Posts

Obfuscated JavaScript

[Imported From X-Sec Blog, just for backup]

Recently we got a JavaScript file with heavily obfuscated code. Let's try to de-obfuscate it and find out what it does!


As you can see, the original file has only one line (excluding the comment line) and its code is obfuscated, so the first step is simply to format the code.


After formatting, we noticed this notification from Visual Studio Code:


In the code we care about, there are many unused parameters in function calls:


But we found one function whose parameter is actually used:


r = 2183, so r - 2183 + 2 = 2, and n[2] = e.

In other words, this function simply returns the parameter passed to it: the other arguments are junk.

We also found a function called "hpd" which is never called.
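Both tricks (a wrapper that returns one of its many arguments, and helper functions that are never called) can be stripped mechanically. The script below is an added example, not code from the original post or from the analyzed file: it works on a constructed snippet, and the wrapper name uqx and the returned argument index 2 (from r - 2183 + 2) are assumptions standing in for whatever the real sample uses.

```python
"""Strip two obfuscation tricks: an "identity" wrapper that returns one of its
many arguments, and functions that are never called. Added example with a
constructed input; the names uqx/hpd and the index 2 are assumptions."""
import re

# Constructed snippet in the style of the post: the wrapper always returns
# arguments[2] (r - 2183 + 2 == 2); every other argument is junk.
SAMPLE_JS = r'''
function hpd(a, b) { return a ^ b; }
function uqx(n, r, e) { r = 2183; return arguments[r - 2183 + 2]; }
var host = uqx(0x1a, "junk, with comma", "example.invalid");
var path = uqx(hpd(1, 2), uqx(9, 9, "/x"), "/dl.php?q=(a,b)") + uqx(1, 2, ",c");
'''

def match_delim(src, start, open_ch, close_ch):
    """Index of the delimiter that closes src[start], skipping string literals."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'`':
            quote = c
        elif c == open_ch:
            depth += 1
        elif c == close_ch:
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError('unbalanced %s at offset %d' % (open_ch, start))

def split_args(arglist):
    """Split a JS argument list on top-level commas (nesting and string aware)."""
    args, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(arglist):
        c = arglist[i]
        cur.append(c)
        if quote:
            if c == '\\' and i + 1 < len(arglist):
                cur.append(arglist[i + 1]); i += 1
            elif c == quote:
                quote = None
        elif c in '"\'`':
            quote = c
        elif c in '([{':
            depth += 1
        elif c in ')]}':
            depth -= 1
        elif c == ',' and depth == 0:
            cur.pop()                       # drop the separator itself
            args.append(''.join(cur).strip()); cur = []
        i += 1
    args.append(''.join(cur).strip())
    return args

def inline_wrapper_calls(src, name, index):
    """Replace each call name(a0, a1, ...) by its argument at `index`, nested
    calls included; the function's own definition is left alone."""
    call = re.compile(r'(?<!function\s)(?<![\w$])' + re.escape(name) + r'\s*\(')
    m = call.search(src)
    while m:
        open_paren = m.end() - 1
        close_paren = match_delim(src, open_paren, '(', ')')
        args = split_args(src[open_paren + 1:close_paren])
        if len(args) <= index:
            raise ValueError('call at offset %d has only %d argument(s)' % (m.start(), len(args)))
        src = src[:m.start()] + args[index] + src[close_paren + 1:]
        m = call.search(src)                # rescan: a replacement may expose a nested call
    return src

def remove_dead_functions(src):
    """Drop every `function name(...) {...}` whose name occurs nowhere else."""
    removed = []
    for name in re.findall(r'\bfunction\s+([A-Za-z_$][\w$]*)\s*\(', src):
        if len(re.findall(r'(?<![\w$])' + re.escape(name) + r'(?![\w$])', src)) == 1:
            m = re.search(r'\bfunction\s+' + re.escape(name) + r'\s*\(', src)
            body_open = src.index('{', match_delim(src, m.end() - 1, '(', ')'))
            body_close = match_delim(src, body_open, '{', '}')
            src = src[:m.start()] + src[body_close + 1:]
            removed.append(name)
    return src, removed

def deobfuscate(src, wrapper, index):
    """Inline the wrapper first so that junk arguments (and the calls hidden in
    them) disappear, then remove functions nothing references any more."""
    src = inline_wrapper_calls(src, wrapper, index)
    return remove_dead_functions(src)

if __name__ == '__main__':
    cleaned, removed = deobfuscate(SAMPLE_JS, 'uqx', 2)
    print('removed dead functions:', removed)
    print(cleaned)
```

The order matters: inlining runs before dead-function removal, because junk arguments such as hpd(1, 2) are the only remaining references to the decoy helpers, and they vanish once the wrapper call is collapsed to its real argument.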

After removing these obfuscations, we get the following code (only the main part is shown):


Looks much better.

But, as the second image shows, we still need to find out which string each function returns, so it's time to use Internet Explorer ;-)

After function resolve and …

A Deep Dive Into Obfuscated Macro

[Imported From X-Sec Blog, just for backup]

Today, let's look at a malicious document with an obfuscated macro.


As you can see, the document has two parts that contain macros. You can decompile and dump them with oledump or OfficeMalScanner; in this case, I used OfficeMalScanner to dump the macros.


The "AutoOpen" function is executed when the document is opened, so we need to analyze this function first.

In this image, we can see a lot of useless code, such as:

Dim kPzzJ(2)
kPzzJ(0) = Left(mMIojQ, 128)
kPzzJ(1) = Right(QzcsN, 271)

It defines an array and assigns its elements, but the array is never used.

After removing the useless code, only one line turns out to be important:

Shell@ znTPdbX + mBYjUWTQKAI + oUCbzPVliID, UbJHpY

It executes the command formed by concatenating three string variables: znTPdbX, mBYjUWTQKAI and oUCbzPVliID, and uses 0 as its second argument (0 -> vbHide, meaning the window in which the command runs is hidden).
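The manual steps above (drop variables that are only ever assigned, then read the surviving Shell call and resolve its window style) can be scripted for triage of a dumped macro. The following is an added example, not the document's real macro or code from the post: the macro text is constructed around the identifiers quoted above, the string values are placeholders, and single-line Dim/assignment statements are assumed (no multi-variable Dim, no line continuations).

```python
"""Triage a dumped VBA macro: iteratively drop declarations and assignments of
variables that are never read, collect simple constant assignments, and flag
Shell calls whose window-style argument resolves to 0 (vbHide).
Added example on a constructed macro; identifiers follow the post, values are placeholders."""
import re

# Constructed macro modelled on the patterns quoted above (values are placeholders).
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim kPzzJ(2)
    Dim UbJHpY As Integer
    mMIojQ = "aaaa"
    QzcsN = "bbbb"
    kPzzJ(0) = Left(mMIojQ, 128)
    kPzzJ(1) = Right(QzcsN, 271)
    UbJHpY = 0
    znTPdbX = "<part1>"
    mBYjUWTQKAI = "<part2>"
    oUCbzPVliID = "<part3>"
    Shell@ znTPdbX + mBYjUWTQKAI + oUCbzPVliID, UbJHpY
End Sub
'''

# VBA's documented window-style constants for Shell.
WINDOW_STYLES = {0: 'vbHide', 1: 'vbNormalFocus', 2: 'vbMinimizedFocus',
                 3: 'vbMaximizedFocus', 4: 'vbNormalNoFocus', 6: 'vbMinimizedNoFocus'}
NAMED_STYLES = {name: value for value, name in WINDOW_STYLES.items()}

def statements(vba):
    """Non-empty statements with trailing ' comments removed (string-literal aware)."""
    out = []
    for line in vba.splitlines():
        in_str = False
        for i, c in enumerate(line):
            if c == '"':
                in_str = not in_str
            elif c == "'" and not in_str:
                line = line[:i]
                break
        if line.strip():
            out.append(line.strip())
    return out

def constant_assignments(stmts):
    """Map variable -> value for plain `name = <integer>` or `name = "string"` statements."""
    consts = {}
    for s in stmts:
        m = re.match(r'^([A-Za-z_]\w*)\s*=\s*(-?\d+|"[^"]*")$', s)
        if m:
            v = m.group(2)
            consts[m.group(1)] = v[1:-1] if v.startswith('"') else int(v)
    return consts

def dead_variables(stmts):
    """Variables (arrays included) that are declared or assigned but never read."""
    declared = set()
    for s in stmts:
        declared.update(re.findall(r'\bDim\s+([A-Za-z_]\w*)', s))
        m = re.match(r'^([A-Za-z_]\w*)(?:\(\d+\))?\s*=', s)
        if m:
            declared.add(m.group(1))
    dead = []
    for name in declared:
        reads = 0
        for s in stmts:
            if re.match(r'^Dim\b', s):
                continue
            lhs, sep, rhs = s.partition('=')
            # An assignment to the variable itself is not a read; only its right-hand side counts.
            own_assign = sep and re.match(r'^' + re.escape(name) + r'(\(\d+\))?$', lhs.strip())
            reads += len(re.findall(r'\b' + re.escape(name) + r'\b', rhs if own_assign else s))
        if reads == 0:
            dead.append(name)
    return sorted(dead)

def remove_dead_code(stmts):
    """Drop Dim/assignment statements of dead variables until a fixed point is reached,
    so that variables feeding only dead variables are removed as well."""
    removed = []
    while True:
        dead = dead_variables(stmts)
        if not dead:
            return stmts, removed
        pat = re.compile(r'^(?:Dim\s+)?(?:' + '|'.join(map(re.escape, dead)) +
                         r')(?:\(\d+\))?(?:\s+As\s+\w+)?(?:\s*=|$)')
        stmts = [s for s in stmts if not pat.match(s)]
        removed.extend(dead)

def shell_calls(stmts, consts):
    """Locate Shell calls (optional type-suffix character tolerated) and resolve the
    command expression and window style through the collected constants."""
    found = []
    for s in stmts:
        m = re.match(r'^(?:Call\s+)?Shell[@$%&!#]?\s*\(?\s*(.*?)\)?\s*$', s)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).rsplit(',', 1)]
        style_expr = parts[1] if len(parts) == 2 else '2'   # omitted: vbMinimizedFocus
        style = consts.get(style_expr, NAMED_STYLES.get(style_expr, style_expr))
        style = int(style) if re.fullmatch(r'-?\d+', str(style)) else style
        command = ''.join(str(consts.get(p.strip(), p.strip().strip('"')))
                          for p in parts[0].split('+'))
        found.append({'command': command, 'window_style': style,
                      'style_name': WINDOW_STYLES.get(style, str(style)), 'hidden': style == 0})
    return found

def triage(vba):
    stmts, removed = remove_dead_code(statements(vba))
    return stmts, removed, shell_calls(stmts, constant_assignments(stmts))

if __name__ == '__main__':
    kept, removed, calls = triage(SAMPLE_VBA)
    print('dead variables removed:', removed)
    print('\n'.join(kept))
    for call in calls:
        print(call)
```

The fixed-point loop is what makes the decoy block disappear completely: kPzzJ is dead on the first pass, and once its assignments are gone, mMIojQ and QzcsN are no longer read anywhere and are dropped on the second pass, leaving exactly the Shell line and the variables it consumes.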


As for the second macro, we can see still find …