Nigerian Yahoo phishing mail with JavaScript.

The CEO of an institution sent me the email he received these days at the institution’s email address.
An invoice from an unrelated company.

Please send me the order signed and stamped.


He is an old client and knows about cybersecurity. He did not want to open this suspicious email.
He sent it to me to analyze the file they had received.

So… let’s help our clients! 😉

An encoded .htm file with some addresses included.

When you open the file, a Yahoo page appears telling you that the session has expired and you must log in again.
This way you enter your login data, which is then sent to the addresses shown above.

They started on 2017-03-14 with DHL phishing.

Both are linked to an email address: onyekaemmanuel158[@]

…AND the email is linked to more domains hosted in Nigeria.

Some of them have the same message on the main domain, but all of them have some files uploaded.

In one of them I found an .rtf exploit uploaded.

Exploit toolkit CVE-2017-0199

[quote]{\rt{\object\objautlink\objupdate\rsltpict\objw9579\objh8486\objscalex893748\objscaley4368{\*\objclass \'77\'6F\'72\'64\'2E\'64\'6F\'63\'75\'4D\'65\'4E\'74\'2E\'33\'35\'39\'39\'35\'33}{\*\objdata…[/quote]
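As an added example (not from the original post), a small Python triage helper that decodes the `\'xx` hex escapes in the quoted header and flags the `\objautlink` + `\objupdate` pattern; the sample string is constructed from the fragment above with the `\objdata` body replaced by a placeholder, and the function names are mine.

```python
import re
from typing import Dict, Optional

# Constructed sample: the header fragment quoted in the post, with the
# (long) \objdata payload replaced by a short placeholder.
SAMPLE_RTF = (
    r"{\rt{\object\objautlink\objupdate\rsltpict\objw9579\objh8486"
    r"\objscalex893748\objscaley4368{\*\objclass \'77\'6F\'72\'64\'2E"
    r"\'64\'6F\'63\'75\'4D\'65\'4E\'74\'2E\'33\'35\'39\'39\'35\'33}"
    r"{\*\objdata 0105000002000000}}"
)

HEX_ESCAPE = re.compile(r"\\'([0-9A-Fa-f]{2})")
OBJCLASS_GROUP = re.compile(r"\\\*\\objclass\s*([^}]*)\}")


def decode_rtf_hex(text: str) -> str:
    """Replace every RTF \\'xx escape with the byte it encodes (latin-1)."""
    return HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), text)


def extract_objclass(rtf: str) -> Optional[str]:
    """Return the decoded OLE object class name, or None if there is none."""
    m = OBJCLASS_GROUP.search(rtf)
    return decode_rtf_hex(m.group(1)).strip() if m else None


def triage_rtf(rtf: str) -> Dict[str, object]:
    """Static indicators for the CVE-2017-0199 RTF pattern: an OLE object
    marked \\objautlink together with \\objupdate (auto-update on open),
    whose class name is hidden behind \\'xx hex escapes."""
    m = OBJCLASS_GROUP.search(rtf)
    raw_class = m.group(1) if m else ""
    result = {
        # a well-formed document starts with {\rtf1; this sample starts with {\rt
        "truncated_header": rtf.startswith(r"{\rt") and not rtf.startswith(r"{\rtf"),
        "objautlink": r"\objautlink" in rtf,
        "objupdate": r"\objupdate" in rtf,
        "hex_encoded_objclass": bool(HEX_ESCAPE.search(raw_class)),
        "objclass": extract_objclass(rtf),
    }
    # The linked-and-auto-updated object is the core of the technique;
    # the other fields are supporting evidence for the analyst.
    result["suspicious"] = result["objautlink"] and result["objupdate"]
    return result


if __name__ == "__main__":
    for key, value in triage_rtf(SAMPLE_RTF).items():
        print(f"{key:>22}: {value}")
```

Decoding the class group of the quoted sample gives `word.docuMeNt.359953`, which a plain substring search for the class name would never see in the raw file.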

Phishing files are also hosted for LinkedIn, Microsoft, DHL, Google… and more.

On the next picture you may see the relationship between the extracted data.

What I would like to find out is why it was written in Romanian for a Romanian institution, and whether it was something random or a fixed target.
The institution is an important one … so everything is possible.

So this is it!

This was not just an email!

Have fun & Stay safe!

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst

