This has been ported over to my GitHub site and is not longer being maintained here. For any issues, comments or updates head here.
I was asked a question a little while ago from a fellow forensicator about deobfuscating some JS that he came across. The JS didn't take long to reverse but I suspect there are others out there that would benefit from a quick post regarding another way to go about this task. While there's jsunpack, js-beautify etc. I chose to run it through Malzilla for this example.
The structure of the JS was noticeably familiar and turns out to be related to an exploit pack; which is a common source of where a lot of the JS you might come across in the DFIR field results from these days. These types of kits make it point-and-click easy to not only distribute malware but also make it uber-easy to obfuscate the code on their pages.
The first thing to do is copy out what’s in between the ‘<script>’ tags and place it in the top box of the ‘Decoder’ Tab within Malzilla - we don't need the other <html> tags etc., we only need the goods. Next step is to get rid of what we don’t necessarily need at this point (shown commented out with ‘//’). This will vary depending on what you're analyzing and may take a bit more knowledge to realize but just remember what your goals are - there will be junk thrown into the mix and since all I care about at this point is to see what gets produced (URL etc.) the top part didn't look relevant for helping me get my question answered :
At this point you have a few options (1) replace the eval() (2) run it through debugging to verify it's working (3) run the script. Everything looks good enough to work so let's just go ahead and choose to run the script:
Note that even though the bottom text displays “Script can’t be compiled” (seen above) … the eval results were still produced. To see the results, click on ‘Show eval() results’ then double click on each of the results (one in this instance) and the results will be displayed in the lower pane – this time showing the produced iframe :
There's generally always more than one way to get the results you require so hopefully this will help some of you next time.