Email attachments are one of the main vectors of malicious code. According to analysis by the Helsinki-based security provider F-Secure, 85% of all malicious emails carry a .DOC, .XLS, .PDF, .ZIP, or .7Z attachment.
But now, in addition to those, we have to consider another type of dangerous attachment: .HTML. Two examples of the kind of code found in such attachments:
<body onpageshow="document.location.replace(window.atob('a base-64 encoded string'));">
<frameset onpageshow="document.location.replace(window.atob('a base-64 encoded string'));">
The onpageshow event is used because it fires every time the page is shown, including when it is restored from the browser's cache, whereas the onload event fires only when the page is first loaded and does not fire when the page is loaded from the cache.
document.location.replace(newURL) replaces the current document with the one at newURL without leaving an entry in the session history, so the Back button will not return the victim to the attachment.
The atob() method decodes a Base64-encoded string, such as one produced by the btoa() method. The Base64 string obfuscates the URL it represents, so the destination is not visible to someone who simply reads the file.
In the second snippet we can notice the use of the <frameset> tag, which is deprecated, no longer recommended, and not supported in HTML5. Nevertheless, some browsers still support it for compatibility purposes.
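As an added example (not code from the original post), the following Python scanner shows how a mail gateway or analyst could statically inspect an HTML attachment of the kind described above: it finds event-handler attributes that fire without user interaction (onpageshow, onload and similar), flags handlers that navigate away through document.location, and decodes any atob('...') literal so the hidden URL becomes visible without ever opening the file in a browser. The sample attachments and the target URL are constructed placeholders.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed samples mirroring the two snippets in the post.
# The redirect target is a placeholder host, not a real site.
SAMPLE_TARGET = "https://phish.example.invalid/login"
SAMPLE_B64 = base64.b64encode(SAMPLE_TARGET.encode()).decode()
SAMPLE_BODY_HTML = (
    "<html><head><title>Invoice</title></head>"
    f"<body onpageshow=\"document.location.replace(window.atob('{SAMPLE_B64}'));\">"
    "<p>Loading your document...</p></body></html>"
)
SAMPLE_FRAMESET_HTML = (
    "<html><head><title>Invoice</title></head>"
    f"<frameset onpageshow=\"document.location.replace(window.atob('{SAMPLE_B64}'));\">"
    "<frame src=\"about:blank\"></frameset></html>"
)

# Handlers that run as soon as the page is shown, with no click required.
AUTO_EVENTS = ("onpageshow", "onload", "onpagehide", "onunload")

# Matches  onxxx="..."  or  onxxx='...'  attributes on a tag.
HANDLER_RE = re.compile(r'\b(on\w+)\s*=\s*(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)
# Matches atob('<base64>') / atob("<base64>") with a literal argument.
ATOB_RE = re.compile(r'atob\(\s*(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)')
# Navigation primitives commonly used to redirect the victim.
NAV_RE = re.compile(
    r'(document|window)\.location(\.replace\(|\.assign\(|\.href\s*=)|window\.open\('
)


@dataclass
class Finding:
    tag: str            # element carrying the handler, e.g. "body" or "frameset"
    event: str          # the event attribute name, e.g. "onpageshow"
    navigates: bool     # True if the handler redirects the document
    decoded_urls: list  # plaintext of any atob('...') literals in the handler


def decode_atob_args(handler: str) -> list:
    """Decode every literal atob() argument found in a handler body."""
    urls = []
    for _, b64 in ATOB_RE.findall(handler):
        try:
            raw = base64.b64decode("".join(b64.split()), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64; leave it for manual review
        urls.append(raw.decode("utf-8", "replace"))
    return urls


def scan_html(html: str) -> list:
    """Return a Finding for each auto-firing event handler on any tag."""
    findings = []
    for m in re.finditer(r'<(\w+)([^>]*)>', html, re.IGNORECASE | re.DOTALL):
        tag, attrs = m.group(1).lower(), m.group(2)
        for event, _, handler in HANDLER_RE.findall(attrs):
            event = event.lower()
            if event not in AUTO_EVENTS:
                continue
            navigates = NAV_RE.search(handler) is not None
            findings.append(Finding(tag, event, navigates, decode_atob_args(handler)))
    return findings


def is_suspicious(html: str) -> bool:
    """An attachment that redirects on show/load without user action is flagged."""
    return any(f.navigates for f in scan_html(html))


if __name__ == "__main__":
    for name, sample in (("body", SAMPLE_BODY_HTML), ("frameset", SAMPLE_FRAMESET_HTML)):
        for f in scan_html(sample):
            print(name, f.tag, f.event, "redirect" if f.navigates else "no-redirect", f.decoded_urls)
```

Running the module prints one finding per sample, each showing the decoded destination URL; a gateway would quarantine the message when is_suspicious() returns True and attach the decoded URL to the alert for the analyst.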
With malicious code in a web page we can have:
- Malicious Ads: advertisements on the Web that infect the user's machine with malware in order to make the compromised machine a member of a botnet.
- A Malware Distribution Network (MDN): a collection of landing pages, malware repository servers, and standard redirection pages. The goal of an MDN is to redirect the victim from a landing page to a malware repository server.
- Drive-by Downloads: the automatic download of software to a user's device without the user's knowledge or consent.
Here is how an antivirus reacted when it scanned this type of HTML attachment: