So a while ago I did a short piece on extracting malicious VBA, something I seem to run into more and more.
Today I ran into a different attachment. It was a .zip file containing a .shtml file. SHTML is (appearently) an HTML file that invludes information that will be added "on the fly" by the server (Server Side Includes; SSI) before being sent to you, such as a "Last modified" date. I'm not really sure why this file type was used, but whatever.
I didn't want to open it, even on a linux box. Running strings on it gives me what looks like a standard HTML document with an iframe to some website.
[email protected]:~/Desktop# strings Jack_Ryan_resume.shtml
Ok, so now I had the web address and I know it tries to load that in an iframe, but what does the web address do? Curl is the easiest thing to try from here. Lynx will also get you the references on the page.
curl http://www.malicious.url lynx -dump http://www.malicious.url
I like curl a little better, it tells me exactly what's on the page, but lynx gets to the point. Both let me know that it's header contains a refresh that points to a google drive download. Visiting that with curl or lynx gives me a 400 error, so I think I'll stop there.