Clicking on the link generated the following HTTP traffic:
As you can see, this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once it is reversed, decoded and deobfuscated, you can see how the script works. For more information about these spam emails click here.
220.127.116.11 – Domains
18.104.22.168 – Domains
22.214.171.124 – Domains
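The post does not say which encoding the redirect script uses, so the following added example (not the author's code) assumes common ones: it pulls long string literals out of a saved page, tries base64, hex and percent-decoding on each literal both as-is and reversed, and keeps only results that read like script. The function names and the sample page are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Long quoted string literals are the usual carrier for an encoded payload.
LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/=%]{24,})\1""")
# Tokens suggesting the decoded text is script rather than noise.
SCRIPT_HINTS = ("document.", "window.", "location", "function", "eval(", "var ")


def _b64(s):
    return base64.b64decode(s, validate=True).decode("utf-8")


def _hex(s):
    return bytes.fromhex(s).decode("utf-8")


def _pct(s):
    out = unquote(s, errors="strict")
    if out == s:
        raise ValueError("no percent escapes")
    return out


# Assumed candidate encodings; the page itself names none.
DECODERS = {"base64": _b64, "hex": _hex, "percent": _pct}


def recover_layers(script_text):
    """Return (order, encoding, plaintext) for each literal that decodes to script-like text."""
    hits = []
    for _, literal in LITERAL.findall(script_text):
        for order, candidate in (("as-is", literal), ("reversed", literal[::-1])):
            for name, decode in DECODERS.items():
                try:
                    text = decode(candidate)
                except ValueError:  # also covers binascii.Error and UnicodeDecodeError
                    continue
                if text.isprintable() and any(h in text for h in SCRIPT_HINTS):
                    hits.append((order, name, text))
    return hits


# Constructed sample: a harmless statement, base64-encoded and then reversed.
_PLAIN = 'var note = "constructed sample";'
SAMPLE_PAGE = "<script>var p='%s';</script>" % base64.b64encode(_PLAIN.encode()).decode()[::-1]

if __name__ == "__main__":
    for order, name, text in recover_layers(SAMPLE_PAGE):
        print(order, name, text)
```

The decoded text is only returned as a string and never executed, so the helper can be run over a saved copy of a redirect page during triage.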