The emails carried links to sites hosting the Blackhole exploit kit, in what was plainly an attempt to infect the machines of corporate users.
In a Webroot analysis, Dancho Danchev explains that the two separate campaigns impersonated Intuit Payroll direct deposit notifications in the hope that recipients would follow the malicious links in the emails and so infect themselves via the latest version of the Blackhole exploit kit.
The kit serves an exploit for a two-year-old Adobe Reader vulnerability, CVE-2010-0188, so it only succeeds against hosts that are still running an unpatched Reader. Successful exploitation drops two payloads on the victim host, with MD5 hashes 5723f92abf257101be20100e5de1cf6f and 06c6544f554ea892e86b6c2cb6a1700c.
The various malicious domains used in the campaign all resolved to the same set of IP addresses, which makes that address set a useful pivot for blocking. The list of malicious URLs is in Danchev's write-up.
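As an added example (not from the article or from Danchev's write-up), the following Python script turns the two MD5 indicators above into a simple host-side check: it hashes every regular file under a directory tree and reports those whose digest is in the indicator set. The sample file, its content and the directory layout in `demo()` are constructed for the demonstration; the only real indicators are the two hashes quoted from the article.

```python
"""Sweep a directory tree for files whose MD5 matches known indicators.

Added example: the two hashes in CAMPAIGN_MD5S are the indicators reported
for the Intuit-themed Blackhole campaign; everything created in demo() is
constructed sample data, not real malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators of the two payloads dropped by the exploit, as reported.
CAMPAIGN_MD5S = {
    "5723f92abf257101be20100e5de1cf6f",
    "06c6544f554ea892e86b6c2cb6a1700c",
}


def file_md5(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading it in chunks so large files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_hashes(root, indicators):
    """Return [(path, md5)] for every regular file under root whose MD5 is in indicators.

    Symlinks are skipped so a malicious link cannot pull the sweep outside root,
    and unreadable files are skipped rather than aborting the whole sweep.
    """
    wanted = {h.lower() for h in indicators}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(str(root)):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = file_md5(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Build a constructed directory tree and return the base names of matching files.

    The sample payload is harmless text; its own MD5 is added to the indicator
    set so the sweep has something to find without shipping real malware.
    """
    sample = b"constructed sample payload for the demo, not real malware\n"
    sample_md5 = hashlib.md5(sample).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "sample_payload.bin").write_bytes(sample)
        (root / "benign.txt").write_bytes(b"nothing to see here\n")
        hits = scan_for_hashes(root, CAMPAIGN_MD5S | {sample_md5})
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    for name in demo():
        print("indicator match:", name)
```

Run it with `python3 sweep.py` against the constructed tree, or call `scan_for_hashes("/path/to/inbox-downloads", CAMPAIGN_MD5S)` on a real directory. Keep in mind that a file hash is the most brittle indicator available: the next repack of the payload changes its MD5, so a sweep like this catches only the exact samples Danchev observed and should be paired with the domain and IP indicators from the write-up.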