.lastname@example.org]The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53. The irsuk.co site is hosted on 184.108.40.206 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux.com (220.127.116.11 - TheFirst-RU, Russia)
Date: 23 January 2015 at 11:46
Subject: IRS Fiscal Activity 531065
We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.
To install the program go to the link above:
Intrenal Revenue Sevrice
London W1K 6AH
The WHOIS details for the domain are almost definitely fake, but kind of interesting..
Registrant ID: CR185450554
Registrant Name: Thomas McCaffrey
Registrant Organization: Real Help Communications, Inc.
Registrant Address1: 3023 Anzac Avenue
Registrant City: Roslyn
Registrant State/Province: Pennsylvania
Registrant Postal Code: 19001
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2158872818
Registrant Email: email@example.com
They're interesting because these really are the valid contact details for Real Help Communcations, Inc which makes me wonder if their domain account at GoDaddy has been compromised.
A look at 18.104.22.168 shows there is only one active website on that IP address (irsuk.co) , but the host on the IP identifies itself as ukirsgov.com which is a domain created on the same day (2015-01-19) but has been suspended due to invalid WHOIS details (somebody at csc.com), which was hosted on a Bosnian IP of 22.214.171.124 (Team Consulting d.o.o.).That IP is identified as malicious by VirusTotal with a number of bad domains and binaries.
The malware POSTS to garbux.com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF.
Overall, automated analysis tools are not very clear about what this malware does      although you can guarantee it is nothing good.