Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Sometimes it's just SPAM SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sometimes it's just SPAM

A reader forwarded us a suspicious email. It contained a URL, and I downloaded the content with a method similar to what Lenny explained in this diary entry.

Here is the content of the html page:

There are several methods to deobfuscate the data in this script. If you take a close look, you will notice that each number in array plannedb is subtracted with 52 (planneda) and then converted to characters.

As I often have to do such decodings, I have a tool for this:

It can easily be used to decode the script:

Retrieving this URL reveals that this is actually a SPAM email, there is no malicious code.

I've seen before that spammers and advertisers use code obfuscation techniques similar to malware authors. Even legitimate web developers do it occasionaly to try to protect their code from being copied and reused.


Didier Stevens
Microsoft MVP


561 Posts
ISC Handler
Aug 14th 2017

Sign Up for Free or Log In to start participating in the conversation!