From "firstname.lastname@example.org" [email@example.com]In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 18.104.22.168 (Cobranet).
Date Fri, 11 Sep 2015 10:39:32 GMT
Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085
Your Reference: 14 /Geneva
In this case, the payload is Upatre downloading the Dyre banking trojan.