More And More Obfuscation Being Used In The Malicious Scripts
As can be seen, Malzilla was unable to analyze the code automatically.
It was clear that this code would require manual analysis. I saw some eval() calls being used in the script at the bottom. I tried replacing eval() with alert(), document.write(), etc. to help with debugging, but I did not get what I was looking for. Now it is time to analyze the code step by step in order to gain a deeper understanding of its logic. First, we break up the script and format the code so that it is readable. Below are the screenshots of part 1 of the script:
Plenty of random variables are defined initially, and then one array is defined as “var sYvxoe19wg=new Array();”. For each variable, the characters are XOR'd with random numbers, and the decoded result is then appended to the array defined earlier.
for (var aRjNtT8j=0;aRjNtT8j
This means the array is complete after XOR'ing 21 variables and appending them to it. The array should then be passed to some function that parses it. Let's open the second part of the script:
Now we are a little closer to decoding this script. We have the final array, and one function is then called with the array as an argument. First, add “alert(sYvxoe19wg)” before the function call to display the final array, then copy it from the message box with Ctrl + C. Here is what it looks like:
Now we have the final array. Copy and paste it into a text file, as it will be required later. A closer analysis of these 3 functions tells us that all of them are used to decode strings such as “eval”, “fromCharCode” and “String.fromCharCode”. Simple array substitution is used to decode these strings: each string is rebuilt by picking entries from the array by index. I have added comments for all these functions in the image below:
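The two decoding stages described above, as an added example that is not code from the analysed script: each chunk is XOR-decoded with its own key and appended to one array (the role sYvxoe19wg plays), and strings such as “eval” are then rebuilt by array substitution. The chunk contents, keys and index lists are constructed for this illustration; nothing recovered is executed.

```javascript
// Added illustration of the decoding pattern described in the write-up.
// Stage 1: per-chunk XOR decode, results appended to one array.
// Stage 2: array substitution rebuilds short strings from that array.

function xorDecode(encoded, key) {
  // encoded: array of numbers, each produced as (charCode ^ key)
  return encoded.map(function (c) { return String.fromCharCode(c ^ key); }).join('');
}

function buildArray(chunks) {
  // chunks: [{ data: [...], key: n }, ...]; mirrors the loop that fills sYvxoe19wg
  var out = [];
  for (var i = 0; i < chunks.length; i++) {
    out.push(xorDecode(chunks[i].data, chunks[i].key));
  }
  return out;
}

function substitute(table, indices) {
  // array substitution: select entries by index and join them into one string
  return indices.map(function (i) { return table[i]; }).join('');
}

// Constructed sample input (hypothetical keys and chunks, not from the real script).
function encode(s, key) { // only used here to build the sample; XOR is symmetric
  var r = [];
  for (var i = 0; i < s.length; i++) r.push(s.charCodeAt(i) ^ key);
  return r;
}
var SAMPLE_CHUNKS = [
  { data: encode('ev', 0x5a), key: 0x5a },
  { data: encode('al', 0x13), key: 0x13 },
  { data: encode('fromChar', 0x77), key: 0x77 },
  { data: encode('Code', 0x21), key: 0x21 },
  { data: encode('String.', 0x04), key: 0x04 }
];

// An analyst recovers the strings the script will later look up; the index lists
// are the constructed equivalent of the hard-coded indices in the three functions.
function recoverStrings() {
  var table = buildArray(SAMPLE_CHUNKS);
  return {
    eval: substitute(table, [0, 1]),
    fromCharCode: substitute(table, [2, 3]),
    stringFromCharCode: substitute(table, [4, 2, 3])
  };
}
```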
This code delivers yet another obfuscated script. Here is the screenshot of the message box:
Copy this script and open up Malzilla, which can now handle the remainder of the decoding.
The above figure shows the malicious script running successfully and requesting another malicious URL, which replies with a single malicious PDF file. We will not go into additional details of the PDF analysis. The downloaded PDF file was again obfuscated and targeted a couple of Adobe PDF vulnerabilities:
1) this.media.newPlayer - CVE-2009-4324
2) util.printf() - CVE-2008-2992
3) Collab.collectEmailInfo() - CVE-2007-5659
4) Collab.getIcon() - CVE-2009-0927