Phishing remains one of the most pervasive threats to end-users. In this analysis, we explore a campaign where a "purchase receipt" PowerPoint document leads to a sophisticated phishing site utilizing AES encryption to hide its source code from automated scanners.
Filename: TransactionID7889277544.pptx
MD5: bd912590f18332ab93af23d1dcc688e4
Initial Delivery: The PPTX Vector
The attack begins with a spam email claiming the user has made a recent purchase via Apple. Attached is a "receipt" in the form of a Microsoft PowerPoint (.pptx) file.
Because modern Office documents are essentially ZIP archives (OOXML), we can inspect the internal structure by changing the extension to .zip. Deep within the archive, specifically in slide1.xml.rels, we find relationships containing shortened Twitter URLs (t.co).
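The same inspection can be scripted for triage. This is an added example, not tooling from the original analysis: it opens an OOXML package from memory, walks every `.rels` part, and reports relationships whose `TargetMode` is `External`, flagging known URL-shortener hosts. The sample package, the shortener list and the `https://t.co/EXAMPLE` target are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by every OOXML relationships part (*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Hypothetical triage list of shortener hosts worth a second look.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com"}


def extract_external_links(package_bytes):
    """Return (part, rel_type, target) for every External relationship in the
    package. Internal relationships point at other parts and are skipped."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    # Keep only the last path segment of the Type URI, e.g. "hyperlink".
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target")))
    return found


def flag_shorteners(links):
    """Keep only links whose host is a known shortener (case-insensitive)."""
    flagged = []
    for part, rel_type, url in links:
        host = urlparse(url).hostname
        if host and host.lower() in SHORTENER_HOSTS:
            flagged.append((part, rel_type, url))
    return flagged


def build_sample_pptx():
    """Constructed minimal package: one slide rels part with one external
    hyperlink and one internal slideLayout relationship."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{HYPERLINK}" Target="https://t.co/EXAMPLE" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, url in flag_shorteners(extract_external_links(build_sample_pptx())):
        print(f"{part} [{rel_type}] -> {url}")
```

Point `extract_external_links` at the bytes of a real .pptx/.docx/.xlsx to list every outbound target without opening the document in Office.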
The Phishing Site & AES Obfuscation
The PowerPoint slide presents a high-quality "Invoice" that urges the user to click a link to cancel the order. This link redirects through multiple shortening services (t.co and bit.ly) to land on a very convincing Apple-themed phishing page.
The technical highlight of this page is its use of AES-CTR (Advanced Encryption Standard in Counter Mode) to obfuscate the entire HTML body. Instead of standard HTML, the page source is a giant encrypted blob. A small JavaScript snippet using the Aes.Ctr.decrypt function decrypts the content locally in the user's browser.
Bypassing the Encryption
This technique is highly effective against automated reputation crawlers and security systems that scan for static phishing signatures. However, an analyst can easily bypass this using browser Developer Tools. By outputting the value of the decryption variable (in this case, "output") to the console, we can retrieve the raw, decrypted HTML.
Phishing Mechanics
The site follows a standard phishing workflow:
- Authentication: Collects the Apple ID and password; any input is accepted without validation.
- Fake Alert: Claims the account is locked for security reasons.
- Data Harvesting: Directs users to "Unlock Account" by providing personal security questions and financial details (Credit Card, SSN, etc.).
Conclusion & Detection
Initial detection for the PowerPoint document is often low, as the file itself contains no malicious macros or exploits—only a simple URL. The real "threat" resides in the browser. The use of AES encryption demonstrates an evolving trend in phishing, moving away from simple obfuscation to cryptographic methods that evade automated security filters.
Educating users to scrutinize unusual file types (like PowerPoint for receipts) remains the best defense against these credential-harvesting campaigns.
Happy hunting.
