My email forensics is a little rusty. Here is what I am working with:
Received: from gideon.mail.atl.earthlink.net ([126.96.36.199])
by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([188.8.131.52])
by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
From: "Notice to Appear" <firstname.lastname@example.org>
So to me the return path is probably faked. Is the jonesday email address faked? They used XimianEvolution for the email client. I'd love to see a strong analysis to see what I am interpreting correctly and what I am interpreting wrong. The payload was malware, but in my opinion, clearly targeted. I've used a couple of free online forensic tools, but I don't have the name of the malware. Your thoughts are appreciated. I did see the bit about BillStanners-PC.
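Added example, not part of the original post: a Python sketch that walks the quoted Received chain newest-first and reports the hop where the recipient's provider accepted the message from outside. The function names are hypothetical, the sample is rebuilt from the header lines above, and `earthlink.net` as the recipient's provider is an assumption read from those headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the post, folded with a
# leading space so they parse as continuation lines. Values are as posted.
SAMPLE = (
    "Received: from gideon.mail.atl.earthlink.net ([126.96.36.199])\n"
    " by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id"
    " 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)\n"
    "Received: from jonesday.com ([188.8.131.52])\n"
    " by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id"
    " 1vVaZX44Z3Nl3pK0\n"
    " for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)\n"
    'From: "Notice to Appear" <firstname.lastname@example.org>\n\n'
)

# "from <name given in HELO/EHLO> (... [<IP of the TCP peer>] ...) by <server>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([^\]]+)\][^)]*\)\s+by\s+(\S+)")

def in_domain(host, domain):
    # Exact or dot-boundary match, so "notearthlink.net" does not pass.
    return host == domain or host.endswith("." + domain)

def received_hops(raw):
    """Return hops in header order, newest first (servers prepend their line)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        helo, ip, by = m.groups() if m else ("", "", "")  # unknown format: blank
        hops.append({"helo": helo.lower(), "ip": ip, "by": by.lower()})
    return hops

def trust_boundary(raw, my_provider):
    """Follow the provider's own hops down to the handoff from outside.

    That hop's bracketed IP was recorded by the provider's server. The HELO
    name, the From: header and every older Received line came from the sender.
    Judging "internal" by HELO name is an approximation (assumption of this
    sketch); confirming the peer IP belongs to the provider is stronger.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for hop in received_hops(raw):
        if not in_domain(hop["by"], my_provider):
            return None  # chain left the provider before a boundary was found
        if not in_domain(hop["helo"], my_provider):
            return {"observed_ip": hop["ip"], "claimed_helo": hop["helo"],
                    "claimed_from_domain": from_domain}
    return None

if __name__ == "__main__":
    print(trust_boundary(SAMPLE, "earthlink.net"))
```

The `observed_ip` value is the one to compare against the claimed domain's published sending hosts; `claimed_helo` and `claimed_from_domain` are only what the sending side asserted.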