Reader Malware: ZIP/HTML Phish

Reader Henry submitted a malicious email attachment: a ZIP file.

It contains a PNG file and a HTML file:

The HTML file contains a script with hexadecimal code, that can be decoded with base64dump.py:

This is a phishing site for Microsoft credentials, that starts with a captcha:

There's something more to this zip file: that's for next diary entry.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

DidierStevens

678 Posts
ISC Handler
Oct 23rd 2021

Sign Up for Free or Log In to start participating in the conversation!