Here’s an interesting script sent to me by a friend. This script was the first step in the infection chain which redirected the user to an exploit pack.
The author’s goal was likely to thwart security tools and researchers, as they wouldn’t be able to deobfuscate the script without knowing the exact UserAgent string used. Clever!
There are several ways to crack this, but below I just enumerated all the values which were used to XOR the obfuscated code and displayed the result:
Here, you can see the results of our bruteforcing effort:
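The enumeration approach described above, sketched as an added example (not the script from the original sample or the author's own code): it tries every key value against an XOR-encoded blob and ranks the candidates by how much they look like JavaScript. It assumes the UserAgent is reduced to a single-byte key; `keyFromUserAgent`, the sample UserAgent and the payload are all constructed for illustration.

```javascript
// Added example: the key derivation and payload are constructed, not from the real sample.

// XOR every byte with a single-byte key.
function xorBytes(bytes, key) {
  return bytes.map((b) => b ^ key);
}

// Hypothetical derivation: sum of the UserAgent's char codes, reduced to one byte.
function keyFromUserAgent(ua) {
  let sum = 0;
  for (const ch of ua) sum = (sum + ch.charCodeAt(0)) & 0xff;
  return sum;
}

// Score a candidate: fraction of printable characters plus one point per JS token found.
const TOKENS = ["document", "function", "var ", "window", "eval", "location", "iframe"];
function score(text) {
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if ((c >= 0x20 && c < 0x7f) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  const hits = TOKENS.filter((t) => text.includes(t)).length;
  return printable / text.length + hits;
}

// Try all 256 keys and return the candidates sorted best-first.
function bruteForceXor(bytes) {
  const results = [];
  for (let key = 0; key < 256; key++) {
    const text = String.fromCharCode(...xorBytes(bytes, key));
    results.push({ key, score: score(text), text });
  }
  return results.sort((a, b) => b.score - a.score);
}

// Constructed sample: a harmless payload encoded with a key from a made-up UserAgent.
const SAMPLE_UA = "Mozilla/5.0 (constructed; example) Test/1.0";
const SAMPLE_PLAIN = 'document.write("constructed sample payload");';
const SAMPLE_KEY = keyFromUserAgent(SAMPLE_UA);
const SAMPLE_CIPHER = xorBytes(Array.from(SAMPLE_PLAIN, (c) => c.charCodeAt(0)), SAMPLE_KEY);

// The analyst never needs SAMPLE_UA: the top-ranked candidate reveals key and plaintext.
const best = bruteForceXor(SAMPLE_CIPHER)[0];
console.log("key:", best.key, "plaintext:", best.text);
```

Because the keyspace is only 256 values, the UserAgent check adds no real protection once the encoded blob has been extracted from the page.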