Date: Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48.
From: Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~9.pdf
multifunction device Location: machine location not set
Device Name: Xerox1552
For more information on Xerox products and solutions, please visit http://www.xerox.com
Automated analysis    shows a connection to cushinc.com on 126.96.36.199 (Westhost, US). This is the same server as seen yesterday, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent.