Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sometimes it's just SPAM

Published: 2017-08-14
Last Updated: 2017-08-14 14:47:12 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader forwarded us a suspicious email. It contained a URL, and I downloaded the content with a method similar to what Lenny explained in this diary entry.

Here is the content of the html page:

There are several methods to deobfuscate the data in this script. If you take a close look, you will notice that each number in array plannedb is subtracted with 52 (planneda) and then converted to characters.

As I often have to do such decodings, I have a tool for this:

It can easily be used to decode the script:

Retrieving this URL reveals that this is actually a SPAM email, there is no malicious code.

I've seen before that spammers and advertisers use code obfuscation techniques similar to malware authors. Even legitimate web developers do it occasionaly to try to protect their code from being copied and reused.


Didier Stevens
Microsoft MVP

Keywords: email spam
0 comment(s)
ISC Stormcast For Monday, August 14th 2017
Diary Archives