It all started with this message in Gmail, which looked really funky (note the ZIP attachment).
I haven't ordered anything on those dates. Moreover, I doubt FedEx emails originate from fishy Argentinian domains (no offense, Argentina, but I live on the other side of the globe) or from sites like websitewelcome.com.
Analyzing the Gmail headers confirmed my suspicion. Thirdly, a ZIP attachment is a bad sign: most such services send plain PDFs, not archives.
So, what does a security-cautious person do next? Download the ZIP file, of course! And then immediately upload it to VirusTotal.com.
Having the URL and the code split across multiple functions (which are not even declared in the order they execute) really helps to evade heuristic detection, since the only practical way to figure out what this code does is to run it (he-he). As you can see, it is indeed very effective: 38 out of 54 engines on VirusTotal did not detect a threat, a miss rate of about 70%! In addition, the message was not flagged as suspicious by Gmail or by any other mail service in the chain (I have a chain of email accounts forwarding messages to each other).
So, here you go: now you know one when you see it. 🙂 If you want to play with it, the best way to get one would be mailing that address in the header 🙂