Malicious Javascript Analysis II

This obfuscated Javascript came from a new, unknown exploit kit. There's a large chunk of code that looks pretty scary!

We can see a couple of things from this partial look at the script. It appears to be using AJAX, which isn't very common in the malicious scripts I've run across. I cleaned up the code and came up with this.

There are two functions in this script. The function at the top isn't called until the second function, in the middle, is called first. The 'kjejz' function gets AJAX ready, then strips every occurrence of the text string "gsoqtecw" from the variable 'pxomwgzp'. I guess it wasn't too scary after all! We're left with decimal values (I inserted the backslash delimiter so I could convert them manually myself).

The code then converts the decimal to text and we get this.
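The two decoding steps described above (strip the junk token, then turn the delimited decimal values back into characters), written out as a small analyst helper. This is an added example, not code from the original post or from the exploit kit: the junk token "gsoqtecw" and the Acrobat classid are taken from the post, while the function names, the choice to treat the junk token as the value separator, and the sample payload are assumptions made here. The sample is constructed and benign, so the decoder can be exercised without the real payload; the final step flags indicators in the decoded text that an analyst would want to see called out.

```javascript
// Added example (not the original post's code). Assumptions: the junk token
// sits between adjacent decimal values, so replacing it with a delimiter keeps
// the boundaries the post's author had to insert by hand.
const JUNK = "gsoqtecw";   // junk token named in the post
const DELIM = "\\";        // the backslash delimiter the author inserted manually

// Markers worth flagging in decoded output. The classid value is from the post;
// the rest are generic document-rewriting indicators.
const INDICATORS = [
  "document.write",
  "classid",
  "CA8A9780-280D-11CF-A24D-444553540000",
  "<iframe",
];

// Step 1: remove the junk token, leaving a delimiter where each one stood.
function stripJunk(packed, junk = JUNK, delim = DELIM) {
  return packed.split(junk).join(delim);
}

// Step 2: convert the delimited decimal character codes back into text.
// Anything that is not a valid UTF-16 code unit is an error rather than
// silently becoming garbage, so a mis-identified delimiter shows up quickly.
function decodeDecimal(delimited, delim = DELIM) {
  return delimited
    .split(delim)
    .filter((s) => s.length > 0)
    .map((s) => {
      const code = Number.parseInt(s, 10);
      if (!Number.isInteger(code) || code < 0 || code > 0xffff || String(code) !== s) {
        throw new Error(`not a decimal char code: ${JSON.stringify(s)}`);
      }
      return String.fromCharCode(code);
    })
    .join("");
}

// Both steps together: packed string in, decoded script out.
function deobfuscate(packed) {
  return decodeDecimal(stripJunk(packed));
}

// Triage: which of the indicator strings appear in the decoded script?
function findIndicators(decoded, indicators = INDICATORS) {
  const lower = decoded.toLowerCase();
  return indicators.filter((i) => lower.includes(i.toLowerCase()));
}

// Helper that builds a CONSTRUCTED sample in the same packing scheme
// (junk token followed by the decimal code of each character).
function pack(text, junk = JUNK) {
  return Array.from(text)
    .map((ch) => junk + ch.charCodeAt(0))
    .join("");
}

// Constructed, benign sample payload.
const SAMPLE = pack("var x = 'hello';");

const decoded = deobfuscate(SAMPLE);
console.log(decoded);                 // var x = 'hello';
console.log(findIndicators(decoded)); // []
```

Run it with `node` to see the constructed sample decode; for a real sample, paste the packed string into `SAMPLE` and check what `findIndicators` reports before reading the decoded script in full.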

We get the final Javascript code and see that it writes out some div containers and an object tag with a PDF classid of "CA8A9780-280D-11CF-A24D-444553540000". Then it inserts an iframe to exploit Acrobat regardless of the installed version. Simple and straightforward.

Posted on: 12/04/2010