Quick & Dirty Obfuscated JavaScript Analysis

    Published: 2024-11-24. Last Updated: 2024-11-24 09:22:41 UTC
    by Didier Stevens (Version: 1)
    0 comment(s)

    As mentioned in diary entry "Increase In Phishing SVG Attachments", I have a phishing SVG sample with heavily obfuscated JavaScript.

    As I didn't want to spend time doing static analysis, I did a quick dynamic analysis instead. TL;DR: I open the SVG file in a VM disconnected from the Internet, and use Edge's developer tools to view the deobuscated URL.

    First I make sure the VM is disconnected from the network:

    Then I open the SVG file in Edge (Chrome works too):

    I open the developer tools:

    I switch to the Network tab:

    And then I type a dummy password and click on the Download button:

    I can then view the deobfuscated URL:

    And also the payload:

     

     

    Didier Stevens
    Senior handler
    blog.DidierStevens.com

    Keywords:
    0 comment(s)

      Comments

      Login here to join the discussion.


      Diary Archives