# JavaScript Deobfuscation

> Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.

**FOR610 Labs:** 3.6, 3.7

## Steps

### Step 1: Beautification

**Tools:** [[tools/js-beautify|js-beautify]]

Format minified/compressed JavaScript for readability. Look for: `eval()` calls, `document.write()`, `String.fromCharCode()`, `unescape()`, `atob()`.

```bash
js-beautify malicious.js > beautified.js
```

### Step 2: Static Review

**Tools:** [[tools/visual-studio-code|visual-studio-code]]

Identify obfuscation layers. Search for: `eval`/`Function` constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated).

```bash
code filename.js
```

### Step 3: Safe Execution (SpiderMonkey)

**Tools:** [[tools/spidermonkey|spidermonkey]]

Execute the script outside the browser, loading objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f . This captures eval'd code without running it.

```bash
# Load the REMnux API stubs first, then the sample
js -f /usr/share/remnux/objects.js -f malicious.js
```

### Step 4: Environment Tuning

**Tools:** [[tools/visual-studio-code|visual-studio-code]]

If the script expects a specific environment (`location.href`, `navigator.userAgent`), edit objects.js to provide the expected values, then re-run SpiderMonkey.

```bash
code filename.js
```

### Step 5: Alternative Analysis

**Tools:** [[tools/box-js|box-js]], [[tools/jstillery|jstillery]]

box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use these when SpiderMonkey can't handle the obfuscation.

```bash
box-js --output-dir=/tmp suspicious.js
```

### Step 6: Payload Identification

What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, and file paths.

#javascript #deobfuscation #spidermonkey #box-js #web #workflow
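
The static parts of Steps 1, 2 and 6 can be scripted before anything is executed. The following is an added example, not part of the original workflow or any of the listed tools: it counts the call sites Step 1 names, decodes `String.fromCharCode`/`atob`/`unescape` calls whose arguments are literals, and extracts URLs, IPs and file paths. The function names and the sample are constructed for illustration, and Node.js is assumed (it uses `Buffer`).

```javascript
// Added example: static triage for Steps 1, 2 and 6. Run with Node.js.
// Nothing from the sample is executed; only literal arguments are decoded.
const INDICATORS = ['eval', 'Function', 'document.write',
  'String.fromCharCode', 'unescape', 'atob'];

// Count call sites of the functions Step 1 says to look for.
function countIndicators(src) {
  const counts = {};
  for (const name of INDICATORS) {
    const pat = name.replace(/\./g, '\\s*\\.\\s*');
    const re = new RegExp('(?<![\\w$])' + pat + '\\s*\\(', 'g');
    counts[name] = (src.match(re) || []).length;
  }
  return counts;
}

// Decode String.fromCharCode / atob / unescape calls that take literals.
function decodeLiterals(src) {
  const out = [];
  for (const m of src.matchAll(/String\s*\.\s*fromCharCode\s*\(([\s\d,xXa-fA-F]+)\)/g)) {
    const codes = m[1].split(',').map(s => (s.trim() ? Number(s.trim()) : NaN));
    if (codes.every(Number.isInteger)) out.push(String.fromCharCode(...codes));
  }
  for (const m of src.matchAll(/\b(atob|unescape)\s*\(\s*(["'])([^"'\\]*)\2\s*\)/g)) {
    out.push(m[1] === 'atob'
      ? Buffer.from(m[3], 'base64').toString('latin1')
      : unescape(m[3]));
  }
  return out;
}

// Step 6: pull URLs, IPv4 addresses and Windows-style paths out of text.
function extractIndicators(text) {
  const grab = re => [...new Set(text.match(re) || [])];
  return {
    urls: grab(/\bhttps?:\/\/[^\s"'<>)\\]+/gi),
    ips: grab(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g),
    paths: grab(/(?:[A-Za-z]:\\|%[A-Za-z]+%\\)[^\s"'<>|*?]+/g),
  };
}

function triage(src) {
  const decoded = decodeLiterals(src);
  return { calls: countIndicators(src), decoded,
    iocs: extractIndicators([src, ...decoded].join('\n')) };
}

// Constructed sample (documentation-range address and .test domain).
const SAMPLE = [
  'var a = String.fromCharCode(104,116,116,112,58,47,47,49,57,50,46,48,46,50,46,49,48,47,112,46,101,120,101);',
  'var b = atob("aHR0cDovL2V4YW1wbGUudGVzdC9hLmpz");',
  'var c = unescape("%25TEMP%25%5Cp.exe");',
  'eval(payload);',
].join('\n');
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Strings assembled at runtime (concatenation, arithmetic on char codes, nested layers) are not resolved by this pass; those still need Steps 3 to 5.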