It’s been quite a while I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.
Email Analysis :
- sender : Woodard.52@sunshine-yorkshire.co.uk
- IP – extracted from the header : 130.204.206.58 – 602ad0ccae26.softphone.blizoo.bg – Blugaria
- Sender does not know my name so addressed me with my email id – Chances of using a phishing tool – sending random phishing emails.
- No mention of the organisation Mr Royce is representing – Likely sunshinecare – but no mention in signature. Sunshhine care is and provides health and social care services in UK.
Attachment:
- Zip file with my email id : myemailid_addition_028146
- Contains javascript : addition-7866.js
Javascript analysis:
- Javascript seems to be incomplete and functions are not properly defined
- only see eveal : eval(aZRcdUoP1.split(”).reverse().join(”));
- aZRcdUoP1 is only defined variable however it is commented out.
- Function aZRcdUoP1.split is not defined at all.
There is no other html files in the attachment that references the script. Uploaded the file to VirusTotal and results were interesting – 22 vendors identified as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/
File was also analysed using jsdetox and jsunpack and nothing was detected. It is likely that same filename was analysed previously via VirusTotal which has links or IOC’s as detected by vendors.Below are the file details:
- MD5: ee427a22d3a6e25251bbfb7bc3823140
- SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
- SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e
JS was not able to execute as by default windows script host can only execute script with less than or equal to 1022 characters. You can always change it but the solution is beyond this article.
Final words:
The email address and language is quite good but malware/js is quite old and not properly scripted. Attachment is zip and with only one js. also, the malware is widely known.
Security Controls:
- Endpoint protections – normally all corporate organiations has it
- Changing file extensions – If for some reasons endpoints are not updated or not available on the system, a good way to make sure foreign files do not execute on the system, one can change their default application – for example an .js file on the system can be opened in notepad – can change from group policies. This will make sure any foreign/malicious javascript that managed to get into the system will open as text file which will not infect the system and notify user of a file which should not be there.
- Email gateway tuning – must be properly tuned to make sure these type of emails are considered spam – mostly all properly tuned will do so – mentioned email/IP can be updated on the security devices.
