irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
master
docker_file_analysis/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md
T
tobias e62a14dafc Add markdown wiki with 473 pages and zk browser 
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00

1.8 KiB
Raw Permalink Blame History

JavaScript Deobfuscation

Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.

FOR610 Labs: 3.6, 3.7

Steps

Step 1: Beautification

Tools: tools/js-beautify

Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob().

js-beautify malicious.js > beautified.js

Step 2: Static Review

Tools: tools/visual-studio-code

Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated).

code filename.js

Step 3: Safe Execution (SpiderMonkey)

Tools: tools/spidermonkey

Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f <script.js>. Captures eval'd code without running it.

js -f malicious.js

Step 4: Environment Tuning

Tools: tools/visual-studio-code

If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey.

code filename.js

Step 5: Alternative Analysis

Tools: tools/box-js, tools/jstillery

box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation.

box-js --output-dir=/tmp suspicious.js

Step 6: Payload Identification

What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths.

#javascript #deobfuscation #spidermonkey #box-js #web #workflow

Reference in New Issue View Git Blame Copy Permalink