The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far, with detection rates of 3/55 and 2/55 respectively.

From: [random]
Date: Wed, 28 Oct 2015 10:39:26 +0100
Boat has been done a week now. I contacted you last week
Boat is ready to pick up, I have had inquiries as to people wanting to
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year, Memorial Day to 4th of
July most boats
Please call me to arrange payment and pickup of the Boat,
need me to store the boat I can do that at the storage facility,
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow, Balance is due now!
Your invoice is attached. Please
Thank you for your business - we appreciate it very
Don and Carol Racine
Racine Design, Inc.
Jacksonville, Fl. 32220
phone (904) 771-8170
Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre, which commonly calls back to 188.8.131.52 (Cobranet, Nigeria), an IP that I strongly recommend you block.
The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.
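As an added example (not part of the original post, and not any vendor's tooling), the following Python script flags the two indicators described above: a ZIP attachment whose file name equals the message subject, and outbound connections to the callback IP named in the post. The message it parses and the connection-log lines it scans are constructed for the demonstration, and the log line format is an assumption.

```python
"""Detection helpers for the Upatre/Dyre spam pattern described in the post."""
import email
from email import policy
from email.message import EmailMessage

# Indicator taken from the post: the callback IP the analyst recommends blocking.
BLOCKLIST_IPS = {"188.8.131.52"}


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern policy so attachment helpers work."""
    return email.message_from_bytes(raw, policy=policy.default)


def zip_attachments_matching_subject(msg: EmailMessage) -> list:
    """Return names of ZIP attachments whose base name equals the Subject header.

    This is the campaign's signature: a random-sentence subject that is also the
    attachment's file name. The comparison is case-insensitive and ignores
    surrounding whitespace so minor mangling by mail gateways does not defeat it.
    """
    subject = str(msg.get("Subject", "")).strip().casefold()
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        if name[:-len(".zip")].strip().casefold() == subject:
            hits.append(name)
    return hits


def blocklisted_connections(log_lines, blocklist=BLOCKLIST_IPS) -> list:
    """Flag connection-log lines whose destination IP is on the blocklist.

    Assumed (hypothetical) log format: "<timestamp> <src_ip:port> <dst_ip:port>".
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than abort the sweep
        ts, src, dst = fields[:3]
        dst_ip = dst.rsplit(":", 1)[0]
        if dst_ip in blocklist:
            hits.append((ts, src, dst_ip))
    return hits


def build_sample_message(subject: str, zip_name: str) -> bytes:
    """Construct a test message in the shape of the campaign (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # the real campaign randomises the sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Your invoice is attached. Please call me to arrange payment.")
    # Four bytes of ZIP local-file-header magic stand in for a real archive.
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


# Constructed connection-log lines; 192.0.2.10 is documentation space (RFC 5737).
CONSTRUCTED_CONN_LOG = [
    "2015-10-28T10:41:02Z 10.0.0.15:49731 188.8.131.52:443",
    "2015-10-28T10:41:05Z 10.0.0.15:49732 192.0.2.10:80",
]


if __name__ == "__main__":
    raw = build_sample_message("Boat has been done a week now",
                               "Boat has been done a week now.zip")
    msg = parse_message(raw)
    print("subject/zip match:", zip_attachments_matching_subject(msg))
    print("callbacks to blocked IPs:", blocklisted_connections(CONSTRUCTED_CONN_LOG))
```

The subject/attachment check is cheap enough to run on a mail gateway for every inbound message with a ZIP attachment; the connection-log sweep is the retrospective half, for finding hosts that already ran the payload before the IP was blocked.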