Email sent today to one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”, with a Word attachment “CHRISTMAS OFFERS.doc” containing a macro downloader.
When the Word document is opened and macros are enabled, it downloads:
http://jasoncurtis.co.uk/js/bin.exe – VirusTotal report / Malwr report (not yet processed at the time of writing).
The site appears to be a hacked site hosted at Heart Internet.
The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from:
http://184.108.40.206/ (rDNS “u15862612.onlinehome-server.com”)
Net range: 220.127.116.11 – 18.104.22.168
It then injects into explorer.exe and connects to the following, among other URLs:
http://22.214.171.124/SH%2D/WyxpFK%2BE/nBa%24z%24& (rDNS “mail.expertmail106.co.uk”)
Namecheap Windows VPS
inetnum: 126.96.36.199 – 188.8.131.52
descr: Fozzy Inc.
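The chain above gives a defender two things to look for: the specific download and callback URLs, and the behaviour of explorer.exe making outbound HTTP requests after the injection. The following is an added example, not code from the original post, of a small proxy/endpoint log scanner that does both. It uses only the indicators quoted in the post; the log format (timestamp, client IP, process name, method, URL, status) and the log lines themselves are constructed for the example. Callback paths are percent-decoded before comparison so that an encoded and a decoded form of the same URL both match.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators as reported in the post above.
STAGE1_URL = "http://jasoncurtis.co.uk/js/bin.exe"
STAGE2_HOST = "184.108.40.206"
C2_URL = "http://22.214.171.124/SH%2D/WyxpFK%2BE/nBa%24z%24&"

EXPLORER_RULE = "explorer.exe made an outbound HTTP request"


def _key(url):
    """Normalise a URL to (lower-cased host, percent-decoded path)."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), unquote(parts.path)


# Host+path indicators; a None path means "any request to this host".
INDICATORS = {
    _key(STAGE1_URL): "stage-1 payload download (bin.exe)",
    (STAGE2_HOST, None): "stage-2 download host",
    _key(C2_URL): "post-injection callback URL",
}

# Constructed log format (an assumption for this example):
#   <timestamp> <client-ip> <process> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) "
    r"(?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(url):
    """Return the indicator label for a URL, or None if it is not listed."""
    host, path = _key(url)
    if (host, path) in INDICATORS:
        return INDICATORS[(host, path)]
    if (host, None) in INDICATORS:
        return INDICATORS[(host, None)]
    return None


def scan(lines):
    """Return one hit record per log line that matches an IoC or the behaviour rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        reasons = []
        label = classify(m.group("url"))
        if label:
            reasons.append(label)
        # Behavioural rule: explorer.exe normally has no reason to talk HTTP
        # to arbitrary hosts; after the injection described above it does.
        if m.group("proc").lower() == "explorer.exe":
            reasons.append(EXPLORER_RULE)
        if reasons:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "process": m.group("proc"),
                "url": m.group("url"),
                "reasons": reasons,
            })
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2014-12-11T10:02:15Z 10.0.0.23 WINWORD.EXE GET http://jasoncurtis.co.uk/js/bin.exe 200",
    "2014-12-11T10:02:40Z 10.0.0.23 1V2MUY2XWYSFXQ.exe GET http://184.108.40.206/ 200",
    "2014-12-11T10:03:05Z 10.0.0.23 explorer.exe GET http://22.214.171.124/SH-/WyxpFK+E/nBa$z$& 200",
    "2014-12-11T10:03:30Z 10.0.0.42 chrome.exe GET http://www.example.com/index.html 200",
    "2014-12-11T10:04:00Z 10.0.0.23 explorer.exe GET http://www.example.com/update 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["process"], "->", "; ".join(hit["reasons"]))
```

The third sample line carries the callback path in decoded form and still matches the encoded URL from the post, which is the point of normalising before lookup. The last line matches on behaviour alone: no listed indicator, but explorer.exe initiating the request is itself worth an alert on a host that has just opened the attachment.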