Wednesday, 28 October 2015

Obfuscated javascript

You have a new fax!

You can find your fax document in the attachment.

Scan quality:        500 DPI
Filesize:            244 Kb
Pages:               8
From:                Kent Mcgowan
Scanned at:          Wed, 28 Oct 2015 16:43:48 +0300
Processed in:        17 seconds
File name:           scanned-00657347.doc

Thank you for using Interfax!

SHA256: 090959443bafe2d1c4259640d3de5eb175118f291699f8e2e0d3b4bb018d7560

The attachment was a zip file called scanned-00657347.zi . Inside the zip file was a file named scanned-00657347.doc.js. This is, of course, JavaScript, and when I looked at it, it was obfuscated.

Double extensions are a common trick. Windows, by default, doesn't show you the extension of a known file type. So when Windows shows you the name of the file scanned-00657347.doc.js it hides the .js, and what you see is scanned-00657347.doc.
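As an added example (not the blog author's code), here is a small Python check that a mail gateway or an analyst's triage script could run over an attachment's zip listing, without extracting anything, to flag members whose real extension is hidden behind a document-looking one, the way Explorer's default setting hides the .js here. The extension lists and the sample zip are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked (constructed list, not exhaustive).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Document-looking extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def split_exts(name):
    """'dir/scanned-00657347.doc.js' -> ('scanned-00657347', ['.doc', '.js'])."""
    base = name.rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return base, []
    return parts[0], ["." + p.lower() for p in parts[1:]]

def windows_display_name(name):
    """Mimic Explorer's default 'Hide extensions for known file types': drop the last extension."""
    stem, exts = split_exts(name)
    if not exts:
        return name.rsplit("/", 1)[-1]
    return stem + "".join(exts[:-1])

def is_double_extension_lure(name):
    """True when the real (last) extension executes and the one before it looks like a document."""
    _, exts = split_exts(name)
    return len(exts) >= 2 and exts[-1] in SCRIPT_EXTS and exts[-2] in DECOY_EXTS

def suspicious_members(zip_bytes):
    """Walk the central directory only; return (member, what Explorer shows, real extension)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_double_extension_lure(info.filename):
                continue
            real_ext = split_exts(info.filename)[1][-1]
            findings.append((info.filename, windows_display_name(info.filename), real_ext))
    return findings

def build_sample_zip():
    """Constructed sample attachment (not the real malware): one lure plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scanned-00657347.doc.js", "// placeholder body, not the real script\n")
        zf.writestr("readme.txt", "nothing to see\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, shown, real in suspicious_members(build_sample_zip()):
        print(f"{member}: Explorer shows '{shown}', but it really runs as {real}")
```

A single-extension script such as plain file.js is deliberately not flagged by this check; it only catches the decoy-plus-executable pattern described above.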

The date/time of the file inside the zip is about one hour ago, so it's pretty fresh! And I was the first person to upload it to Virustotal. I claim First to Find!!! That's a geocaching joke.

18/55 products flagged it, 37 didn't. I unzipped the file, and scanned that. Now, only 15 products flagged it, 40 didn't. Clearly, from this and other instances, it makes a difference to the detection capability of a product, whether it is zipped or not. You'd think it might be slightly more difficult to detect when zipped (because the product has to unzip it first, although that's pretty easy). But the reverse seems to be true - I'm seeing better detection when the file is zipped!

The SHA for the unzipped file is

SHA256: 017bbfe2f2ff7f8aca150e8622386239f1930e20b6efeb7e94971a7aa71d52bd
