2019-08-23 WSHRat JavaScript de-obfuscation

Special thanks to one of my colleagues and @nazywam on Twitter, who helped me with this. The Twitter thread about this can be found here. To obtain the JavaScript file, see the Any.Run link here.

The other day (2019-08-20), while looking at caught emails in the SPAM folder, I came across this malspam that was referencing a request for quote (ala: RFQ). The email had an attachment that was Gzipped. Unzipping it, I saw there was a nicely obfuscated JavaScript file. Opening it up and looking through it, there was some clear text code that follows after a…
