Keypoints
- Initial lure: voicemail-themed email with a ZIP attachment named like “Companyname Micro.protected.zip” containing a single HTML file.
- Stage 1 decoding: the HTML contains an array of mixed hex and binary tokens decoded with parseInt and String.fromCharCode, then document.write to execute the next stage.
- Stage 2 cryptography: a large base64 blob is AES-encrypted (AES ECB, PKCS7) and decrypted client-side using CryptoJS with a hardcoded AES key.
- Safe analysis method: replace document.write with console.log or create a local HTML that loads CryptoJS offline to decrypt and log output without loading remote content.
- Final stage: decoded HTML builds an iframe that redirects via href.li to a malicious domain (9zg[.]aforenotedc[.]ru) serving a fake Microsoft login page that exfiltrates credentials.
- IOC artifacts: multiple SHA256 hashes and phishing URIs/domains were reported for detection and hunting.
MITRE Techniques
- [T1566] Phishing – ‘Use of voicemail lure to entice users into downloading malicious attachments.’
- [T1071.001] Application Layer Protocol: Web Protocols – as listed in the source mapping; note that T1071.001 covers command-and-control over HTTP(S), while HTML smuggling itself is catalogued by MITRE as T1027.006 (Obfuscated Files or Information: HTML Smuggling) – ‘Embedding malicious JavaScript within HTML files to bypass security mechanisms.’
- [T1027] Obfuscated Files or Information – ‘Utilization of multiple layers of obfuscation in JavaScript to conceal malicious intent.’
- [T1003] OS Credential Dumping – listed in the source mapping, but it describes extracting credential material from a host; a phishing page that harvests what the victim types into a cloned login form fits Input Capture: Web Portal Capture (T1056.003) more closely – ‘Phishing page designed to capture user credentials during login attempts.’
Indicators of Compromise
- [SHA256 Hash] initial and related HTML smuggled files – 287691ade84c692b9ea3af2bee22096d13584c817fcb7c908c3c4c17c582aa5f, 7c3769acab50337d09e80762b9c20329b117d94243878a2a2eb91fba4a211f23, and 3 more hashes
- [MD5 / SHA1] sample file properties – MD5 cde00cb2b65ee286fec3017beb953795, SHA1 eabfaa69c1e3b6a04d17c76987becd63b5b78076
- [Domain] phishing infrastructure – 9zg[.]aforenotedc[.]ru, aforenotedc[.]ru
- [URI] iframe / phishing redirect examples – https[:]//9zg[.]aforenotedc[.]ru/oBVboBDZoE8nn9Lnp8eBs/, https[:]//www[.]bandptrade[.]com/o/
- [Filename] archive used in lure – Companyname Micro.protected.zip (HTML attachment inside ZIP)
The technical delivery chain begins with an HTML file inside a ZIP (attachment name pattern like “Companyname Micro.protected.zip”). The first-stage HTML embeds an array of mixed hex and binary tokens that a decoding loop processes with parseInt (base 16 or base 2) and String.fromCharCode, then writes the result into the page via document.write; that output contains the next-stage JavaScript blob. Analysts can safely capture this intermediate payload by replacing document.write with console.log in a browser console (or by pasting the script into a controlled environment) to prevent automatic execution.
The next stage contains a large base64-encoded blob (variable u) that is AES-encrypted and is decrypted client-side with CryptoJS using AES in ECB mode with PKCS7 padding and a hardcoded key (example keys observed: 8527412153049366, 6534135480761922, 6910525483127436; each is 16 characters, so CryptoJS derives a 16-byte key and the cipher is AES-128, and ECB needs no IV). The decryption routine base64-parses the ciphertext, derives the key from the hardcoded string with CryptoJS.enc.Utf8.parse, calls AES.decrypt(…, key, { mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7 }), and converts the result to UTF-8; the resulting HTML/JS is then written into the page and would normally execute. To analyse it safely, recreate a local HTML file that includes the CryptoJS library offline, paste the encrypted blob and key, call the decrypt function, and log the decrypted output instead of writing it to the DOM (save it as decrypt_me.html and open it in an isolated VM or sandbox). Because the scheme is plain AES-128-ECB with a static key, the same blob can equally be decrypted outside a browser with any standard AES implementation.
The final decoded HTML contains base64-encoded strings decoded with atob to construct an iframe URL that redirects via href.li to a malicious domain (e.g., https://9zg[.]aforenotedc[.]ru/…), which serves a cloned Microsoft Office login and captures supplied credentials. When extracting the iframe, remove or disable any insertAdjacentHTML (or similar DOM-insertion) calls to avoid loading remote content during analysis. Throughout the process maintain an offline/sandboxed environment and treat any automatic network requests (Cloudflare-hosted libraries, iframe targets) as potentially malicious—extract URLs and static artifacts for hunting rather than executing them.
Read more: https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/