More Spam with JavaScript redirectors

We received new spam emails which contain a JavaScript redirector in form of a HTML attachment. The emails we received have the subject “Consultation Appointment”.

01-email

The decrypted JavaScript consists of new JavaScript code.

02-JS-decrypted

This JavaScript redirector loads yet another JavaScript from the internet. The domain which is hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2.400 other domains.

03-redirectedfile

The downloaded file contains an invisible, hidden iframe which is supposed to download further code from the internet. The target behind that iframe is already offline, luckily.

Leave a Reply