Today we analyze a malicious HTML document that claims the user must download a compatibility plugin in order to view a UPS receipt. This document employs several layers of HTML, JavaScript, and executable obfuscation.
Filename: UPS-Receipt-008533234.doc.html
MD5: 762B0F20C80995D3AC8A66716011C156
Sample: Download via Malwr
Video Walkthrough
Details
Opening the HTML document reveals a phishing message claiming that we must download a "compatibility plugin" in order to view the UPS receipt in Office 365.
Inspecting the HTML document reveals that all components are included in the file via Base64 encoding. It does not rely on any external pictures or resources for the initial render.
Clicking the download button triggers a ZIP download contained within the base HTML. Inside the ZIP is a JavaScript file with a name leading the user to believe it is an Office 365 plugin.
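The two traits described above, a payload carried entirely inside the HTML as base64 and a ZIP whose only member is a script with a decoy double extension, are easy to triage without opening the page in a browser. The following is an added example (not code from the original post): it scans an HTML file for long base64 runs, decodes any that turn out to be ZIP archives, and flags members that Windows Script Host would execute. The sample HTML, its ZIP, and the entry name are constructed for the demo and are not the original sample's contents.

```python
import base64
import io
import re
import zipfile

# A base64 run this long is an embedded file, not an inline icon or token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
# Extensions Windows Script Host or mshta run on double-click; an ".exe.js"
# name hides the real one behind a decoy when extensions are hidden.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

def find_embedded_zips(html):
    """Return the member-name list of every base64-embedded ZIP in html."""
    found = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        if not data.startswith(b"PK\x03\x04"):  # ZIP local file header
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found.append(zf.namelist())
    return found

def suspicious_entries(names):
    """Members whose *real* extension is a script, whatever comes before it."""
    return [n for n in names if n.lower().endswith(SCRIPT_EXTS)]

def build_sample_html():
    """Constructed stand-in for the phishing page: a data: URI holding a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical member name in the style of the sample's dropped file.
        zf.writestr("Install-MSOffice365-WebView-Plugin-Update.exe.js", "// placeholder")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ('<html><body><a download="plugin.zip" href="data:application/zip;base64,'
            + b64 + '">Download compatibility plugin</a></body></html>')

if __name__ == "__main__":
    for names in find_embedded_zips(build_sample_html()):
        print("embedded ZIP members:", names)
        print("script members:", suspicious_entries(names))
```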
Obfuscation Analysis
Diving into the JavaScript reveals obfuscated code that downloads a file from one of five domains, cycling through them in a while loop. It dynamically builds a secondary script and launches it via eval().
The script also generates a dummy Office document full of illegible text. This is written to disk and opened as a distraction while the malware executes in the background.
The Locky Payload
The resulting GET request fetches a file named as a PNG, which the script saves to disk as an EXE. This file is a UPX-packed executable recognized as the popular Locky ransomware.
Dropped Files
- Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js
- [random 9 Character AlphaNumeric name].exe
Network Traffic
http://gritfitnesstraining.com/counter/...
http://amirmanzurescobar.com/counter/...
Conclusion
Beneath a convincing compatibility plugin HTML page and several layers of obfuscation lies an initial infection vector for the well-known Locky ransomware. This has been quite the rabbit hole of obfuscation, but in the end we were able to find good ol' Locky. Be careful out there.
Happy hunting.
