In the only sample I saw, the spam looks like this:
From: firstname.lastname@example.org
Date: 26 August 2015 at 23:29
Signed by: yahoo.com

Hi! my name is Janet Ronald it is my resume!
Awaiting your prompt reply

Attached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].
The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
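Because the message really is signed by yahoo.com, sender-forgery checks will pass, so filtering has to look at the attachment instead. The following is an added example, not code from the original post: a triage check that flags mail from an authenticated freemail domain carrying a legacy Office document with a VBA project. The recipient address, the `mx.example.test` host, the `FREEMAIL` set and the stub attachment are constructed assumptions, and the `_VBA_PROJECT` byte search is a heuristic rather than a full OLE parse.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # header of legacy .doc/.xls (OLE2) files
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name present when macros exist
FREEMAIL = {"yahoo.com"}                         # assumption: extend for your own mail flow

def dkim_pass_domains(msg):
    """Domains marked dkim=pass; only trust this header if your own MTA adds it."""
    found = set()
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";"):
            tokens = clause.split()
            if tokens and tokens[0] == "dkim=pass":
                found.update(t[9:].lower() for t in tokens if t.startswith("header.d="))
    return found

def triage(raw_bytes):
    """Return (suspicious, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    freemail = bool(dkim_pass_domains(msg) & FREEMAIL)
    reasons = ["authenticated freemail sender"] if freemail else []
    macro_doc = False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            macro_doc = True
            reasons.append("macro-bearing OLE2 attachment: %s" % part.get_filename())
    return freemail and macro_doc, reasons

def build_sample(with_macro=True):
    """Constructed test message; the attachment is a stub, not a real document."""
    msg = EmailMessage()
    msg["From"] = "sender@yahoo.com"
    msg["To"] = "hr@example.test"
    msg["Subject"] = "resume"
    msg["Authentication-Results"] = "mx.example.test; dkim=pass header.d=yahoo.com"
    msg.set_content("Hi! my name is Janet Ronald it is my resume!")
    stub = OLE_MAGIC + b"\x00" * 64 + (VBA_MARKER if with_macro else b"") + b"\x00" * 64
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="Janet_Ronald_resume.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```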
Deobfuscating the macro shows that a file is downloaded from http://188.8.131.52/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it.
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
184.108.40.206 (Eurobyte, Russia)
linecellardemo.net / 220.127.116.11 (GoDaddy, US)
You might want to block the entire 18.104.22.168/24 range because.. well, Russia really.