For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;
1. Site A
2. 4 x MITMs
5. Exploit site
In this case;
Presumably, this is an effort at redundancy, to ensure it still delivers when one of the MITMs is down.
Annoyingly, the initial script on main.php is still easy to decode, comment out the following;
Pop it into Malzilla, and voila - it decodes itself, saving us a world of time.
Given we already know what the Blackhole exploit itself already does, you'll likely want to skip straight to the payload URL itself, in which case, locate the first line containing;
Then simply combine the number in the f var, with;
In this case, f was 59, so the URL was;
Which produced this lovely little beast (no surprises as to what it is of course);
Malwarebytes users will be pleased to know, the 180KB of badness is detected as Trojan.FakeCC.
The e-mail itself originated from 18.104.22.168 ( AS34841 BALCHIKNET Lafy EOOD - AS51582 DCC-BG Cifrova Kabelna Korporacia EOOD).