I got a funny email today that I started digging in to, so I thought I would share as I have been working on little else since.
It came in as a notice from Facebook that someone has posted a picture of me..
Yay! That's so exciting; it was caught by the spam filter, so it means it must be a really good picture..
There were a few links embedded in the email, but they all went to the same place.
Here is what it was trying to execute.
Pardon the terrible parsing job I did; the var n has been cut way down to keep it simple.
The basics of what is going on here is that there is something hidden in n (duh) and the surrounding code gets it out and executes it. The key functions we need to know here are split and fromCharCode.
split does exactly what it sounds like: it splits the text on a given separator, in this case .., so what comes out is the list of numeric pieces with the separators stripped away. Those separators are only there as an attempt to hinder analysis and detection.
fromCharCode converts a numeric Unicode value into the corresponding character, which here is plain ASCII text.
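To make the two steps concrete, here is an added example of a decoder that does the same split/fromCharCode work the malicious script does, but returns the decoded text instead of executing it, plus a small scanner that flags this kind of blob in an email body. This is not the code from the email or from the original post; the payload string and the email snippet are constructed for illustration, and the function names are my own.

```javascript
// Constructed sample: a ".."-separated list of character codes, in the
// same style as the "n" variable in the post. It decodes to harmless text.
const SAMPLE_N = "97..108..101..114..116..40..39..100..101..99..111..100..101..100..39..41";

// Decode a blob of separator-joined character codes into a string.
// This mirrors the malware's split + fromCharCode logic but never evals
// the result, so it is safe to run on untrusted input.
function decodeCharCodeList(blob, separator = "..") {
  // split() returns the pieces between the separators; drop empty pieces
  // caused by leading, trailing or doubled separators.
  const pieces = blob.split(separator).filter(piece => piece.length > 0);
  const chars = pieces.map(piece => {
    const code = Number(piece);
    // fromCharCode works on 16-bit code units; anything else means the
    // blob is not what we assumed, so fail loudly rather than guess.
    if (!Number.isInteger(code) || code < 0 || code > 0xffff) {
      throw new Error(`unexpected token in payload: ${JSON.stringify(piece)}`);
    }
    return String.fromCharCode(code);
  });
  return chars.join("");
}

// Look for runs of at least 8 numbers joined by ".." anywhere in a body of
// text. Returns the matching blobs so an analyst can decode them offline.
function findCharCodeBlobs(text, minCodes = 8) {
  const pattern = new RegExp(`\\d{1,5}(?:\\.\\.\\d{1,5}){${minCodes - 1},}`, "g");
  return text.match(pattern) || [];
}

// Constructed email fragment with the sample blob embedded in a script tag.
const SAMPLE_EMAIL = `<p>Someone posted a photo of you.</p>
<script>var n="${SAMPLE_N}";</script>`;

// Decode the sample blob (returns "alert('decoded')").
function decodeSample() {
  return decodeCharCodeList(SAMPLE_N);
}

// Scan the sample email and decode every blob found, without executing any of it.
function analyzeSampleEmail() {
  return findCharCodeBlobs(SAMPLE_EMAIL).map(blob => decodeCharCodeList(blob));
}

console.log(decodeSample());
console.log(analyzeSampleEmail());
```

The scanner's threshold of eight codes is a constructed value chosen to avoid matching ordinary version strings; tune it to the traffic you see.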
Part 2 is going to show what tools to use to get something out of this with minimal effort.