An email sent today to one of my spam trap addresses, from “Jayne <Jayne@route2fitness.co.uk>”,
with a Word attachment “CHRISTMAS OFFERS.doc” containing a macro downloader.
When the Word document is opened and macros are enabled, it downloads:
http://jasoncurtis.co.uk/js/bin.exe – VirusTotal Report / Malwr Report not yet processed.
The site appears to be a compromised site hosted on Heart Internet.
The downloaded file (saved as 1V2MUY2XWYSFXQ.exe) then downloads a further payload from
http://126.96.36.199/ (rDNS “u15862612.onlinehome-server.com”)
Net range: 188.8.131.52 – 184.108.40.206
It then injects itself into explorer.exe and connects to, among other URLs:
http://220.127.116.11/SH%2D/WyxpFK%2BE/nBa%24z%24& (rDNS “mail.expertmail106.co.uk”)
Namecheap Windows VPS
inetnum: 18.104.22.168 – 22.214.171.124
descr: Fozzy Inc.
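The chain above (Word spawns a randomly named .exe from a temp folder, that .exe fetches a second stage, injects into explorer.exe, and the injected explorer.exe beacons out) is exactly what endpoint telemetry can be correlated on. The following is an added example, not code from the original post: it runs a few simple rules over constructed Sysmon-style events. The event field names, the PIDs, the file paths and the 192.0.2.x addresses (TEST-NET-1, standing in for the post's indicators) are all assumptions of the example.

```python
"""Detect a Word macro-downloader chain in Sysmon-style process telemetry.

Added example, not code from the original post. Event IDs follow Sysmon
conventions (1 = process create, 3 = network connect, 8 = CreateRemoteThread);
the dict field names, PIDs, paths and 192.0.2.x addresses are assumptions.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
# Locations a macro can write to without elevation.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Downloads|Public)\\", re.I)
# 1V2MUY2XWYSFXQ.exe-style names: a long run of upper-case letters and digits.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{10,}\.exe$")

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\1V2MUY2XWYSFXQ.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample telemetry (not real logs), in the order it would be logged.
EVENTS = [
    {"id": 3, "pid": 800, "image": EXPLORER, "dst_ip": "192.0.2.1", "dst_port": 443},  # benign, before injection
    {"id": 1, "pid": 3000, "ppid": 800, "image": CHROME, "parent_image": EXPLORER},     # benign launch
    {"id": 1, "pid": 1200, "ppid": 800, "image": WINWORD, "parent_image": EXPLORER},
    {"id": 1, "pid": 2444, "ppid": 1200, "image": DROPPED, "parent_image": WINWORD},
    {"id": 3, "pid": 2444, "image": DROPPED, "dst_ip": "192.0.2.10", "dst_port": 80},
    {"id": 8, "source_pid": 2444, "source_image": DROPPED, "target_pid": 800, "target_image": EXPLORER},
    {"id": 3, "pid": 800, "image": EXPLORER, "dst_ip": "192.0.2.20", "dst_port": 80},
    {"id": 3, "pid": 3000, "image": CHROME, "dst_ip": "192.0.2.1", "dst_port": 443},   # benign
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def detect_macro_chain(events):
    """Return the suspicious stages observed, each tagged with the PID involved.

    State is keyed by PID, so later stages only fire for processes already tied
    back to the Office parent: explorer.exe's own traffic is ignored until a
    flagged process has injected into it.
    """
    alerts = []
    droppers = {}  # pid -> image of executables spawned by an Office app
    injected = {}  # target pid -> image of the process that injected into it
    for ev in events:
        if ev["id"] == 1 and basename(ev["parent_image"]).lower() in OFFICE_APPS:
            image = ev["image"]
            if not image.lower().endswith(".exe"):
                continue
            hints = []
            if USER_WRITABLE.search(image):
                hints.append("user-writable path")
            if RANDOM_NAME.match(basename(image)):
                hints.append("random-looking name")
            droppers[ev["pid"]] = image
            detail = f"{basename(ev['parent_image'])} spawned {basename(image)}"
            if hints:
                detail += f" ({', '.join(hints)})"
            alerts.append({"stage": "drop", "pid": ev["pid"], "detail": detail})
        elif ev["id"] == 3:
            pid = ev["pid"]
            dst = f"{ev['dst_ip']}:{ev['dst_port']}"
            if pid in droppers:
                alerts.append({"stage": "stage2-download", "pid": pid,
                               "detail": f"{basename(droppers[pid])} -> {dst}"})
            elif pid in injected:
                alerts.append({"stage": "c2-beacon", "pid": pid,
                               "detail": f"{basename(ev['image'])} (injected by "
                                         f"{basename(injected[pid])}) -> {dst}"})
        elif ev["id"] == 8:
            if ev["source_pid"] in droppers and basename(ev["target_image"]).lower() in INJECTION_TARGETS:
                injected[ev["target_pid"]] = ev["source_image"]
                alerts.append({"stage": "inject", "pid": ev["source_pid"],
                               "detail": f"{basename(ev['source_image'])} -> "
                                         f"{basename(ev['target_image'])} (pid {ev['target_pid']})"})
    return alerts


CHAIN = ("drop", "stage2-download", "inject", "c2-beacon")


def chain_complete(alerts):
    """True when every stage of CHAIN appears in the alerts, in order."""
    want = iter(CHAIN)
    nxt = next(want)
    for a in alerts:
        if a["stage"] == nxt:
            nxt = next(want, None)
            if nxt is None:
                return True
    return False


def c2_addresses(alerts):
    """Destination ip:port of every beacon sent from an injected process."""
    return sorted(a["detail"].rsplit(" -> ", 1)[-1] for a in alerts if a["stage"] == "c2-beacon")


if __name__ == "__main__":
    found = detect_macro_chain(EVENTS)
    for a in found:
        print(f"[{a['stage']:16}] pid {a['pid']}: {a['detail']}")
    print("full chain:", chain_complete(found), "C2:", c2_addresses(found))
```

The point of keying on PID rather than on image names is the last stage: a connection from explorer.exe is unremarkable on its own, and it is only the earlier CreateRemoteThread from a Word-spawned process that turns it into a C2 beacon worth alerting on. A real deployment would also want to hash the dropped file and add the destination hosts to a blocklist, which the constructed events here do not carry.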