Posted (edited)

Got a strange email with what kind of looked like obfuscated code.  Usually just trash these, but this one had a code-looking thing in the title.  

=?UTF-8?b?VA==?=**(1S7LG9C102)***=?UTF-8?b?aA==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?=**(1S7LG9C102)***=?UTF-8?b?aw==?=**(1S7LG9C102)***=?UTF-8?b?Xw==?=**(1S7LG9C102)***=?UTF-8?b?eQ==?=**(1S7LG9C102)***=?UTF-8?b?bw==?=**(1S7LG9C102)***=?UTF-8?b?dQ==?=**(1S7LG9C102)***=?UTF-8?b?IQ==?=**(1S7LG9C102)***=?UTF-8?b?Vw==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bA==?=**(1S7LG9C102)***=?UTF-8?b?Zw==?=**(1S7LG9C102)***=?UTF-8?b?cg==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?= 

I know UTF-8 points to encoding scheme, but I don't recognize this format at all.  Doesn't look like web encoding or base 64.  Anybody know what this is?  Also, can the attacker force code execution with malware code in the title of email?  

PS I hope the above quote doesn't execute anything on anybody's computer, but if I'm quoting potential malware code, is there any way to make it safer when posting?

[edit] I got rid of the repeating elements in the above quote and got "VAaAYQbgawXweQbwdQIQVwYQbAZwcgZQZQbg==?=" which kind of looked like base64 but when I convert it I get "T€aàkðyðuWlprPeà" which doesn't make sense.

Edited by devrand0m
Posted

Could be that he's hoping you're using some email client like Outlook or something that has a security flaw in code execution. Mass email to multiple people, hoping at least 1 of them has a specific program that does this might be the answer.

Or maybe his email didn't completely send, cutting out a bit of it and confusing your email client.

I don't really know, is basically what I'm saying. :P

Posted

@Dave-ee Jones I'm pretty sure it was complete.  I got another one, almost identical in format, but slightly different content.

I'm asking about the email title, but the body of the email is also suspect.  Obfuscated in a strange way, but kind of looks like possibly base64 encoded hex code (assembly?).  I just wasn't sure if it's safe to post the body here.  (don't want to pwn anyone by accident.)

Posted
39 minutes ago, devrand0m said:

@Dave-ee Jones I'm pretty sure it was complete.  I got another one, almost identical in format, but slightly different content.

I'm asking about the email title, but the body of the email is also suspect.  Obfuscated in a strange way, but kind of looks like possibly base64 encoded hex code (assembly?).  I just wasn't sure if it's safe to post the body here.  (don't want to pwn anyone by accident.)

Well, chances of that happening are very low because the browser needs to be able to recognise and execute the code, so unless someone's got some super dodgy, insecure browser then it should be fine. But better safe than sorry.

Posted (edited)

It's foreign language encoding coming through, possibly with fancy quotes in it. You see this sometimes with Chinese and Russian characters in an email, mostly on Windows Outlook-type email programs, and it's not encoded properly to show the Unicode characters or ANSI characters as intended due to the encoding and special characters in the email.

More than likely just a pure spam bot though. View the header and trace the IP; what country of origin was the email from? It's also possible it was trying to run some sort of code for specific vulnerable clients and bypass spam filtering rules at the same time.

 

This might help - https://dmorgan.info/posts/encoded-word-syntax/

 

Decoded, looks like a thank you email.

Thank_you!Walgreen 

 

Edited by digip
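
Decoding the subject line quoted at the top of this thread, as an added example that is not part of any post: each `=?UTF-8?b?...?=` chunk is an RFC 2047 encoded-word whose Base64 payload carries its own padding and has to be decoded on its own, which is why joining the payloads first gives garbage. The function name and the `FILLER`, `B64_WORDS` and `SUBJECT` constants are assumptions of this example; their values are copied from the quoted subject line.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Subject from the first post, rebuilt from its two repeating parts.
FILLER = "**(1S7LG9C102)***"
B64_WORDS = ("VA== aA== YQ== bg== aw== Xw== eQ== bw== dQ== "
             "IQ== Vw== YQ== bA== Zw== cg== ZQ== ZQ== bg==").split()
SUBJECT = FILLER.join(f"=?UTF-8?b?{w}?=" for w in B64_WORDS)


def decode_subject(raw):
    """Decode every encoded-word in a header value.

    Returns (decoded_text, filler): the concatenated decoded words and the
    list of literal runs that sat between them. Decoding only turns bytes
    into text; nothing in the header is evaluated or executed.
    """
    decoded, filler, pos = [], [], 0
    for m in ENCODED_WORD.finditer(raw):
        gap = raw[pos:m.start()]
        if gap.strip():
            filler.append(gap)          # unencoded text between words
        charset, enc, payload = m.groups()
        charset = charset.split("*")[0]  # drop optional RFC 2231 language tag
        if enc.lower() == "b":
            # Each word is padded separately, so decode it separately.
            data = base64.b64decode(payload, validate=True)
        else:
            # "Q" encoding: =XX hex escapes, "_" stands for a space.
            data = binascii.a2b_qp(payload, header=True)
        decoded.append(data.decode(charset, errors="replace"))
        pos = m.end()
    if raw[pos:].strip():
        filler.append(raw[pos:])
    return "".join(decoded), filler


if __name__ == "__main__":
    text, filler = decode_subject(SUBJECT)
    print(repr(text), "filler tokens:", sorted(set(filler)))
```
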
