Date: Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From: "Amazon.com Customer Care Service" [email@example.com]
Subject: Payment for Your Amazon Order # 104-884-8180383
Please note: This is not a VAT invoice.
The link in the email goes through a legitimate but hacked site to an intermediate page with the following redirectors:
From there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here). goldcoinvault.com is a hacked GoDaddy domain that has been hijacked to point at 220.127.116.11 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but at the moment the malware page appears to be returning a 403 error, which is good.
The following domains appear to be pointing to that server: