DMCA Copyright Violation Notice – Malware

I receive several of these a month; this one is for a website that I manage.

DMCA Request

The scammer is hoping that you will fall for the DMCA Copyright Violation Notice, click on the link and download the attachment (which contains malware). This is part of a large, ongoing malware campaign (ransomware), and for some reason it seems to arrive exclusively through a website’s “contact us” form (likely to hide who they are and to keep their costs down). If you follow the URL in the email, it takes you to a Google Drive page to download a file called ‘Stolen Images Evidence’.

DMCA Violation

When I downloaded the file, it contained a file called Stolen Images Evidence.js (11.8 KB). I scanned the file with my AV of choice and it came back containing four different pieces of malware (Trojan-Downloader.Win32.PsDownload.sb, Trojan-Downloader.JS.SLoad.sb, Trojan.Win64.Reflo.sb and Trojan.Win32.Powershell.d), all trojans that are used to download other malware (often ransomware). Interestingly enough, I ran it through VirusTotal (virustotal.com) and only four of the 56 anti-malware engines actually flagged it as malware. This is likely due to the hex encoding used in the JavaScript file, which makes it harder for a standard signature-based scanner to detect. My scanner of choice only found it in heuristic mode.

virustotal

I extracted the contents of the Zip (on my isolated virtual machine); it contains hex-encoded JavaScript. Below is a small section of the code (I’m not posting the entire file, sorry kiddies).

var _0x27d8b2=_0x55d7;var _0x20ec1e=_0x55d7;var _0x356e3e=_0x55d7;function _0x53e4(){var _0x1d9607=['M;ox','\x22AUn','njXH','AcwA','(\x22ox','FMKo','Yoxr','XQAU','ACAU','CAUn','jXiA','jXyp','FMPP','FMOb','jXbA','jXn\x20','BAUn','cAUn','MhKo','\x20=ox','AAUn','jXZA','XuAG','jXDR','rFMt','bQBA','oxrF','2882943ODgGdf','woxr','e\x22,\x20','XwAU','Mveo','Mnqo','coxr','Mtox','njXs','XgBz','bvox','XGQA','rFMn','XAAU','XOAU','FMio','XLAU','njXU','XAdA','rFMZ',',AUn','jXBn','AIAU','AUnj','==AU','357GIMCxv','njXw','XBAU','nAUn','FMwo','FM=\x20','xoxr','jXtA','jXSh','jXAZ','FMDR','QAZA','rFM)','Ioox','rFMO','AdAA','Mi\x22;','FMSo','FMBo','jXAA','rFMl','Xoxr','X8Ad','rFMX','oWAU','njXc','Mjox','627724MhlJWH','FMxo','njX8','4AUn','\x22/cA','FMzT','jX0A','jXwA','SAUn','C4AU','X\x22AU','njXG','jX(A','jXZQ','jX);','FgAA','rFMi','MtYo','nop\x20','FMto','XaAU','HAUn','jXQA','njXB','njXa','AFAU','XGMA','XRsA','XBhA','\x20oxr','hoxr','rFM;','MIox','njXA','joxr','-AUn','0AUn','AZAU','XApA','MAUn','Aoxr','w\x20Ac','X, AU','gAUn','35EGSyKa','338020dwIdwi','AKnA','XGAU','pAUn','MEox','IAAo','Hoxr','uAUn','XQAA','jXc\x20','IAUn','XuIA','6365058shSgqy','BFAA','XnAU','Mdox','FMeo','XQB3','dAUn','jXEW','QAUn','jX\x20A','Joxr','wAUn','rAUn','njXe','xrFM','njXE','hAUn','zEfw','FM\x22o','FMUn','EAUn','roxr','BOAU','jXcA','XjAG','opAU','mAUn','rFMe','rFMd','repl','rFMI','rFM\x20','jXoA','ABAU','FMZl','jXeA','XUAU','njX\x20','jXDA','1UsoDwn','rFMx','XhiA','FMTo','eAUn','IAMA','UnjX','jXpA','FM=o','ace','Xp\x20A','Voxr','13325330DzEwry','jXLg','Gmox','AvAC','AKAA','rFM.','njXg','9954072gojxEO','.AUn','sAUn','njX0','bgAU','77288jnOfwX','njX\x22','XAAY','jXBj','jXHA','XecA','njXL','bAUn','aAUn','jXEA','XAGA','lEAU','jXkA','UAUn','XbAU','ll\x20-','jXuA','jXdA','Mnox','M\x22ox','jXC0','poxr','rFMs','ATAU','jXBA','AGoA','loxr','FMLr','njXp','MHkB'];
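The reason only a handful of engines flagged the file is visible in the snippet: the real strings are split into a large array of short, partly hex-escaped fragments and referenced through `_0x…` identifiers, so no meaningful signature string survives in the file. A heuristic scanner looks for that shape instead of for content. The Python below is an added example (not the post’s own code and not part of the malware): it scores a JavaScript source on three structural indicators and un-escapes `\xNN` sequences so a human can see the hidden characters. The obfuscated sample reuses the first few array entries shown above inside a constructed skeleton; the thresholds are hypothetical and chosen for this example.

```python
import re

# Constructed sample input: a short skeleton in the same style as the snippet
# above (hex-named identifiers, a long array of short hex-escaped strings).
# It is NOT the malware file; it only reproduces the shape a scanner sees.
OBFUSCATED_SAMPLE = (
    "var _0x27d8b2=_0x55d7;var _0x20ec1e=_0x55d7;function _0x53e4(){"
    "var _0x1d9607=['M;ox','\\x22AUn','njXH','AcwA','(\\x22ox','FMKo',"
    "'Yoxr','XQAU','ACAU','CAUn','jXiA','jXyp','FMPP','FMOb','jXbA',"
    "'jXn\\x20','BAUn','cAUn','MhKo','\\x20=ox','AAUn','jXZA','XuAG',"
    "'jXDR','rFMt','bQBA'];}"
)

# Constructed benign input for comparison.
BENIGN_SAMPLE = (
    "function greet(name) {\n"
    "  const message = 'Hello, ' + name;\n"
    "  console.log(message);\n"
    "}\n"
    "greet('world');\n"
)

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")       # \x22, \x20 ...
HEX_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")    # _0x27d8b2 ...
SHORT_STRING = re.compile(r"'[^'\n]{1,12}'")         # 'jXyp', 'AcwA' ...


def unescape_hex(text):
    """Replace \\xNN escapes with the characters they encode, so the real
    string contents become visible to a human or to a later scanner."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(0)[2:], 16)), text)


def score_js(source):
    """Return obfuscation indicators and a coarse verdict for one JS file.

    Scoring (hypothetical thresholds chosen for this example):
      +1  three or more \\xNN escapes inside string literals
      +2  two or more distinct _0x... identifiers
      +2  twenty or more short quoted strings (string-array obfuscation)
    A total of 3 or more is reported as suspicious.
    """
    hex_escapes = len(HEX_ESCAPE.findall(source))
    hex_identifiers = len(set(HEX_IDENT.findall(source)))
    short_strings = len(SHORT_STRING.findall(source))

    score = 0
    if hex_escapes >= 3:
        score += 1
    if hex_identifiers >= 2:
        score += 2
    if short_strings >= 20:
        score += 2

    return {
        "hex_escapes": hex_escapes,
        "hex_identifiers": hex_identifiers,
        "short_strings": short_strings,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "clean",
    }


if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, score_js(sample))
    # Un-escaping reveals the hidden quote character in '(\x22ox'.
    print(unescape_hex("(\\x22ox"))
```

The indicators are deliberately structural, which is why they survive the encoding that defeats a plain signature match; the trade-off is that legitimately minified or packed libraries can also score high, so a hit like this is a reason to detonate the file in an isolated VM, as the post does, not a verdict on its own.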

I always track the IP address when someone sends something from a web contact form. In this case, it was sent from 108.58.123.210, which is a Days Inn by Wyndham in Hicksville, Long Island, New York.

The headers for this email are not very informative, as it originated from within the server’s own network (it was sent through the contact form).

Return-Path: <webmaster@redacted>
Delivered-To: webmaster@redacted
Received: from mail.redacted
    by mail.redacted with LMTP
    id 8LoPExR/VGHFdgAANJBo7Q
    (envelope-from <webmaster@redacted>)
    for <webmaster@redacted>; Wed, 29 Sep 2021 10:58:28 -0400
Return-path: <webmaster@redacted>
Envelope-to: webmaster@redacted
Delivery-date: Wed, 29 Sep 2021 10:58:28 -0400
Received: from host by mail.redacted with local (Exim 4.94.2)
    (envelope-from <webmaster@redacted>)
    id 1mVb2S-0000wK-8x
    for webmaster@redacted; Wed, 29 Sep 2021 10:58:28 -0400
To: webmaster@redacted
Subject: =?us-ascii?Q?redacted._Contact:_redacted?= =?us-ascii?Q?_DMCA_Copyright_Violation_Notice?=
X-PHP-Originating-Script: 1008:PHPMailer.php
Date: Wed, 29 Sep 2021 14:58:28 +0000
From: Fred <FredBostic@slack.com>
Reply-To: FredBostic@slack.com
Message-ID: <0Q3x5Gxn6KyPuBq6IBVZBxROkxqboDFkrVQiRElcyk@simplywebservices.net>
X-Mailer: PHPMailer 6.5.0 (https://github.com/PHPMailer/PHPMailer)
X-Sender: webmaster@redacted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

It should be noted that for the last three copies of this email I received, Google had already taken the attachment offline before I was able to download and investigate it.
