Using Node.js for JavaScript Analysis

I always find a need to check out some JavaScript. Even when I know it's malicious, I still have to know what it is doing, and doing that safely is always a good idea. Recently I found that Node.js works perfectly for this. This post documents how to do it simply and easily.

I don't think this is groundbreaking or new, but I am documenting it because it took me a while to find a good way to do JavaScript analysis.

We start with our sample.

After laughing about the "please use IE/Firefox" message, I decided I don't like big blobs of text. This one is not bad, but there is no real reason not to get into the habit of cleaning up the code.

Let's quickly look at the code and see if we can simplify it without changing the functionality.

So it looks like we can, and this is what it looks like after a quick simplification.

We are now ready to start figuring out what this code does. We know it won't be much because the array is so small. For example, some exploit kits are 17k items strong in the array.

Let's fire up node.

Then, looking at our JavaScript above, we can go ahead and set up some variables. I simplified the naming because I like simple.

Once I had the variables set up, I went into the main loop, which turns the array into a usable string in JavaScript. The script then calls "e", which was eval and is now console.log, so the decoded string is printed instead of executed.

We can now see that there is more useless code around the vars, because they are never used. This simple email attachment would have redirected to the Blackhole exploit kit.
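
The workflow described above, as an added example that is not the post's own code and not the original sample: the array `a`, the `+7` encoding in `KEY`, and the `example.invalid` URL are all constructed assumptions, since the real sample's decode arithmetic is not shown here. It keeps the decode loop, swaps `eval` for a sink that only records the string, and pulls out any URLs from the decoded layer.

```javascript
'use strict';

// Constructed, harmless payload standing in for a real sample.
// Assumption: each array item is a character code shifted by KEY.
const KEY = 7;
const payload = "document.location='http://example.invalid/landing';";
const a = Array.from(payload, (c) => c.charCodeAt(0) + KEY);

// Replacement for eval: records the decoded string, never executes it.
const captured = [];
const e = (code) => { captured.push(String(code)); };

// The sample's main loop with simplified names: numbers -> string.
function decode(arr, key) {
  let s = '';
  for (let i = 0; i < arr.length; i++) {
    s += String.fromCharCode(arr[i] - key);
  }
  return s;
}

// Pull URLs out of a decoded layer so they can be blocked or hunted for.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"<>)]+/g) || [];
}

function analyze(arr, key) {
  e(decode(arr, key)); // the original script would have called eval here
  const layer = captured[captured.length - 1];
  return { layer, urls: extractUrls(layer) };
}

const result = analyze(a, KEY);
console.log(result.layer);
console.log(result.urls);
```

If the printed layer is itself another array-and-loop stage, the same steps apply again to that output.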

Reposted from blog.csdn.net/danhuang2012/article/details/8841688