From: accounting@abcimportexport.com
Reply-To: userworldz@yahoo.com
To: Recipients [accounting@abcimportexport.com]
Date: 31 May 2016 at 12:31
Subject: New Company Order

The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip. This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] show network traffic to:
185.5.175.211 (Voxility SRL, Romania)
This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24
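As an added example (not part of the original post), a small Python checker that applies the indicators above to proxy/firewall log lines: it flags traffic to the C2 address 185.5.175.211, anything else inside the 185.5.175.0/24 block recommended for blocking, and fetches of the scan_purchase_orders.zip URL. The log line layout and the sample lines are constructed for the example; 192.0.2.x and 198.51.100.x are documentation addresses standing in for unrelated hosts.

```python
import ipaddress
import re

# Indicators stated in the post: the C2 address, the /24 it recommends blocking,
# and the download URL carrying the malicious ZIP.
C2_IP = ipaddress.ip_address("185.5.175.211")
BLOCKED_NET = ipaddress.ip_network("185.5.175.0/24")
DOWNLOAD_URL = "gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip"

# Assumed log layout (not from the post): "<timestamp> <src> -> <dst>:<port> <url or ->".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[0-9.]+):(?P<port>\d+) (?P<url>\S+)$"
)

# Constructed sample lines; 192.0.2.x / 198.51.100.x are documentation addresses
# standing in for unrelated hosts.
SAMPLE_LOGS = [
    "2016-05-31T12:40:01 10.0.0.15 -> 192.0.2.10:443 https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip",
    "2016-05-31T12:41:07 10.0.0.15 -> 185.5.175.211:80 -",
    "2016-05-31T12:41:09 10.0.0.15 -> 185.5.175.12:80 -",
    "2016-05-31T12:42:00 10.0.0.22 -> 198.51.100.7:443 https://example.com/",
]


def classify(line):
    """Reasons a line matches the post's indicators: [] if clean, None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    dst = ipaddress.ip_address(m["dst"])
    if dst == C2_IP:
        reasons.append("destination is the known C2 185.5.175.211")
    elif dst in BLOCKED_NET:
        reasons.append("destination is inside blocked 185.5.175.0/24")
    if DOWNLOAD_URL in m["url"].lower():
        reasons.append("fetched the payload URL scan_purchase_orders.zip")
    return reasons


def find_hits(lines):
    """Pair each matching line with its reasons, skipping clean and unparseable lines."""
    return [(line, r) for line in lines if (r := classify(line))]


if __name__ == "__main__":
    for line, reasons in find_hits(SAMPLE_LOGS):
        print(line, "=>", "; ".join(reasons))
```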