The file is nicely obfuscated, but strings remain readable. Obfuscation techniques have two goals:
Make the malware analyst's job more difficult (and prevent the human eye from spotting interesting information just by having a look at the code)
Defeat security controls in place (IDS, YARA rules, and all types of scanners)
In this case, obfuscation has been used for the second goal. Indeed, strings remain readable:
user@host:/MalwareZoo/20211117$ grep -Eo "https://[^ >']+" "Product Specification #87305.js"
The script is a one-liner but easy to beautify. The most interesting line is this one:
var _0xa4fe8b = [
This array is used with the function _0x4fccd5() as seen in this example:
The index of the array element to use is passed in hexadecimal (e.g. "0x124"), and the function adjusts it (by subtracting a fixed offset) before accessing the right element.
The script uses the classic ActiveX objects: 'MSXML2.XMLHTTP' to download the file, 'ADODB.Stream' to dump it on the file system and 'WScript.Shell' to execute it.
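To recover the strings without running the sample, the array-plus-accessor pattern described above can be resolved statically. The following is an added example, not code from the diary: it works on a constructed JavaScript snippet (the array name and function name mimic the diary's, the contents and offset 0x120 are invented) and assumes the accessor has the simple "subtract an offset, then index the array" shape.

```python
import json
import re

# Constructed sample (not the real script) mirroring the pattern described:
# a string array, an accessor that subtracts an offset, hex-indexed calls.
SAMPLE_JS = r"""var _0xa4fe8b = ['\x4dSXML2.XMLHTTP', 'ADODB.Stream', 'WScript.Shell', 'GET', 'open'];
function _0x4fccd5(_0x2c) { _0x2c = _0x2c - 0x120; return _0xa4fe8b[_0x2c]; }
var _0xd1 = new ActiveXObject(_0x4fccd5(0x120));
var _0xd2 = new ActiveXObject(_0x4fccd5(0x121));
_0xd1[_0x4fccd5(0x124)](_0x4fccd5(0x123), 'https://example.invalid/x.bin', false);"""

ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[(.*?)\];", re.S)
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")   # single-quoted JS string literals


def parse_string_array(js):
    """Return (array_name, elements) for the first string array in the source."""
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError("no string array found")
    # decode \xNN / \uNNNN escapes so the strings read as the script sees them
    elems = [s.encode("utf-8").decode("unicode_escape") for s in STRING_RE.findall(m.group(2))]
    return m.group(1), elems


def find_accessor(js, array_name):
    """Return (function_name, offset) of the accessor that indexes array_name."""
    pat = re.compile(r"function\s+(\w+)\s*\(\w+\)\s*\{[^}]*?-\s*(0x[0-9a-fA-F]+|\d+)"
                     r"[^}]*?return\s+" + re.escape(array_name) + r"\[")
    m = pat.search(js)
    if not m:
        raise ValueError("no accessor found")
    return m.group(1), int(m.group(2), 0)


def deobfuscate(js):
    """Replace every accessor(0xNNN) call with the string literal it resolves to."""
    array_name, elems = parse_string_array(js)
    fn, offset = find_accessor(js, array_name)
    call = re.compile(re.escape(fn) + r"\(\s*(0x[0-9a-fA-F]+|\d+)\s*\)")

    def repl(m):
        idx = int(m.group(1), 0) - offset      # undo the offset the accessor applies
        if not 0 <= idx < len(elems):
            return m.group(0)                  # out of range: keep for manual review
        return json.dumps(elems[idx])

    return call.sub(repl, js)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```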
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.