The accompanied link is : hxxp://numerodedicato.altervista.org/blog/wp-content/uploads/fgallery/updint.html. On visiting the link, the user finds a webpage with a following layout:
The message looks interesting. The webpage is executing another JavaScript to load content from another third-party domain. The details of this deobfuscated script are present here: http://pastebin.com/MVCH8M3N
The obfuscation provided us with an iframe that is downloading content from the following URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5
The obfuscated plugin script is here : http://pastebin.com/biZnVwMD
The deobfuscated plugin script is here : http://pastebin.com/hsKKn6EP
Many of the AV engines shows this website as benign. But, this domain hosting a BH exploit Pack. Let's see further:
On deobfuscation we get an applet code as follows:
Something seems suspicious, with Pre.jar file here. Further, the request to this link : hxxp://roadmateremove.org/data/hhcp.php?c=8896e loads the iframe for the plugin detection code. On successful verification and fingerprinting the Pre.jar file is served on the vulnerable systems. A quick check on virus-total only provides a reference to Blackhole exploit.
Check: https://www.virustotal.com/file/65ac3d0ef75cad088c80bcb238fe6206c42866a8e73676f5b5dd6b235871f874/analysis/1346173365/
Definitely a Java exploit in action.
This analysis is based on a specific link accompanied with this sample. The embedded links might change with other phishing emails.
Be Secure.
