Another Spam Email Redirecting Host to Forskolin Pages

Email found in my inbox:

Clicking on the link generated the following HTTP traffic:

As you can see this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once reversed, decoded and deobfuscated you can see how the script works. For more information about these spam emails click here.

Associated SHA256s

Hybrid Analysis:
d9e24436cae6fb8215290454095989285b653a1bf50ab35a182ce2a7be92f661

VirusTotal:
8a60f6fdbddbf0cab49d6640f0298c78221fc571628d4980aab8ee7d60267c9e

Recommend blocking:
79.175.182.138 – Domains
90.156.141.35 – Domains
190.97.163.155 – Domains

Category: Spam
Tag: Forskolin Spam

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown

Leave a Comment Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Like this:

Share this:

Published by malwarebreakdown

Leave a Comment Cancel reply

Related