From: John Smith [mailto:email@example.com]The link in the email has a format such as:
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs.gov on your email gateway might help.