From: eFax [firstname.lastname@example.org]The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.
Date: 28 May 2014 13:12
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643
Fax Message [Caller-ID: 1-949-698-5643
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.
* The reference number for this fax is atl_did1-1400166434-95058563842-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
This binary has a VirusTotal detection rate of 6/53. Automated reporting tools   show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
- baura.exe (VT 3/53, Malwr report)
- yaccpdf.exe (VT 4/53, Malwr report)
- pdfmarks.exe (VT 4/52, Malwr report)
- yxnib.exe (VT 3/53, Malwr report)