What's going on in this HTML JS phishing attempt

I’ve never looked at a JavaScript payload before. This came into my work the other day. We get these all the time, but this is the first I have decided to forward to my personal email so I could actually view the code and upload it to VirusTotal.

I thought the JavaScript would be slightly more readable but it's pretty much all digits and ampersands.

The other reason why I wanted to look at it was to see if it was JS for information gathering. Like if a user were to open it in the browser it could get hardware info and send that back to the attacker to craft a more targeted attack.

Basically just curious what kind of payload this might be, and if someone can link an article where I could read up on it more. Is that JavaScript passing on another type of code?

Here are some of the results from VirusTotal.

Avast: HTML:PhishingMS-AHK [Phish]

AVG: HTML:PhishingMS-AHK [Phish]

ESET-NOD32: HTML/Phishing.Outlook.AH

Fortinet: JS/Phishing.AHK!tr

Rising: Trojan.Phishing/HTML!8.11C79 (TOPIS:E0:4i4r62DLKGJ)

Zoner: Probably Heur.HTMLUnescape

Followed by a bunch of undetected. I find it weird so many others said “undetected”, why is that? I’m sure they must have seen this type of attack before? Could it actually be recently written and in some of those other security vendors’ definitions yet? Or am I just misunderstanding the scan?

Thanks!

Edit: Here is the link to VirusTotal if anyone’s interested. https://www.virustotal.com/gui/file/56c60227d58ee82eccf00afef58905c416ded4c4d643cc9c39e21c148d694e3b/summary

submitted by /u/blimkat

February 18, 2023