
Spam with a malicious taste

2015-03-01 17:50

I haven’t seen a well-done, complex spam with a malicious payload in a while.

This one appears to be addressed to the first name of the email recipient. As you can see in the subject, it is addressed to “SORIN”, since my email address is sorin.mustaca@…

The spam contains a nice piece of social engineering which creates enough curiosity in the reader to open the attached archive.


The archive is called “Notice_to_appear_in_court_<random number>.zip”. The only file in the archive is an extremely obfuscated JavaScript file: Notice_to_Appear_000483082.doc.js.


First of all, I asked myself: why a ZIP with a JS in it?
ZIP is natively supported by Windows Explorer. A ZIP archive is automatically opened as a folder, and you can execute any file in it. The JS file is executed by the Windows Script Host, without any HTML page needed to interpret it. Smart, I have to agree.
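Since Explorer lets a user double-click a script straight out of the archive, the practical defence is to triage attachments before they reach the user. The following is an added example (not code from the original post): a small Python triage that reads only the ZIP central directory and flags members whose final extension the Windows Script Host runs directly (.js, .jse, .vbs, .vbe, .wsf, .wsh), members that hide a script behind a document-looking double extension such as `.doc.js`, and archives whose only member is such a script. The sample archive is constructed in memory with a harmless placeholder; nothing is extracted or executed.

```python
import io
import zipfile

# Extensions that the Windows Script Host executes directly on double-click.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Extensions a lure typically borrows to make the script look like a document.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name):
    """Return a list of findings for one archive member name.

    'Notice_to_Appear_000483082.doc.js' yields ['wsh-script', 'double-extension']:
    the final extension is a WSH script and the one before it mimics a document.
    """
    findings = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return findings
    if "." + parts[-1] in WSH_EXTENSIONS:
        findings.append("wsh-script")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double-extension")
    return findings


def triage_zip(data):
    """Inspect ZIP bytes and return {member_name: [findings]} for risky members.

    Only the central directory is read; no member is extracted or executed.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            findings = classify_member(info.filename)
            if not findings:
                continue
            # An archive that contains nothing but one script is the pattern
            # described in the post; note it as a separate finding.
            if len(members) == 1:
                findings.append("only-member-is-script")
            report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed sample, not the original attachment: a ZIP whose single
    member follows the naming scheme described in the post, with a harmless
    placeholder body instead of any payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear_000483082.doc.js", "// placeholder, no payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(findings)}")
```

In a mail gateway or sandbox pipeline, `triage_zip` would run on the raw attachment bytes and any non-empty report would quarantine the message; the extension sets are the assumptions here and should be extended to whatever your environment treats as directly executable.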

Now, there are some things which ruined my amazement at this spam after I executed it in a VM.

It doesn’t work… :-)


Apparently, due to a programming error, a function is called recursively without any end condition.

I am not a JS expert, and I also didn’t spend any time understanding and de-obfuscating the code, but from what I could see between the lines:

– it writes a piece of JS code,
– it executes it,
– once executed, it downloads a file from a URL (the URL is even better obfuscated than the rest of the code),
– it drops the file in %TEMP%, and
– probably tries to execute it.

Numerous functions assemble the obfuscated code into two global variables, which are finally written out with the document.write function.


The malicious payload

Fortunately, there are tools online which de-obfuscate, analyze and scan the content.

Let’s have a look at what antivirus software says:

Virus Total:

URL: https://www.virustotal.com/en/file/4b3be5f9b39c4d5d2bedef3c9d68e7c560e9166549a0a75e1ad3bd2b889491c9/analysis/1425228908/

File name: Notice_to_Appear_000483082.zip
Detection ratio: 6 / 57
Analysis date: 2015-03-01 16:55:08 UTC (0 minutes ago)


Interesting piece of code. I wonder which tool created that obfuscated code. It would be interesting to get it and see what it can do.


If anyone is interested in the code, I can send it to you. Just drop me a line at sorin (at) mustaca.com.

Source: itsecurity.co.uk/2015/03/spam-malicious-taste/
