From: ENOM, INC. [email@example.com]In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify any domain name and it gives a matching file.
Date: 30 October 2015 at 04:11
Subject: Domain LAPTOP-MEMORY.COM Suspension Notice
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:
Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE
Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 188.8.131.52 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.
The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools    indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):
Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:
184.108.40.206 (Unified Layer, US)
220.127.116.11 (Unified Layer, US)
18.104.22.168 (WebSiteWelcome, US) [13 instances]
22.214.171.124 (Unified Layer, US)
126.96.36.199 (Unified Layer, US)
188.8.131.52 (WebSiteWelcome, US) [2 instances]
184.108.40.206 (WebSiteWelcome, US) [7 instances]
220.127.116.11 (WebSiteWelcome, US)
18.104.22.168 (WebSiteWelcome, US)
22.214.171.124 (WebSiteWelcome, US) [4 instances]
126.96.36.199 (WebSiteWelcome, US)
188.8.131.52 (WebSiteWelcome, US)
184.108.40.206 (WebSiteWelcome, US)
220.127.116.11 (WebSiteWelcome, US) [2 instances]
18.104.22.168 (WebSiteWelcome, US)
22.214.171.124 (WebSiteWelcome, US)
126.96.36.199 (WebSiteWelcome, US) [2 instances]
188.8.131.52 (WebSiteWelcome, US)
184.108.40.206 (WebSiteWelcome, US)
220.127.116.11 (Unified Layer, US) [4 instances]
18.104.22.168 (Unified Layer, US)
22.214.171.124 (GoDaddy, US)
A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 126.96.36.199) indicates several compromised domains on the same server, indicating that the entire box has been popped.
It isn't clear what the payload is, but given the fact that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domains or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to choose to do so.
The payload appears to be the Cryptowall ransomware.