Date: Thu, 1 Dec 2011 17:55:30 +0900
From: "LinkedIn" [firstname.lastname@example.org]
Subject: So now you're on LinkedIn: What's next?
The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction ID: 730771521612
Reason of rejection See details in the report below
Transaction Report report_730771521612.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
© 2011 NACHA - The Electronic Payments Association
Yup, the headers are for a LinkedIn-themed spam, but the body is a NACHA-themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.
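The header/body mismatch is itself a usable detection signal. As an added example (not code from the original post), the Python below parses a raw message with the standard `email` module, scores the From/Subject headers and the body against small per-lure keyword sets, flags the message when the two disagree, and pulls out any document filenames the body dangles in front of the reader. The keyword sets and the embedded sample message (reconstructed from the spam quoted above, with the copyright sign replaced by "(c)") are constructed for this example.

```python
import re
from email import message_from_string

# Hypothetical lure-theme keyword sets; extend per campaign you are tracking.
THEMES = {
    "linkedin": {"linkedin", "connection", "invitation", "profile"},
    "nacha": {"nacha", "ach", "transaction", "checking account",
              "rejection", "payments association"},
}

# File extensions commonly used as "report" lures (constructed list).
LURE_FILE_RE = re.compile(r"\b[\w-]+\.(?:doc|docx|xls|pdf|zip|exe|scr)\b", re.I)

# Constructed sample, based on the spam quoted in the post.
SAMPLE = """\
Date: Thu, 1 Dec 2011 17:55:30 +0900
From: "LinkedIn" <firstname.lastname@example.org>
Subject: So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction ID: 730771521612
Reason of rejection See details in the report below
Transaction Report report_730771521612.doc (Microsoft Word Document)
(c) 2011 NACHA - The Electronic Payments Association
"""


def theme_scores(text):
    """Count, per theme, how many of its keywords occur as whole words."""
    t = text.lower()
    return {
        name: sum(1 for kw in kws
                  if re.search(r"\b" + re.escape(kw) + r"\b", t))
        for name, kws in THEMES.items()
    }


def dominant_theme(text):
    """Theme with the most keyword hits, or None when nothing matched."""
    scores = theme_scores(text)
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def _body_text(msg):
    """Concatenate text/plain parts; decode transfer encoding if present."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = []
    for p in parts:
        payload = p.get_payload(decode=True) or b""
        chunks.append(payload.decode("utf-8", "replace"))
    return " ".join(chunks)


def check_theme_mismatch(raw_message):
    """Flag messages whose From/Subject lure differs from the body lure."""
    msg = message_from_string(raw_message)
    header_text = " ".join(filter(None, [msg.get("From", ""),
                                         msg.get("Subject", "")]))
    body = _body_text(msg)
    header_theme = dominant_theme(header_text)
    body_theme = dominant_theme(body)
    mismatch = (header_theme is not None and body_theme is not None
                and header_theme != body_theme)
    return {
        "header_theme": header_theme,
        "body_theme": body_theme,
        "mismatch": mismatch,
        "lure_files": LURE_FILE_RE.findall(body),
    }


if __name__ == "__main__":
    print(check_theme_mismatch(SAMPLE))
```

Whole-word matching matters here: a bare substring test for "ach" would fire on "attachment" or "reach" and drown the signal in false positives.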
The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 188.8.131.52 in Romania (I would recommend blocking the whole 184.108.40.206/24 block at least, or even 220.127.116.11/21 if you want to be on the safe side). The payload looks like a typical exploit kit.
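When widening a block from a single host to a /24 or /21, it is worth deriving the enclosing ranges from the observed IP rather than typing them by hand, and checking that a candidate range really contains the host before the rule goes live. The Python below is an added example (not from the original post) built on the standard `ipaddress` module; the host address is the one named above, the prefix lengths follow the post's /24 and /21 suggestion, and the emitted rule strings assume `iptables` syntax.

```python
import ipaddress

# Final-hop host from the post; prefix lengths follow the /24 and /21 advice.
OBSERVED_HOST = "188.8.131.52"
PREFIXES = (24, 21)


def enclosing_blocks(ip, prefixes=PREFIXES):
    """Return, for each prefix length, the network that contains ip."""
    addr = ipaddress.ip_address(ip)
    return [str(ipaddress.ip_network(f"{addr}/{p}", strict=False))
            for p in prefixes]


def block_contains(cidr, ip):
    """True when the host ip falls inside the cidr range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def block_rule(cidr, ip):
    """Emit an outbound DROP rule, refusing ranges that miss the observed host."""
    if not block_contains(cidr, ip):
        raise ValueError(f"{cidr} does not contain observed host {ip}; "
                         "re-check the range before blocking")
    net = ipaddress.ip_network(cidr, strict=False)
    return f"iptables -A OUTPUT -d {net} -j DROP"


def block_plan(ip, prefixes=PREFIXES):
    """Candidate ranges with their size, so the blast radius is visible."""
    plan = []
    for cidr in enclosing_blocks(ip, prefixes):
        net = ipaddress.ip_network(cidr)
        plan.append({"cidr": cidr,
                     "addresses": net.num_addresses,
                     "rule": block_rule(cidr, ip)})
    return plan


if __name__ == "__main__":
    for entry in block_plan(OBSERVED_HOST):
        print(f"{entry['cidr']:>18}  ({entry['addresses']:>5} addrs)  {entry['rule']}")
```

The size column is the point of `block_plan`: a /21 covers eight times the address space of a /24, and the containment check in `block_rule` stops a mistyped range from being deployed while the real host stays reachable.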