Date: Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From: "Moneygram Inc." [email@example.com]
Subject: Payment notification email
Revenues notification emailPayload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html and some intermediate scripts.
This is an automated email - please do not reply!
You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.
Transaction sum: 110 USD
Transaction date: 2013/08/02
View the details of this transaction online
Thank you for using MoneyGram services!
MoneyGram ® 2013
More analysis later..
OK, I have a little more time to look at this. Here is the screenshot:
ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
These scripts use a ".txt" extenstion, presumably to fool AV scanners.
[donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 126.96.36.199 (Nuclear Fallout Enterprises, US).
The domain in question is a hijacked GoDaddy domain.The payload is hardened against analysis. There will almost definitely be other hijacked domains hosted on this server, blocking access to it might be a good idea.