It’s been quite a while I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.
Email Analysis :
- sender : Woodard.email@example.com
- IP – extracted from the header : 126.96.36.199 – 602ad0ccae26.softphone.blizoo.bg – Blugaria
- Sender does not know my name so addressed me with my email id – Chances of using a phishing tool – sending random phishing emails.
- No mention of the organisation Mr Royce is representing – Likely sunshinecare – but no mention in signature. Sunshhine care is and provides health and social care services in UK.
- Zip file with my email id : myemailid_addition_028146
- only see eveal : eval(aZRcdUoP1.split(”).reverse().join(”));
- aZRcdUoP1 is only defined variable however it is commented out.
- Function aZRcdUoP1.split is not defined at all.
There is no other html files in the attachment that references the script. Uploaded the file to VirusTotal and results were interesting – 22 vendors identified as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/
File was also analysed using jsdetox and jsunpack and nothing was detected. It is likely that same filename was analysed previously via VirusTotal which has links or IOC’s as detected by vendors.Below are the file details:
- MD5: ee427a22d3a6e25251bbfb7bc3823140
- SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
- SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e
JS was not able to execute as by default windows script host can only execute script with less than or equal to 1022 characters. You can always change it but the solution is beyond this article.
The email address and language is quite good but malware/js is quite old and not properly scripted. Attachment is zip and with only one js. also, the malware is widely known.
- Endpoint protections – normally all corporate organiations has it
- Email gateway tuning – must be properly tuned to make sure these type of emails are considered spam – mostly all properly tuned will do so – mentioned email/IP can be updated on the security devices.