Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above .
In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.
Automated analysis tools    show malicious traffic to the following IPs:
126.96.36.199 (C2NET Przno, Czech Republic)
188.8.131.52 (Clarity Telecom LLC / PrairieWave, US)
184.108.40.206 (Radionet, Ukraine)
220.127.116.11 (Safelink Internet , US)
18.104.22.168 (Orion Telekom, Serbia)
22.214.171.124 (SWAN, a.s. TRIO network, Slovakia)
126.96.36.199 (Rostelecom / VolgaTelecom, Russia)
188.8.131.52 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.