Another Spam Email Redirecting Host to Forskolin Pages

Email found in my inbox:

Clicking on the link generated the following HTTP traffic:


As you can see this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once reversed, decoded and deobfuscated you can see how the script works. For more information about these spam emails click here.

Associated SHA256s

Hybrid Analysis:


Recommend blocking: – Domains –  Domains – Domains

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: