Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:

[screenshot 2016-02-21_01]

In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.

[screenshot 2016-02-21_02]

The string of gibberish is lined up in an array but only the last value is collected. Here, you can see the individual characters that make up the call to the URL.

[screenshot 2016-02-21_03]

I found another script that employs the same method. In this version, the values outside of the elements between parentheses are collected. The first section spells out “ActiveXObject”.

[screenshot 2016-02-21_04]

Here’s yet another script that uses the same method and then takes it up another level. The first section also spells out “ActiveXObject”, but this time it makes use of an interesting behavior where only the first character of the string attached to the “.e()” property is collected. Note: you need to unescape the script first to convert each decimal value back to a single character.

[screenshot 2016-02-21_05]

Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.
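A small static extractor for the comma-list trick, written for this post as an added example; it is not the author's program, and the exact shape of the obfuscated expression (string literals concatenated with `+`, with decoy values in parenthesised comma lists) is an assumption drawn from the description above:

```javascript
// Added example, not from the original post. It models the comma-list trick
// described above as an assumption about the script's shape: the downloader
// builds a string by concatenating terms, and where a term is a parenthesised
// list such as ("Qz","Wk","A") only the LAST literal survives evaluation.
// The string is recovered statically; no JS engine ever runs the sample.

const STRING_LIT = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/y; // sticky: match only at lastIndex

// Read one string literal starting exactly at src[i]; returns [value, next] or null.
function readString(src, i) {
  STRING_LIT.lastIndex = i;
  const m = STRING_LIT.exec(src);
  if (!m) return null;
  const raw = m[1] !== undefined ? m[1] : m[2];
  return [raw.replace(/\\(.)/g, '$1'), STRING_LIT.lastIndex]; // drop simple backslash escapes
}

// Recover the string an expression like  "A" + ("x","c") + "tive"  builds.
function recoverString(expr) {
  let out = '';
  let i = 0;
  const skipWs = () => { while (i < expr.length && /\s/.test(expr[i])) i++; };
  while (i < expr.length) {
    skipWs();
    if (i >= expr.length || expr[i] === ';') break;
    if (expr[i] === '+') { i++; continue; }
    if (expr[i] === '(') {
      i++;
      let last = '';
      for (;;) {                          // walk the comma list, keep only the last literal
        skipWs();
        if (expr[i] === ')') { i++; break; }
        if (expr[i] === ',') { i++; continue; }
        const s = readString(expr, i);
        if (!s) throw new Error('unexpected token at offset ' + i);
        [last, i] = s;
      }
      out += last;
      continue;
    }
    const s = readString(expr, i);       // a plain literal outside any parentheses
    if (!s) throw new Error('unexpected token at offset ' + i);
    out += s[0];
    i = s[1];
  }
  return out;
}

// Constructed sample in the style of the second script: every other value is a decoy.
const SAMPLE = '("Qz","Wk","A") + "c" + ("9","t") + "iveX" + ("Ob","jj","Ob") + "ject";';
console.log(recoverString(SAMPLE)); // ActiveXObject
```

Because nothing is executed, the same routine can be run over a quarantined sample to pull out the URL and file path strings before any dynamic analysis.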

Example #1

[screenshot 2016-02-21_06]

Example #2

[screenshot 2016-02-21_07]

Example #3: for this one, I had to unescape the script first.

[screenshot 2016-02-21_08]

Each of these three example scripts downloads an executable, saves it to the temp folder, then executes it.

This entry was posted in Malicious Email, Malscript.