Is this generic malware now mitigated?

Initial detection: https://www.maltiverse.com/sample/a788349bf237270012c25ba2264a0b01e97eb6d4d91d860c59ddc2d42259e7b9
Redirecting: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=dXl5XXNdZi50fXlie3N0cy5zdWA%3D~enc
28 hints: https://webhint.io/scanner/03483065-746e-48c0-a6b3-0d31d88fa822
On IP detection: https://www.hybrid-analysis.com/sample/12c5b1b5c08ef95c087034a4b56a0480ba5ce6302ae235488235324618002a88?environmentId=100
blocked IP as in generic reputation blocklist: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/alienvault_reputation.ipset (Firehol driven).

polonus

Another example: lib.js malware abuse.

See: https://www.virustotal.com/#/url/c80943325f4eba0eccdd706518d850fcb863e8cdd8aa0a4bbd4aa3601b27139e/detection
Where we stumbled upon this - https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Zy1wfHouXl1tYF5nWy1iW25gXXV0bFtua2BddXRsW25rLl5nWzxuPVl8SF1dJTIxJTIwSnxQfE4mbD1odHRwOmBgd3d3LiNdbiN8YnxsLl5dLmt9~enc
coming from: -http://www.nunubee.com as with malware - https://urlquery.net/report/5cc9758f-9c9c-40e3-bbe4-bfe9d384948c
obfuscated js script malware: https://sitecheck.sucuri.net/results/www.nunubee.com
This was being used on there: http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx
de-obfuscated we get: http://ddecode.com/hexdecoder/?results=b44ef8331887c77d7dd943d86059e49a

But less on file detection: https://www.virustotal.com/#/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection

polonus (volunteer website security analyst and website error-hunter)

Interesting resource: https://urlhaus.abuse.ch/url/83692/
See: (latest) https://www.virustotal.com/pl/file/476e35caadd55a53100f89e75336e1ff42f3084351440abf6b14878bc30aff96/analysis/
from: https://urlquery.net/report/821caac1-65b9-45c2-a4e7-5a4b171eba0f
Avast flags it as Win32:Malware-gen

polonus