Hi,
can you decrypt these code lines seen in a recent phishing campaign hitting us?
Partially base64 encoded javascript, variables for something called spoguestaccess which makes me nervous and so on.
What does it do? Download payload? Currently not detected by Intercept-X
PS: also have a case open for this
sourcecode1.txt
<!DOCTYPE html> <html> <head> <title>Sign in to your account</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"> <meta name="robots" content "none"> <meta name="Googlebot" content="nofollow"> <meta name="robots" content "noindex, nofollow"> <link rel="shortcut icon" type="icon" href="images/favicon.png"> <link rel="stylesheet" type="text/css" href="style.css"> <script type="text/javascript" src="js/jquery.js"></script> </head> <body> <script type="text/javascript"> <!-- document.write(unescape('%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6F%76%65%72%6C%61%79%22%3E%0A%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E%0A%09%09%09%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%73%2F%6D%73%2D%6C%6F%67%6F%2D%76%32%2E%6A%70%67%22%20%61%6C%74%3D%22%6C%6F%67%6F%22%3E%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%69%64%65%6E%74%69%74%79%22%20%63%6C%61%73%73%3D%22%69%64%65%6E%74%69%74%79%2D%62%61%6E%6E%65%72%22%3E')); //--> </script> <div id="identity-name" class="identity"> <img src="images/arrow.png" alt="arrow"> golllel@byom.de </div> </div> <h2 id="title" style="color:#231E17;"><strong>Enter password</strong></h2> <p id="message" class="message"></p> <script type="text/javascript"> <!-- document.write(unescape('%09%09%09%3C%64%69%76%20%69%64%3D%22%6C%6F%61%64%65%72%22%20%63%6C%61%73%73%3D%22%6C%6F%61%64%65%72%20%68%69%64%64%65%6E%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%3C%2F%64%69%76%3E')); //--> </script> <form action="submit.php" 
method="post"> <input type="hidden" id="email" name="email" value="golllel@byom.de"> <script type="text/javascript"> <!-- document.write(unescape('%09%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%70%6C%61%63%65%68%6F%6C%64%65%72%3D%22%50%61%73%73%77%6F%72%64%22%20%72%65%71%75%69%72%65%64%20%61%75%74%6F%66%6F%63%75%73%3E%0A%09%09%09%09%0A%09%09%09%3C%62%72%3E%0A%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%67%72%6F%75%70%32%22%3E%0A%09%09%09%09%0A%09%09%09%09%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%20%63%6C%61%73%73%3D%22%66%61%64%65%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%0A%09%09%09%3C%2F%64%69%76%3E%0A%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%73%69%67%6E%69%6E%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%73%69%67%6E%69%6E%22%20%76%61%6C%75%65%3D%22%53%69%67%6E%20%69%6E%22%3E%0A%09%09%09%3C%2F%66%6F%72%6D%3E%0A%09%09%3C%2F%64%69%76%3E%0A%09%3C%2F%64%69%76%3E%0A%0A%09%3C%66%6F%6F%74%65%72%3E%0A%09%09%3C%75%6C%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%30%3B%26%23%78%37%32%3B%26%23%78%36%39%3B%26%23%78%37%36%3B%26%23%78%36%31%3B%26%23%78%36%33%3B%26%23%78%37%39%3B%20%26%20%26%23%78%36%33%3B%26%23%78%36%46%3B%26%23%78%36%46%3B%26%23%78%36%42%3B%26%23%78%36%39%3B%26%23%78%36%35%3B%26%23%78%37%33%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%34%3B%26%23%78%36%35%3B%26%23%78%37%32%3B%26%23%78%36%4
4%3B%26%23%78%37%33%3B%26%23%78%32%30%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%32%30%3B%26%23%78%37%35%3B%26%23%78%37%33%3B%26%23%78%36%35%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%3E%26%63%6F%70%79%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%32%30%3B%26%23%78%34%44%3B%26%23%78%36%39%3B%26%23%78%36%33%3B%26%23%78%37%32%3B%26%23%78%36%46%3B%26%23%78%37%33%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%37%34%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%3C%2F%75%6C%3E')); //--> </script> </footer> </body> </html>
Regards
The document.write sections are just parts of the web page. I guess to obfuscate the form. E.g.
document.write 1<div class="overlay"> <div class="login-box"> <img src="images…
I think sourcecode1 is the more interesting file. Don't know why sourcecode 2 is automatically extended here.
document.write 1
<div class="overlay"> <div class="login-box"> <img src="images/ms-logo-v2.jpg" alt="logo"> <div id="identity" class="identity-banner">
document.write 2
<div id="loader" class="loader hidden"> <div class="circle"></div> <div class="circle"></div> <div class="circle"></div> <div class="circle"></div> <div class="circle"></div> </div>
document.write 3
<input id="password" type="password" name="password" placeholder="Password" required autofocus> <br>
<div id="group2"> <small id="fps"><a href="#" class="fade">Forgot my password</a></small> <br> <br> <br> </div> <input id="signin" type="submit" name="signin" value="Sign in">
</form> </div> </div>
<footer> <ul> <li><a href="#">Privacy & cookies</a></li> <li><a href="#">Terms of use</a></li> <li><a>©2020 Microsoft</a></li> </ul>
==
You can put these all together to get an idea of the page.
I suppose going a little further, the other "strings" are:
The title: Sign in to your account = "Sign in to your account"
Enter password = Enter password
Forgot my password = Forgot my password
Privacy & cookies = Privacy & cookies
Terms of use = Terms of use
©2020 Microsoft = ©2020 Microsoft
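To do the decoding above mechanically rather than by hand (added example, not code from this thread; the sample fragment and the victim@example.invalid address are constructed to mirror the page's structure): the first layer is document.write(unescape(...)) percent-encoding, the second is &#xNN; character entities, and once both are undone the form's action and the pre-filled hidden e-mail field are the parts worth triaging.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample modelled on the thread's page (not the full sourcecode1.txt): one
# document.write(unescape('...')) script, a POST form with a pre-filled hidden e-mail,
# and a link whose text is hidden behind &#xNN; entities.
SAMPLE_PAGE = (
    '<script type="text/javascript"> <!-- document.write(unescape('
    "'%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E'"
    ")); //--> </script>"
    '<form action="submit.php" method="post">'
    '<input type="hidden" id="email" name="email" value="victim@example.invalid">'
    '<a href="#">&#x46;&#x6F;&#x72;&#x67;&#x6F;&#x74;&#x20;&#x6D;&#x79;&#x20;'
    "&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</a></form></div>"
)

# A <script> whose only job is to emit percent-encoded markup via document.write.
WRITE_RE = re.compile(
    r"<script[^>]*>\s*(?:<!--\s*)?document\.write\(unescape\('([^']*)'\)\);?"
    r"\s*(?://-->\s*)?</script>", re.S)

def inline_document_writes(src):
    """Emit the markup each script would write; urllib's unquote matches JS unescape() for %XX."""
    return WRITE_RE.sub(lambda m: unquote(m.group(1)), src)

def decode_page(src):
    """Strip both layers: percent-encoding first, then &#xNN; character entities."""
    return html.unescape(inline_document_writes(src))

def form_targets(decoded):
    """(action, method) of every form: where a typed password would be posted."""
    out = []
    for attrs in re.findall(r"<form\b([^>]*)>", decoded, re.I):
        action = re.search(r'action="([^"]*)"', attrs, re.I)
        method = re.search(r'method="([^"]*)"', attrs, re.I)
        out.append((action.group(1) if action else "",
                    method.group(1).lower() if method else "get"))
    return out

def hidden_inputs(decoded):
    """name -> value of hidden inputs; a pre-filled e-mail means the lure was personalised."""
    found = {}
    for tag in re.findall(r'<input\b[^>]*type="hidden"[^>]*>', decoded, re.I):
        name = re.search(r'name="([^"]*)"', tag, re.I)
        value = re.search(r'value="([^"]*)"', tag, re.I)
        if name:
            found[name.group(1)] = value.group(1) if value else ""
    return found
```

Run decode_page over the real sourcecode1.txt and the output is the plain login form the reply reconstructed by hand; form_targets shows credentials go to the relative submit.php on the phishing host, which is the indicator to block and hunt for in proxy logs.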
Thanks a lot Sophos User930 for your time and effort checking the code lines. So it doesn't look too bad. I guess there was no hidden downloader on those pages.