docker_file_analysis/data/generated/workflows/javascript-deobfuscation-workflow.txt

============================================================
  JavaScript Deobfuscation
============================================================

  Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.

  Related FOR610 Labs: 3.6, 3.7

────────────────────────────────────────────────────────────

  Step 1: Beautification
  Tools: js-beautify
  Format minified/compressed JavaScript for readability.
  Look for: eval() calls, document.write(),
  String.fromCharCode(), unescape(), atob().

    $ js-beautify malicious.js > beautified.js

  Step 2: Static Review
  Tools: visual-studio-code
  Identify obfuscation layers. Search for: eval/Function
  constructor (code execution), long encoded strings,
  variable name patterns (single chars = likely
  obfuscated).

    $ code filename.js

  Step 3: Safe Execution (SpiderMonkey)
  Tools: spidermonkey
  Execute outside browser with objects.js to simulate
  browser/WScript APIs. Command: js -f
  /usr/share/remnux/objects.js -f <script.js>. Captures
  eval'd code without running it.

    $ js -f malicious.js

  Step 4: Environment Tuning
  Tools: visual-studio-code
  If script expects specific environment (location.href,
  navigator.userAgent): edit objects.js to provide
  expected values. Re-run SpiderMonkey.

    $ code filename.js

  Step 5: Alternative Analysis
  Tools: box-js, jstillery
  box-js: Node.js sandbox with WScript emulation.
  JStillery: AST-based deobfuscation. Use when
  SpiderMonkey can't handle the obfuscation.

    $ box-js --output-dir=/tmp suspicious.js

  Step 6: Payload Identification
  What does the deobfuscated JS do? Common patterns:
  download & execute (dropper), redirect to exploit kit,
  credential harvesting. Extract all URLs, IPs, file
  paths.

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser