{
	"id": "97a97723-f906-4b8d-92fa-073ffee3bb2f",
	"created_at": "2026-04-06T00:19:59.326795Z",
	"updated_at": "2026-04-10T03:20:44.739964Z",
	"deleted_at": null,
	"sha1_hash": "39c7b9ac8fb2415763d7ad52686f6793bf128ea0",
	"title": "LinkedIn information used to spread banking malware in the Netherlands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108403,
	"plain_text": "LinkedIn information used to spread banking malware in the\r\nNetherlands\r\nBy maartenvandantzigfoxit\r\nPublished: 2016-06-07 · Archived: 2026-04-05 18:10:27 UTC\r\nSince early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started\r\ndetecting a large number of phishing e-mails containing a malicious Word document. This e-mail campaign\r\nappears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of\r\nthe e-mail:\r\nGeachte FirstnameLastname,\r\nRole,Company\r\nWij schrijven u in verband met de factuur met nummer 014321463.\r\nDe nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro.\r\nVriendelijk verzoeken wij u het openstaande bedrag te betalen.\r\nBetaling graag zo spoedig mogelijk.\r\nMet vriendelijke groet,\r\nA.E. De Kuiper,\r\nBEEREJAN HOLDING BV.\r\nFaisantenstraat 53 Hilversum 1211 PT\r\nTel. +31180647000\r\nFax. +31294484970\r\nThe first name, last name, role and company name are all values that are taken from the LinkedIn page of the\r\nreceiver of the phishing mail, giving the e-mail a very personalized look.\r\nThe subject of the e-mail contains the company name, with a semi-random invoice-related subject. 
Some examples:\r\nCompany : De nota is nog niet betaald\r\nCompany – De nota is onbetaald gebleven\r\nCompany – Uw laatste factuur wacht op betaling\r\nAt this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.\r\nThe e-mail contains a Word document with a Macro.\r\nThe name of the document is also based on personal information of the receiver:\r\nCompany-Firstname-Lastname.doc\r\nThe content of the Word document appears to be scrambled; this is an attempt to trick the user into running the\r\nembedded Macro in order to view the document.\r\nThe Macro retrieves a binary from the following (likely compromised) website:\r\nledpronto.com/app/office.bin (sha256:\r\nc1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)\r\nThe Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda,\r\nin this case, always connects to the following domain \u0026 IP using SSL:\r\nskorianial.com / 107.171.187.182\r\nZeus Panda is a type of banking malware based on Zeus source code; more information can be found\r\nhere: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market\r\nThe following SSL certificate is used by the Panda Zeus Command and Control server:\r\nIf you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.\r\nSource: https://blog.fox-it.com/2016/06/07/linkedin-information-used-to-spread-banking-malware-in-the-netherlands/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.fox-it.com/2016/06/07/linkedin-information-used-to-spread-banking-malware-in-the-netherlands/"
	],
	"report_names": [
		"linkedin-information-used-to-spread-banking-malware-in-the-netherlands"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39c7b9ac8fb2415763d7ad52686f6793bf128ea0.pdf",
		"text": "https://archive.orkl.eu/39c7b9ac8fb2415763d7ad52686f6793bf128ea0.txt",
		"img": "https://archive.orkl.eu/39c7b9ac8fb2415763d7ad52686f6793bf128ea0.jpg"
	}
}