This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

malicious encoded javascript in website source code

LHerzog 3 months ago

Hi,

can you decrypt this code lines seen in a recent pishing campaing hitting us?

Partially base64 encoded javascript, variables for something called spoguestaccess which makes me nervous and so on.

What does it do? Download payload? Currently not detected by Intercept-X

PS: also have a case open for this

sourcecode1.txt

sourcecode2.txt


<!DOCTYPE html>
<html>
<head>
	<title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74;</title>
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
	<meta name="robots" content "none">
	<meta name="Googlebot" content="nofollow">
	<meta name="robots" content "noindex, nofollow">
	<link rel="shortcut icon" type="icon" href="images/favicon.png">
	<link rel="stylesheet" type="text/css" href="style.css">
	<script type="text/javascript" src="js/jquery.js"></script>	
	
</head>

<body>
<script type="text/javascript">
<!--
document.write(unescape('%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6F%76%65%72%6C%61%79%22%3E%0A%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E%0A%09%09%09%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%73%2F%6D%73%2D%6C%6F%67%6F%2D%76%32%2E%6A%70%67%22%20%61%6C%74%3D%22%6C%6F%67%6F%22%3E%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%69%64%65%6E%74%69%74%79%22%20%63%6C%61%73%73%3D%22%69%64%65%6E%74%69%74%79%2D%62%61%6E%6E%65%72%22%3E'));
//-->
</script>
			
				<div id="identity-name" class="identity">
					&nbsp;&nbsp;&nbsp;<img src="images/arrow.png" alt="arrow">&nbsp;&nbsp;&nbsp;&nbsp;golllel@byom.de				</div>
				
				
			</div>

			<h2 id="title" style="color:#231E17;"><strong>&#x45;&#x6E;&#x74;&#x65;&#x72;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</strong></h2>
			<p id="message" class="message"></p>

<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%3C%64%69%76%20%69%64%3D%22%6C%6F%61%64%65%72%22%20%63%6C%61%73%73%3D%22%6C%6F%61%64%65%72%20%68%69%64%64%65%6E%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%3C%2F%64%69%76%3E'));
//-->
</script>

			<form action="submit.php" method="post">
				<input type="hidden" id="email" name="email" value="golllel@byom.de">
<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%70%6C%61%63%65%68%6F%6C%64%65%72%3D%22%50%61%73%73%77%6F%72%64%22%20%72%65%71%75%69%72%65%64%20%61%75%74%6F%66%6F%63%75%73%3E%0A%09%09%09%09%0A%09%09%09%3C%62%72%3E%0A%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%67%72%6F%75%70%32%22%3E%0A%09%09%09%09%0A%09%09%09%09%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%20%63%6C%61%73%73%3D%22%66%61%64%65%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%0A%09%09%09%3C%2F%64%69%76%3E%0A%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%73%69%67%6E%69%6E%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%73%69%67%6E%69%6E%22%20%76%61%6C%75%65%3D%22%53%69%67%6E%20%69%6E%22%3E%0A%09%09%09%3C%2F%66%6F%72%6D%3E%0A%09%09%3C%2F%64%69%76%3E%0A%09%3C%2F%64%69%76%3E%0A%0A%09%3C%66%6F%6F%74%65%72%3E%0A%09%09%3C%75%6C%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%30%3B%26%23%78%37%32%3B%26%23%78%36%39%3B%26%23%78%37%36%3B%26%23%78%36%31%3B%26%23%78%36%33%3B%26%23%78%37%39%3B%20%26%20%26%23%78%36%33%3B%26%23%78%36%46%3B%26%23%78%36%46%3B%26%23%78%36%42%3B%26%23%78%36%39%3B%26%23%78%36%35%3B%26%23%78%37%33%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%34%3B%26%23%78%36%35%3B%26%23%78%37%32%3B%26%23%78%36%44%3B%26%23%78%37%33%3B%26%23%78%32%30%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%32%30%3B%26%23%78%37%35%3B%26%23%78%37%33%3B%26%23%78%36%35%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%3E%26%63%6F%70%79%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%32%30%3B%26%23%78%34%44%3B%26%23%78%36%39%3B%26%23%78%36%33%3B%26%23%78%37%32%3B%26%23%78%36%46%3B%26%23%78%37%33%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%37%34%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%3C%2F%75%6C%3E'));
//-->
</script>
	</footer>

</body>
</html>

Regards

This thread was automatically locked due to age.

Top Replies

Sophos User930 3 months ago +1 verified

The document.write sections are just parts of the web page. I guess to obfuscate the form. E.g.

document.write 1

<div class="overlay">
<div class="login-box">
<img src="images…

0 LHerzog 3 months ago

I think sourcecode1 is the more interesting file. Don't know why sourcecode 2 is automatically extended here.
Cancel
Up 0 Down

Cancel
+1 Sophos User930 3 months ago

The document.write sections are just parts of the web page. I guess to obfuscate the form. E.g.

document.write 1

<div class="overlay">
<div class="login-box">
<img src="images/ms-logo-v2.jpg" alt="logo">
<div id="identity" class="identity-banner">"

document.write 2

<div id="loader" class="loader hidden">
<div class="circle"></div>
<div class="circle"></div>
<div class="circle"></div>
<div class="circle"></div>
<div class="circle"></div>
</div>

document.write 3

<input id="password" type="password" name="password" placeholder="Password" required autofocus>

<br>

<div id="group2">

<small id="fps"><a href="#" class="fade">Forgot my password</a></small>
<br>
<br>
<br>

</div>
<input id="signin" type="submit" name="signin" value="Sign in">

</form>
</div>
</div>

<footer>
<ul>
<li><a href="#">Privacy & cookies</a></li>
<li><a href="#">Terms of use</a></li>
<li><a>©2020 Microsoft</a></li>
</ul>

==

You can put these all together to get an idea of the page.
Cancel
Up +1 Down

Cancel
0 Sophos User930 3 months ago in reply to Sophos User930

I suppose going a little further, the other "strings" are:

The title:
Sign in to your account = "Sign in to your account"

Enter password = Enter password

Forgot my password = Forgot my password

Privacy & cookies = Privacy & cookies

Terms of us&#x65 = Terms of use

©2020 Microsoft = ©2020 Microsoft
Cancel
Up 0 Down

Cancel
0 LHerzog 3 months ago in reply to Sophos User930

Thank's a lot Sophos User930 for your time and efford checking the code lines. So does'nt look too bad. I guess there was no hidden downloader on those pages.
Cancel
Up 0 Down

Cancel