hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)
It looks like the the aforementioned webpage is infected with a redirect to download suspect files
Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations.
hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/
The analysis of the files on hybrid analysis does confirm that these are malicious files
https://www.hybrid-analysis.com/sample/e8d2f149de58eb45b398a84d6d27d568ab1d239584edcb55531fe11da2f9c51b?environmentId=100
Once the executable file is on the host machine, it then attempts to call out to the following
173.230.137.155
206.214.220.79
Upon further analysis we have another file which has been downloaded from the following location
hxxp://matchpointpro.com/lDu52756eeJMW/
https://www.virustotal.com/en/file/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3/analysis/1492020556/
https://www.hybrid-analysis.com/sample/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3?environmentId=100
I revisited the links later in the day and have a bit more details, we can see they are still serving executable files. Chrome is now blocking and suggesting these files are malicious, and also so is internet explorer. I have not tried them on firefox at this time.
GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary
GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1
Still in the process of building my Analysis Lab, so this is not quite how I would like to post, but some information is better than none.