Date: Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From: HP Digital Device [HP.Digital8@victimdomain]
Subject: Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file name). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.
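A mail-gateway check for the attachment pattern described in this post (a ZIP whose name embeds the send date as MMDDYYYY and which carries an executable rather than the promised PDF), written as an added example for this page rather than code from the post or any vendor. The sample message and ZIP are constructed inline; the address and executable contents are placeholders.

```python
import io
import re
import zipfile
from email import message_from_string
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Naming seen in this campaign: SCAN_<n>_<MMDDYYYY>_<n>.zip
SCAN_NAME = re.compile(r"^SCAN_\d+_(\d{8})_\d+\.zip$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def executables_in_zip(data: bytes) -> list:
    """Return member names with executable extensions, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]


def assess_scan_mail(raw: str) -> dict:
    """Flag 'scanner' mails whose ZIP name encodes the Date header or hides an EXE."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        m = SCAN_NAME.match(name)
        if m and m.group(1) == sent.strftime("%m%d%Y"):
            findings.append("attachment name encodes the send date: " + name)
        if name.lower().endswith(".zip"):
            exes = executables_in_zip(part.get_payload(decode=True))
            if exes:
                findings.append("zip contains executable(s): " + ", ".join(exes))
    return {"suspicious": bool(findings), "findings": findings}


def build_sample() -> str:
    """Constructed test message mirroring the post's headers; the EXE is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCAN_129_07082013_18911.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["Date"] = "Mon, 8 Jul 2013 12:20:24 -0500"
    m["From"] = "HP Digital Device <HP.Digital8@victimdomain.example>"  # placeholder
    m["Subject"] = "Scanned Image from a Xerox WorkCentre"
    m.set_content("Please open the attached document.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="SCAN_129_07082013_18911.zip")
    return m.as_string()
```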
As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 18.104.22.168 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.
The ThreatTrack report reveals more details [pdf], including the subsequent download locations, as does the ThreatExpert report.
This second file has a much lower detection rate at VirusTotal of just 3/47 (and those detections are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. The addresses contacted all appear to be dynamic ADSL addresses and are probably not worth trying to block.