We have to check on these redirects from that site:
URLs that redirect found in:
http://spainbuddy.com/1: htxp://www.gandy-draper.com/openx/www/delivery/avw.php?zoneid=24&cb=INSERT_RANDOM_NUMBER_HERE&n=ab826f56 -> htxp://www.gandy-draper.com/openx/www/images/46c3fd36def631da4ac2480821857606.jpg
2: htxp://www.booking.com/?aid=357636&tmpl=searchbox&width=685&calendar=1& -> htxp://www.booking.com/
and this in line 07:shr.src = 'htxps://dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6';
flagged as potentially suspicious by Quttera's -> htxps://shareaholic.com")}.call(this),/*! as
dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=']] of length 344 which may point to obfuscation or shellcode.
polonus