We ordered a license yesterday and today we received a payroll file.
On my machine my av jumps up and reports a TR/Bublik.clpx inside the Payroll.scr file.
I can’t find explicit information on that id, only similars: Avira Virus Lab
The mail says, it should be .xls but’s a .scr, hmmmm.
Is this mail from you?
Besides
Bublik is russian bread as well: Bublik - Wikipedia 
Here’s the original mail:
File Validity: 24/04/2014
Company : http://***************
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
The longer I watch the source, the more it is definitely a fraud:
I missed the first line before I wrote things above … gee.
Return-Path: <fraud@aexp.com>
X-Original-To: dev@*********
Delivered-To: m02ab570@*********
X-policyd-weight: NOT_IN_SPAMCOP=-1.5 NOT_IN_IX_MANITU=-1.5 CL_IP_NE_HELO=1.5 REV_IP_EQ_HELO=-1.25 (check from: .aexp. - helo: .localhost. - helo-domain: .localhost.) FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; rate: -1.15
Received: from localhost (unknown [113.189.215.109])
by dd17412.kasserver.com (Postfix) with ESMTP id 5E38E1E2025C
for <dev@*********>; Fri, 25 Apr 2014 04:44:29 +0200 (CEST)
Received: from voice718.********* (10.0.0.100) by ********* (10.0.0.164) with Microsoft SMTP Server (TLS) id 2Y3Y87E9; Fri, 25 Apr 2014 09:44:35 +0700
Received: from message1531.********* (10.188.69.90) by smtp.********* (10.0.0.180) with Microsoft SMTP Server id YT6PJZCV; Fri, 25 Apr 2014 09:44:35 +0700
Date: Fri, 25 Apr 2014 09:44:35 +0700
From: "Unity Messaging System" <Unity_UNITY4@*********>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <VE4PXIHCA3TUOK5QZ5PK3XAOM56CP6TH8X1W4L@*********>
X-MS-Exchange-Organization-AuthSource: 6SMG96F3JC8O706@*********
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 06
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;2;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <4CWHJS1DZNJAT9COMXY4KCX12Q032HQGHUXALV@*********>
To: <dev@*********>
Subject: Internal Payroll
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_005_23S1M7GGNM9QEN0NUNBCXR9ZOO4V0ZJCTF43LS8RT8MJIE2NW79S205_"
X-KasLoop: m02ab570
Please confirm if this mail is definitely not from your system, thanks.