Let me kick this off by first telling you how much I love phishing emails. I LOVE them. I LOVE seeing 60 phishing emails fly straight through email filters. I LOVE having to inspect each one for the IOC. I LOVE having to dig through Bro logs to check to make sure that person didn't click the link. If this isn't true love, I don't know what is.

I actually don't love any of those things. In fact, most phishing that you'll see is extremely generic and very poorly done. It's almost as if no one knows that the Social Engineering Toolkit exists. Like, Dave Kennedy literally did all the work for them and they still choose to use awful screen cap JPEGs with some fields overlaying them, but I guess that's all beside the point. This XKCD pretty much hits the nail on the head.

XKCD Phishing License

The one, single good thing about these babies is that they're great to learn from because they're easy!

MD5: b9431bf87b0f7e51fd1899a1206c16d2
SHA256: 47328a9056844c14c6848664f834f68ffa4dcce1b087bd6dbce536c6bd45e277

This file is available on VirusTotal, so download and follow along!

Figure 1: People actually fall for this. I mean seriously, look how bad this is.

So as an analyst, my main concern with this is really just the IOC. Basically - did the user click the link? Did the user enter their credentials? So, you may be thinking, "Yeah... so I opened Chrome DevTools, inspected the form and, lo and behold, I see the domain it posts to, namely: thdfiwboloie[.]herokuapp[.]com/tmp/cgi-cdn/vredhat252438fsgds73X8vV7jMX2MLEsIM9ddw117952feM3434323Sjp3ijUOUFKd/Scan001[.]pdf[.]php"

Figure 2: Form POST action. Oh, lookie there! The form posts to that domain.

Awesome news! If we were just analyzing this quickly, we've got our IOC and we can make sure we had no network hits and move on with our merry lives. But how does this thing really work? Let's open this up in a text editor and see what we're working with.

Figure 3: File opened in a text editor. Well, that's pretty nasty looking...

Is this nice, giant blob of hex-encoded characters what you expected, or did you expect an HTML page like we saw when we opened it in the Chrome DevTools? In fact, where is that HTML we saw in Chrome? Hint: Look at the JavaScript...

Going through the entire file, it looks like the only thing we really see is document.write(unescape('insert tons of hex here...'));

Let's take a look at what the unescape function does. Hint #2: JavaScript documentation is your friend. Use it!

Figure 4: The unescape function. Ty for the documentation, Microsoft.

So, based on the documentation, we can see that the only thing our JavaScript is doing in this case is calling unescape to turn all of those percent-encoded hex sequences (%XX) back into the characters they stand for and then writing the result to the HTML document, thus building the phishing page we saw earlier. Let's go ahead and prove this.

We're going to do this two different ways. These are not the only ways, but these are my preferred ways.

1. Node.js

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. So what makes this awesome? This means we can run our JavaScript code inside Node to do the "deobfuscation" (unescaping). Now, there's one slight modification to make to our file. Remove the document.write() function that is wrapping our unescape function. We do this because Node has no DOM, so document doesn't exist there, unlike in the Chrome browser.

Now that we've made our changes to our file contents, let's pop those contents into Node. (Go make yourself some coffee while you wait for it to paste. It's an incredible amount of characters...) Once it's finally finished pasting, go ahead and hit enter.

Figure 5: Thanks, Node.js! How easy was that? Yay Node!

There's our HTML document! Now, thinking back to our original JavaScript (remember we removed document.write()), this text would then be written to the HTML document which renders that ugly phishing page in the browser.

2. Google Chrome

Chrome makes it just as easy! Remember, we're doing the same thing (unescape('hexencodedchars')). Let's paste our modified script (with document.write() removed) into the Chrome console and take a look at the results!

Figure 6: Woot! Chrome rocks too!

Same exact results as Node.js. You can even argue it's a little better since it's formatted nicely for us!

Well, I promised an easy one to start with and we got it! Poke around in Node and in the Chrome DevTools and really get acquainted with them. These are going to be the two most important tools we'll be using in this series. (Hint: I use Chrome DevTools EXTENSIVELY!!!) See if you can't find a few more phishing documents and try this same process until you feel comfortable!

I hope you enjoyed the first entry in this series! If you have any questions or comments, feel free to comment below!