Date: Thu, 1 Feb 2012 13:05:58 +0100
Subject: Rejected ACH payment
The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.
Transaction ID: 424339813641
Reason for rejection: See details in the report below
Transaction Report: report_424339813641.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
The link redirects through a couple of hacked legitimate sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 18.104.22.168 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 22.214.171.124 (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently, and it may not be the last.