Email sent today to one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”, with a Word attachment “CHRISTMAS OFFERS.doc” containing a macro downloader.
When the Word document is opened and macros are enabled, it downloads:
http://jasoncurtis.co.uk/js/bin.exe – VirusTotal report / Malwr report: not yet processed.
The site appears to be a hacked legitimate site hosted at Heart Internet.
The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from
http://18.104.22.168/ (rDNS “u15862612.onlinehome-server.com”)
Net range: 22.214.171.124 – 126.96.36.199
It then injects itself into explorer.exe and connects to:
http://188.8.131.52/SH%2D/WyxpFK%2BE/nBa%24z%24& (rDNS “mail.expertmail106.co.uk”)
Namecheap Windows VPS
inetnum: 184.108.40.206 – 220.127.116.11
descr: Fozzy Inc.
among other URLs.