From: DHL Courier Services [email@example.com]
Date: 23 September 2015 at 11:15
Subject: SHIPMENT LABEL
Signed by: community.mile.org
Your shipment arrived at the post office. Our courier was unable to deliver the shipment to your address. To receive the shipment, please visit the nearest DHL office and take your mailing label with you.
The mailing label is attached in this email. Please print and show at the nearest DHL office to receive the shipment.
Thank you for using DHL services.
Princess Court 11
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).
If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on 184.108.40.206 (Inetserver Inc, US), which belongs to the netblock 220.127.116.11/29, which also looks highly suspect.
here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org
For the moment, I would suggest that the entire 18.104.22.168/29 range is malicious and should be blocked.
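A PDF like the one described above carries no exploit, only a link, so attachment triage has to look at the link targets themselves. The following is an added example, not part of the original post: it pulls /URI action targets out of uncompressed PDF objects and labels links that go through a URL shortener. The shortener list, the function names and the sample PDF fragment are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small illustrative set of URL-shortener hosts; extend it locally.
SHORTENERS = {"ow.ly", "bit.ly", "goo.gl", "tinyurl.com", "t.co"}

# A URI action stores its target as a literal string (...) or a hex string <...>.
# Unescaped nested parentheses inside the literal are not handled here.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def extract_uris(pdf_bytes):
    """Return the targets of /URI actions found in uncompressed PDF objects."""
    uris = []
    for literal, hexstr in URI_RE.findall(pdf_bytes):
        if hexstr:
            digits = re.sub(rb"\s", b"", hexstr).decode("ascii")
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))  # odd length pads with 0
        else:
            raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris

def needs_full_parse(pdf_bytes):
    """True when links may sit in compressed object streams this scan cannot see."""
    return b"/ObjStm" in pdf_bytes

def triage(pdf_bytes):
    """Label each embedded link: 'shortener', 'direct' or 'non-web'."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https"):
            label = "non-web"
        elif host in SHORTENERS:
            label = "shortener"  # real destination is hidden behind a redirect
        else:
            label = "direct"
        findings.append((uri, host, label))
    return findings

# Constructed sample: two link annotations as they appear in an uncompressed PDF.
SAMPLE = (b"%PDF-1.4\n5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 50]\n"
          b"   /A << /S /URI /URI (http://ow.ly/EXAMPLE) >> >>\nendobj\n"
          b"6 0 obj\n<< /Type /Annot /Subtype /Link\n"
          b"   /A << /S /URI /URI <687474703A2F2F6578616D706C652E636F6D2F61> >> >>\nendobj\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("needs full parser:", needs_full_parse(SAMPLE))
```

When `needs_full_parse` returns true, the byte scan can miss links, and the file should go through a real PDF parser or a sandbox instead.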