Date: 18 June 2015 at 08:46
Subject: NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by: bol.com.br
Estamos encaminhando o LINK para download da nota fiscal eletrônica.
Caso tenha alguns dos dados errados favor nos retorne no email firstname.lastname@example.org.
ATT, DANI AIRES DP.FINANCEIRO
Por favor, não "responda" esta mensagem.
The reference numbers and sender change slightly in each version.
I've seen three samples before, each one with a different download location [a list is here] which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.
The Malwr report indicates that it downloads components from the following locations:
The Hybrid Analysis report also has some other details.
These sites are hosted on:
18.104.22.168 (WebsiteWelcome, US)
22.214.171.124 (Universo Online, Brazil)
The VirusTotal report for both these IPs   indicates a high level of badness, indicating that they should be blocked.
Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.