Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:

In the midst of seemingly random strings there are clues to its structure, but there's very little to go on. I started off by grabbing a portion of the script and evaluating just that portion to see what the variable contains.

The strings of gibberish are lined up in a list, but only the last value is collected. Here you can see the individual characters that make up the call to the URL.

I found another script that employs the same method. In this version, the values outside of the parenthesized elements are collected. The first part spells out "ActiveXObject".

Here's yet another script that uses the same method and then takes it up another level. The first part also spells out "ActiveXObject", but this time it makes use of an interesting behavior where only the first character of the string attached to the ".e()" property is collected. Note: you need to unescape the script first to convert the escaped values into single characters.

Writing a program to extract the correct value is a little tricky but doable. I'll need to test this further before releasing the program but it seems to work.
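The following is an added example of such an extractor, written for this page and not the tool the post refers to, nor code from the malicious scripts themselves. It assumes the three patterns described above behave like the JavaScript comma operator, where a parenthesized list `("junk", "junk", "real")` evaluates to its last element, and that the hypothetical `.e()` helper returns the first character of the string it is attached to. Instead of passing the sample to `eval()` (which would run whatever else the downloader contains), it tokenizes and evaluates only the string-building subset: string literals, `+`, parenthesized comma lists, and `.e()`. Both sample inputs are constructed for the example; the URL and file name are placeholders.

```javascript
// Added example: a static evaluator for the string-building subset of JavaScript
// used by comma-operator obfuscators. It never calls eval(), so the rest of the
// downloader (ActiveXObject, file writes, execution) is never reached.
//
// Assumed grammar (reconstructed from the post's description, not the real samples):
//   expr := term ('+' term)*
//   term := atom ('.e()')*                 // .e() is a hypothetical helper: first character
//   atom := STRING | '(' expr (',' expr)* ')'   // comma list: only the LAST element survives

// Step 1: the "unescape the script first" step. Decodes %XX and %uXXXX like the
// legacy unescape() function; string escapes (\xNN, \uNNNN) are handled by the tokenizer.
function unescapeJs(src) {
  return src
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Step 2: split the expression into string literals, operators and the .e() marker.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '"' || c === "'") {
      let j = i + 1, out = '';
      while (j < src.length && src[j] !== c) {
        if (src[j] === '\\') {                      // decode \xNN, \uNNNN and simple escapes
          const n = src[j + 1];
          if (n === 'x') { out += String.fromCharCode(parseInt(src.substr(j + 2, 2), 16)); j += 4; continue; }
          if (n === 'u') { out += String.fromCharCode(parseInt(src.substr(j + 2, 4), 16)); j += 6; continue; }
          out += n; j += 2; continue;
        }
        out += src[j++];
      }
      if (j >= src.length) throw new Error('unterminated string literal');
      tokens.push({ type: 'str', value: out });
      i = j + 1;
      continue;
    }
    if (src.startsWith('.e()', i)) { tokens.push({ type: 'first' }); i += 4; continue; }
    if ('+(),'.includes(c)) { tokens.push({ type: c }); i++; continue; }
    throw new Error(`unsupported token at offset ${i}: ${JSON.stringify(c)}`);
  }
  return tokens;
}

// Step 3: recursive-descent evaluation with the three collection rules.
function evaluate(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const expect = (t) => {
    const tok = tokens[pos++];
    if (!tok || tok.type !== t) throw new Error(`expected ${t}`);
  };
  function atom() {
    const tok = peek();
    if (!tok) throw new Error('unexpected end of input');
    if (tok.type === 'str') { pos++; return tok.value; }
    if (tok.type === '(') {
      pos++;
      let value = expr();                          // comma operator: keep only the last element
      while (peek() && peek().type === ',') { pos++; value = expr(); }
      expect(')');
      return value;
    }
    throw new Error(`unexpected token ${tok.type}`);
  }
  function term() {
    let v = atom();
    while (peek() && peek().type === 'first') { pos++; v = v.charAt(0); }   // .e(): first char only
    return v;
  }
  function expr() {
    let v = term();
    while (peek() && peek().type === '+') { pos++; v += term(); }          // '+' concatenates
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error('trailing tokens after expression');
  return result;
}

function deobfuscate(src) { return evaluate(tokenize(unescapeJs(src))); }

// Constructed samples (not the real downloader). The first mixes all three tricks:
// comma lists, a %XX-escaped byte, a \xNN string escape and the .e() first-character trick.
const SAMPLE_ACTIVEX = '("Alpha").e() + ("Zebra","cti%76e") + ("Xray").e() + "\\x4fbject"';
// The second is the URL pattern from Example #1: junk strings followed by the real fragment.
const SAMPLE_URL = '("7GhQ","p0x","http://") + ("zz","example.com/") + ("Q","w","payload.exe")';

console.log(deobfuscate(SAMPLE_ACTIVEX));   // ActiveXObject
console.log(deobfuscate(SAMPLE_URL));       // http://example.com/payload.exe
```

Because the evaluator rejects any token outside that grammar, a sample that also contains identifiers or calls (for example the `WScript` or `ActiveXObject` invocation itself) fails loudly rather than being executed; paste only the string-building fragment you want resolved, exactly as the post does when it grabs a portion of the script.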

Example #1

Example #2

Example #3...for this one, I had to unescape the script first.

All three example scripts do the same thing: download an executable, save it to the temp folder, then execute it.

Posted on: 02/21/2016