“CHRISTMAS OFFERS.docx” virus e-mail

An email was sent today to one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”

It has a Word attachment, “CHRISTMAS OFFERS.doc”, containing a macro downloader.

VirusTotal Report

SHA256 211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c

When the Word document is opened and macros are enabled, it downloads:

http://jasoncurtis.co.uk/js/bin.exe – VirusTotal Report / Malwr Report not yet processed.
SHA256 de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773
The site seems to be a hacked site running from Heart Internet hosting.

The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from (rdns of “u15862612.onlinehome-server.com”)

Net Range –

It then injects its process into explorer.exe and connects to: (rdns of “mail.expertmail106.co.uk”)

Name Cheap Windows VPS


inetnum: –
netname: FOZZY
descr: Fozzy Inc.

among other URLs.
