I was told that a suspicious-looking email appeared in one's inbox and upon clicking the link it downloaded a ZIP archive with only a single .js file in it.

The code was obfuscated, but I managed to work out what it actually does.
Here's a Hastebin link to it.

It looks like this script is trying to use an ActiveXObject which is only available on Internet Explorer, as far as I'm concerned.

So my question is - what was the attacker expecting? I don't think it's common to have a standalone JS shell installed, so I'm guessing that an average user wouldn't even be able to execute it.

P.S. When I accessed the URL in the code through a browser, it displayed a plain cyanish page with some text in it. However, when I downloaded what that URL was pointing to, it turned out to be an executable of some sort (judging by the "This program cannot be run in DOS mode" string at the beginning). If some bright-minded person could shed some light on what that executable could do, I'd be glad to hear it :)

illright
  • Unfortunately, we can't do code reviews for random malware code. – schroeder Oct 11 '17 at 15:20
  • *"I don't think it's common to have a standalone JS shell installed..."* - it is actually common. It's called Windows Scripting Host. And js inside zip (or some other archive formats like 7z) is probably 80% of the malware I get in mails. – Steffen Ullrich Oct 11 '17 at 15:24
  • Possible duplicate of [How is malware distributed within zip files?](https://security.stackexchange.com/questions/118804/), [How does malware downloaded by JavaScript get executed, and why would you distribute malware in a .js file?](https://security.stackexchange.com/questions/130206) and [many more similar questions](https://www.google.com/search?q=zip+javascript+site%3Asecurity.stackexchange.com). – Steffen Ullrich Oct 11 '17 at 15:24
  • Windows runs "js" files. Not the same js files as browsers, but js files nonetheless. – dandavis Oct 11 '17 at 22:01

0 Answers
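The comments above explain the delivery pattern: Windows Script Host, not a browser, executes a mailed .js file, and `ActiveXObject` is the giveaway that a script expects that host rather than a browser. The following is an added defender-side example (my own code, not from the question author or any commenter) that shows how a mail gateway or triage script can flag exactly the attachment described in the question: a ZIP whose only member is a script-host file containing COM-object markers. The extension list, the marker list and the sample file name `invoice_2017.js` are assumptions I chose for the example; the embedded ZIP is constructed in memory and its script body contains only API names, not working downloader logic.

```python
import io
import zipfile

# Extensions that Windows Script Host (wscript.exe / cscript.exe) or mshta.exe
# execute on double-click. Assumed list for this example; adjust to local policy.
SCRIPT_HOST_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Static markers a WSH-hosted script needs to reach the network or the disk.
# None of them exist in browser JavaScript, so their presence in a mailed .js
# file is a strong signal on its own. Assumed list for this example.
SUSPICIOUS_MARKERS = {
    "ActiveXObject": "instantiates COM objects (WSH only, never browsers)",
    "WScript.Shell": "can launch processes",
    "MSXML2.XMLHTTP": "HTTP client used to fetch a second stage",
    "ADODB.Stream": "writes downloaded bytes to disk",
    "Scripting.FileSystemObject": "filesystem access",
}


def scan_zip_attachment(zip_bytes: bytes) -> dict:
    """Report which members of a ZIP attachment WSH would execute, which
    suspicious markers they contain, and an overall verdict."""
    report = {"members": [], "script_members": [], "markers": {}, "verdict": "clean"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        report["verdict"] = "not-a-zip"
        return report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            report["members"].append(name)
            # Windows dispatches on the last extension, so a name like
            # "invoice.pdf.js" is still handed to the script host.
            if not name.lower().endswith(SCRIPT_HOST_EXTENSIONS):
                continue
            report["script_members"].append(name)
            text = archive.read(name).decode("utf-8", errors="replace")
            report["markers"][name] = sorted(m for m in SUSPICIOUS_MARKERS if m in text)
    if report["script_members"]:
        report["verdict"] = "block"
        # The exact shape from the question: an archive whose only member is a script.
        if len(report["members"]) == 1:
            report["verdict"] = "block-lone-script"
    return report


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the question: a ZIP whose only member is a
    .js file. The body holds only the API names a scanner looks for."""
    js_body = (
        "// constructed sample for the scanner, not real malware\n"
        'var sh = new ActiveXObject("WScript.Shell");\n'
        'var http = new ActiveXObject("MSXML2.XMLHTTP");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2017.js", js_body)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_zip_attachment(build_sample_zip())
    print(result["verdict"], result["script_members"], result["markers"])
```

Run stand-alone, the script reports `block-lone-script` for the constructed attachment. The check deliberately keys on the extension first and the content second: the extension alone is enough to block, because Windows will hand any of those file types to the script host regardless of what the file contains, while the marker scan gives the analyst a quick indication of what the script is equipped to do (download, write to disk, spawn a process) before opening it in a sandbox.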