Spam with a malicious taste (update)

This post appeared originally in: IT Security blog:


I haven’t seen in a while a well done complex spam with malicious payload.

This one appears to be addressed to first name of the email recipient. As you can see in the subject, it is addressed to “SORIN” since my email address is sorin.mustaca@…

The spam contains a nice piece of social engineering which creates enough curiosity to the reader to open the attached archive.



The archive is called “Notice_to_appear_in_court_<random number>.zip. The only file in the archive is a JavaScript file extremely obfuscated : Notice_to_Appear_000483082.doc.js.


First of all, I asked myself why a ZIP with a JS in it?
ZIP is natively supported by Windows Explorer. If you have a ZIP archive, it will be automatically opened as a folder and you can execute any file in it. JS is executed by the Windows Script host without any HTML page to interpret it. Smart, I have to agree.

Now,there are some things which ruined my amazement of this spam after I executed it in a VM.


It doesn’t work… 🙂


Apparently, due to a programming error a function is called recursively without any limit.

I didn’t spend any time to understand and de-obfuscate the code, but from what I could see between the lines:

  • it writes a piece of JS code

  • it executes it

  • once executed it downloads a file from an URL.

The URL is even better obfuscated than the rest of the code.

  • It drops the file in the %TEMP% and

  • probably tries to execute it.

The obfuscated code is written by numerous functions into two global variables which are written in the end with the document.write function.


The malicious payload

Fortunately, there are tools online which de-obfuscate, analyze and scan the content.

Let’s have a look:

Virus Total:

URL of the analysis:

SHA256: 4b3be5f9b39c4d5d2bedef3c9d68e7c560e9166549a0a75e1ad3bd2b889491c9
File name:
Detection ratio: 6 / 57
Analysis date: 2015-03-01 16:55:08 UTC ( 0 minutes ago )


Interesting piece of code. I wonder which tool created that obfuscated code. It would be interesting to get it and see what it can do.

Here is what VirusTotal has to say about the JS file:

SHA256: 30e75b154125f487e2c793305f5657b63be8858f784ade0d15fed1103d84809b
File name: Notice_to_Appear_000483082.doc.js
Detection ratio: 5 / 50
Analysis date: 2015-03-03 09:23:26 UTC ( 1 minute ago )

Funny part:

Some AV vendors timed out while scanning this file.

Here is the top of shame:


Update (03.03.2015):

Thanks to Kahu Security we have an analysis of what the script does. Just check this post.

This script hits a PHP page on one of three websites via an AJAX call.
It downloads the file and saves it to the Temp folder as an .exe file with a random numeric name then runs it.

The malware downloaded is detected by just 2/57 AV vendors.

© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: