{
	"id": "6f646d23-5faf-4a07-9857-893956e2bb57",
	"created_at": "2026-04-06T00:07:27.832118Z",
	"updated_at": "2026-04-10T03:19:58.495616Z",
	"deleted_at": null,
	"sha1_hash": "94e7aa9d5cbdd07059ada76f704927383dcfb8c3",
	"title": "Evasive URLs in Spam: Part 2 | Trustwave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58395,
	"plain_text": "Evasive URLs in Spam: Part 2 | Trustwave\r\nBy Diana Lopera\r\nPublished: 2020-10-01 · Archived: 2026-04-05 12:44:54 UTC\r\nOctober 01, 2020 2 Minute Read\r\nA URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs\r\nthat we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed\r\nhow valid URL formats can be used in evading detection.\r\nThe spams in this campaign have a PowerPoint Add-in attachment which contains a malicious macro. When the\r\nPowerPoint file is closed, it accesses a URL via the Windows binary mshta.exe, and this leads to different\r\nmalware being installed into the system. This routine is not unusual for macro downloaders. However, we find the\r\nobfuscation used on the URL interesting and worthy of further investigation.\r\nEmail_sample\r\nFigure 1: The spam containing a PowerPoint Add-in and the PowerPoint’s process tree\r\nPpt_hiew\r\nFigure 2: The PowerPoint attachment and its macro code where the initial malicious URL is formulated\r\nThe domains associated with this campaign are already known to host malicious files and obfuscated malicious\r\ndata. To trick the email recipient, and avoid being flagged by email and AV scanners, the cybercriminals behind\r\nthis campaign employed a semantic attack on these URLs.\r\nA URI may have an Authority component and below is its structure. If the Userinfo subcomponent is present, it is\r\npreceded by two slashes and followed by an “@” character.\r\nauthority = [userinfo@]host[:port]\r\nUserinfo is rarely used, and as such, can be used to try and fool a casual observer. In this campaign, dummy\r\nuserinfo is incorporated on the URLs. 
The bad guys are attempting to make the domains inconspicuous while still conforming to the generic URI syntax.\r\nFigure 3: The URL flow\r\nThe initial URL shown in the image above has the domain j[.]mp, a URL shortening service operated by Bit.ly. To avoid being characterized as a short URL, and so evade detection signatures, the string “%909123id” is repeated in the userinfo. Since the URL j[.]mp/kassaasdskdd (shortened from Figure 3) does not require userinfo to access any resource, the userinfo data is ignored when the URL is accessed. The first URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin.\r\nFigure 4: The obfuscated script on Pastebin and its de-obfuscated data\r\nFigure 5: The registry entry created by the VBScript in Figure 4\r\nThe VBScript, served by the second URL in Figure 3, is a dropper. It writes a PowerShell downloader into the registry and sets up its persistence. The PowerShell downloads and processes the raw data on two more Pastebin URLs, and then executes the resulting binaries.\r\nThe third and fourth URLs are also Pastebin URLs. Both contain dummy userinfo as well, which Pastebin ignores. The content at the third URL pastebin[.]com/raw/uhMtv3Bk (shortened from Figure 3) is obfuscated PowerShell code. The PowerShell executes two .NET compiled DLLs: the first DLL bypasses the Anti-Malware Scan Interface (AMSI) and then loads a DLL injector into memory. The fourth URL pastebin[.]com/raw/Nz1mPUdT (shortened from Figure 3) contains an obfuscated Lokibot malware sample. 
This is injected into a legitimate process, notepad.exe, by the DLL injector mentioned earlier.\r\nSummary\r\nWe found it interesting that the attackers were using URIs in this way, which is essentially an attack on the user’s preconceived notion of what a URI should look like. It may also defeat security solutions that expect URIs in a certain format.\r\nTrustwave Secure Email Gateway has added protection against this threat for our customers. As my colleague advised in the earlier blog, be cautious with URLs received in external emails: investigate links before clicking.\r\nIOCs\r\nEmail Attachment\r\n    REQUEST FOR OFFER 08-20-2020.ppt (82944 bytes) SHA1: 01A3399F8A075137CD4F68A2B247C509FCEAB21F\r\nDLL Injectors\r\n    WindowsFormsApplication68.dll (49664 bytes) SHA1: F8E91A3A407235583058DF06C2C2CCDE73194A03\r\n    Guwav.dll (20480 bytes) SHA1: 70b45d01eea4156610583c8b3dfcab89eeb6f113\r\nObfuscated VBScript from pastebin[.]com/raw/XZxTT7Xy\r\n    (3346 bytes) SHA1: FC050B623983B10D60ED4557771609C9D10F3C3A\r\nObfuscated PowerShell from pastebin[.]com/raw/uhMtv3Bk\r\n    (525125 bytes) SHA1: 047D7516EF672AE882B322F1E3E9DF2BDF7F4583\r\nLokibot deobfuscated from pastebin[.]com/raw/Nz1mPUdT\r\n    (104.0KB) SHA1: A988B692581A76A6220A641037F7AA254C1F293F\r\nLokibot Setting URL\r\n    hxxp://195[.]69[.]140[.]147/[.]op/cr[.]php/SczbkxCQZQyVr\r\nLokibot C\u0026Cs\r\n    kbfvzoboss[.]bid/alien/fre[.]php\r\n    alphastand[.]trade/alien/fre[.]php\r\n    alphastand[.]win/alien/fre[.]php\r\n    alphastand[.]top/alien/fre[.]php\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/"
	],
	"report_names": [
		"evasive-urls-in-spam-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94e7aa9d5cbdd07059ada76f704927383dcfb8c3.pdf",
		"text": "https://archive.orkl.eu/94e7aa9d5cbdd07059ada76f704927383dcfb8c3.txt",
		"img": "https://archive.orkl.eu/94e7aa9d5cbdd07059ada76f704927383dcfb8c3.jpg"
	}
}