devrand0m Posted October 12, 2017 (edited) Got a strange email with what kind of looked like obfuscated code. Usually just trash these, but this one had a code-looking thing in the title. =?UTF-8?b?VA==?=**(1S7LG9C102)***=?UTF-8?b?aA==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?=**(1S7LG9C102)***=?UTF-8?b?aw==?=**(1S7LG9C102)***=?UTF-8?b?Xw==?=**(1S7LG9C102)***=?UTF-8?b?eQ==?=**(1S7LG9C102)***=?UTF-8?b?bw==?=**(1S7LG9C102)***=?UTF-8?b?dQ==?=**(1S7LG9C102)***=?UTF-8?b?IQ==?=**(1S7LG9C102)***=?UTF-8?b?Vw==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bA==?=**(1S7LG9C102)***=?UTF-8?b?Zw==?=**(1S7LG9C102)***=?UTF-8?b?cg==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?= I know UTF-8 points to an encoding scheme, but I don't recognize this format at all. Doesn't look like web encoding or base64. Anybody know what this is? Also, can the attacker force code execution with malware code in the title of an email? PS I hope the above quote doesn't execute anything on anybody's computer, but if I'm quoting potential malware code, is there any way to make it safer when posting? [edit] I got rid of the repeating elements in the above quote and got "VAaAYQbgawXweQbwdQIQVwYQbAZwcgZQZQbg==?=" which kind of looked like base64, but when I convert it I get "T€aàkðyðuWlprPeà" which doesn't make sense. Edited October 12, 2017 by devrand0m
Dave-ee Jones Posted October 12, 2017 Could be that he's hoping you're using some email client like Outlook or something that has a security flaw in code execution. Mass email to multiple people, hoping at least 1 of them has a specific program that does this, might be the answer. Or maybe his email didn't completely send, cutting out a bit of it and confusing your email client. I don't really know, is basically what I'm saying. :P
devrand0m Posted October 13, 2017 (Author) @Dave-ee Jones I'm pretty sure it was complete. I got another one, almost identical in format, but slightly different content. I'm asking about the email title, but the body of the email is also suspect. Obfuscated in a strange way, but kind of looks like possibly base64-encoded hex code (assembly?). I just wasn't sure if it's safe to post the body here. (Don't want to pwn anyone by accident.)
Dave-ee Jones Posted October 13, 2017 39 minutes ago, devrand0m said: @Dave-ee Jones I'm pretty sure it was complete. I got another one, almost identical in format, but slightly different content. I'm asking about the email title, but the body of the email is also suspect. Obfuscated in a strange way, but kind of looks like possibly base64-encoded hex code (assembly?). I just wasn't sure if it's safe to post the body here. (Don't want to pwn anyone by accident.) Well, the chances of that happening are very low because the browser needs to be able to recognise and execute the code, so unless someone's got some super dodgy, insecure browser then it should be fine. But better safe than sorry.
digip Posted October 13, 2017 (edited) It's foreign-language encoding coming through, possibly with fancy quotes in it. You see this sometimes with Chinese and Russian characters in an email, mostly on Windows Outlook-type email programs, and it's not encoded properly to show the Unicode characters or ANSI characters as intended due to the encoding and special characters in the email. More than likely just a pure spam bot, though. View the header and trace the IP; what country of origin was the email from? It's also possible it was trying to run some sort of code for specific vulnerable clients and bypass spam filtering rules at the same time. This might help - https://dmorgan.info/posts/encoded-word-syntax/ Decoded, it looks like a thank-you email: Thank_you!Walgreen Edited October 13, 2017 by digip
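To show concretely what digip's link describes, here is an added example (not code from anyone in the thread) that rebuilds the subject line from the post, decodes it as RFC 2047 encoded-words, and reproduces why the edit in the first post came out as "T€aà…": each `=?UTF-8?b?XX==?=` word is a self-contained base64 unit carrying exactly one byte, so gluing the two-character payloads together and decoding the result as one base64 string reads 6-bit groups across word boundaries and only every third byte survives. The `**(1S7LG9C102)***` filler sits outside every `=?…?=` bracket, so a conforming decoder never treats it as part of the text; the sample subject and the names `decode_encoded_words`, `stdlib_decode` and `naive_concatenate` are this example's own.

```python
import base64
import quopri
import re
from email.header import decode_header

# Constructed sample: the subject line quoted in the thread, rebuilt from its
# eighteen one-character encoded-words and the repeated filler between them.
FILLER = "**(1S7LG9C102)***"
WORDS = ["VA==", "aA==", "YQ==", "bg==", "aw==", "Xw==", "eQ==", "bw==", "dQ==",
         "IQ==", "Vw==", "YQ==", "bA==", "Zw==", "cg==", "ZQ==", "ZQ==", "bg=="]
SUBJECT = FILLER.join(f"=?UTF-8?b?{w}?=" for w in WORDS)

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_words(header: str) -> str:
    """Decode each RFC 2047 encoded-word on its own. Text outside the
    =?...?= brackets (here, the filler) belongs to no word and is skipped."""
    pieces = []
    for charset, encoding, payload in ENCODED_WORD.findall(header):
        if encoding in "bB":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' stands for a space, =XX is a hex-escaped byte
            raw = quopri.decodestring(payload, header=True)
        pieces.append(raw.decode(charset, errors="replace"))
    return "".join(pieces)


def stdlib_decode(header: str) -> str:
    """Cross-check with the standard library: decode_header() returns
    (bytes, charset) pairs, and the filler comes back with charset None."""
    return b"".join(
        chunk for chunk, charset in decode_header(header) if charset
    ).decode("utf-8", errors="replace")


def naive_concatenate(header: str) -> bytes:
    """What the edit in the first post did: drop the brackets, the filler and
    the '==' padding, glue the leftovers together and base64-decode the lot.
    Two base64 characters hold 12 bits, so each word spends 8 bits on its one
    byte and 4 on padding; gluing the words shifts every later byte boundary."""
    glued = "".join(p.rstrip("=") for _, _, p in ENCODED_WORD.findall(header))
    glued += "=" * (-len(glued) % 4)  # re-pad the whole string for the decoder
    return base64.b64decode(glued)


if __name__ == "__main__":
    print("per-word decode :", decode_encoded_words(SUBJECT))
    print("stdlib decode   :", stdlib_decode(SUBJECT))
    print("glued payloads  :", naive_concatenate(SUBJECT))
```

Run it and the per-word and stdlib decoders both give `Thank_you!Walgreen`, while the glued decode gives 27 bytes in which only positions 0, 3, 6, … are the intended characters (`T`, `a`, `k`, `y`, …) and the bytes in between (0x06, 0x80, 0xE0, …) are the displaced padding bits, which an email client renders as the € and à seen in the edit. The regex-based decoder also handles the Q form, for example `=?ISO-8859-1?Q?Caf=E9_au_lait?=`.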