From: Fax [email@example.com]
Date: 9 January 2015 at 14:52
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http://rehberhatay.com/files/get_msg.html
As before, there are several links leading to different download locations, the ones I have personally seen are:
What is interesting though is that the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip" it seems to be different.
Visiting the sites I listed above gets ten different download locations:
That led to 10 different ZIP files containing different EXE files, each one with similar VT results, and in turn Malwr reports that they are almost identical functionally.
Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
18.104.22.168 (Excell Media Pvt Lt, India) is probably the key thing to block.
Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55 and you can see the Malwr report for that file here.
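Since the ZIP and EXE differ on every download, hashes of the downloader are poor indicators, so this added example (not part of the original post) triages proxy logs by the network indicators named above instead. The log format, the sample lines, the 30-minute window and the idea that other compromised sites reuse the same landing path are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the post. Assumption: other compromised sites in the
# campaign reuse the same landing-page path as the one link shown.
LANDING_PATH = "/files/get_msg.html"
ZIP_NAME = "message.zip"
BLOCK_IP = "18.104.22.168"

# Assumed proxy log format: "<ISO time> <client> <dest host/IP> <path>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines in time order, not real traffic.
SAMPLE_LOG = """\
2015-01-09T14:55:02 10.0.0.21 rehberhatay.com /files/get_msg.html
2015-01-09T14:55:09 10.0.0.21 download.example /x/message.zip
2015-01-09T14:58:40 10.0.0.21 18.104.22.168 /gate
2015-01-09T15:01:13 10.0.0.34 rehberhatay.com /files/get_msg.html
2015-01-09T15:20:00 10.0.0.50 intranet.example /files/report.html
""".splitlines()


def triage(lines, window=timedelta(minutes=30)):
    """Return {client: stage}, stage being 'clicked', 'downloaded' or 'beaconed'."""
    stage, clicked_at = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the run
        ts, client, dest, path = m.groups()
        when = datetime.fromisoformat(ts)
        path = path.split("?")[0]  # ignore any query string
        if path.endswith(LANDING_PATH):
            clicked_at[client] = when
            stage.setdefault(client, "clicked")
        elif (path.endswith("/" + ZIP_NAME) and client in clicked_at
              and when - clicked_at[client] <= window):
            # ZIP fetched shortly after the landing page: the lure was followed.
            if stage[client] == "clicked":
                stage[client] = "downloaded"
        elif dest == BLOCK_IP:
            # Traffic to the IP the post says to block is flagged on its own,
            # because the downloader itself differs on every download.
            stage[client] = "beaconed"
    return stage


if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, state)
```

Clients marked "beaconed" are the ones to pull for a closer look first; "clicked" alone means the lure was opened but no ZIP fetch was seen in the window.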
For researchers only, a copy of the file involved can be found here, password=infected