Stupidly, I clicked on an email attachment with an htlm extension to see what the scam was. I think I was expecting it to open in a text editor, but it ran. (Dumb, dumb, dumb!) Anyway, I've paid my dues by restoring over a terabyte of backup onto two disks. My question is, can someone far more expert than I am in javascript interpret what the embedded script does, in general terms. (Not what the embedded malware does.) Before anyone panics, I've cut some 600,000 characters out of the text variable so it isn't a danger. (I've also changed the extension from html to txt.)

I think the text var in the script is a representation of the contents of a zip file, and the script changes the text to an actual file and saves it. I'm bit unclear whether the script also tries to run the zipped file. I'd like to remove any lingering doubts as to anything bad that might have happened before I unplugged the ethernet cable. I never saw any evidence of a file being unzipped, or indeed of the zip file itself.

Any information on what the script was doing would be most welcome. Thanks!

It doesn't look like you've attached the file. Please attach it as a .txt file. (Other file formats might be rejected by our system).

better yet, copy/paste the code into a code block.
I for one (and hopefully everyone) won't open attachments...

Jwenting,

If he attaches a txt file, our system will automatically display its contents inline in a safe way :)

OK, it looks like it doesn't like my attachment, even though it was a .txt file. The message that says it's not happy with the file only appears when I hover, and I thought the big "X" over my attachment was in case I wanted to delete it. Sorry. Here it is as an in-line block.

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Document download</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>

<div>
    <h1>Download completed</h1>
    <p>The document was successfully downloaded.</p>
</div>


<script type="text/javascript">
var text = "UEsDBBQAAgAIAF2GyFQJ3tgE/mMHAAAAIAAcAH0AU2Nhbm5lZERvY3VtZW50c185NzIwNDgxLmltZ1NEaACsAAAAAAgAr2fodWNkYGkRYWBgMGCAAB8gZmQFM1lFgURJc2zB6aOeMt9j77K+ZMYtx8jEwMDEkMDAApIVkGD4zyjPABIDqVUAEgogtoAIRJwRIi4EVbuSQQhFrSJU7X5GYbhabiABAFVUDQAHQamgYj+qoGJBqaBi7NsLfBTlvfDx2d1JsoTFBLkLyKoLCrFKiMoloAsJEShiJOEO2mjCnYST7AKtIIlLTpmMUezFeo62r1TxaFt9qW1PqfXUkOVqUSlaiKZeCtVOXC95BSEQJO//mZ0NAeqxrb14jr8vn+wzO5dnnueZZ57/M7OqaQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQBs3fuzQTBftAADAF8mUgqlDhxH/AQD4Qink+R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgE/j0txauXx++fxml7/ 645469 bytes deleted/   UEsBAh4AFAACAAgAXYbIVAne2AT+YwcAAAAgABwAEQAAAAAAAAAgAAAAAAAAAFNjYW5uZWREb2N1bWVudHNfOTcyMDQ4MS5pbWdTRAQArAAAAFVUBQAHQamgYlBLBQYAAAAAAQABAFsAAAC1ZAcAAAA=";

function b64toBlob (b64Data, contentType, sliceSize) {
  var byteArrays = [];
  var byteCharacters = atob(b64Data);

  for (var offset = 0; offset < byteCharacters.length; offset += sliceSize) {
    var slice = byteCharacters.slice(offset, offset + sliceSize);

    var byteNumbers = new Array(slice.length);
    for (var i = 0; i < slice.length; i++) {
      byteNumbers[i] = slice.charCodeAt(i);
    }

    var byteArray = new Uint8Array(byteNumbers);
    byteArrays.push(byteArray);
  }

  var blob = new Blob(byteArrays, {type: contentType});
  return blob;
}

var blob = b64toBlob(text,'application/zip', 512);
if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, "ScannedDocuments_9720481.zip");
} else {
    var url = URL.createObjectURL(blob);
    var a = document.createElement("a");
    a.href = url;
    a.download = "ScannedDocuments_9720481.zip";
    document.body.appendChild(a);
    a.click();
    setTimeout(function() {
        document.body.removeChild(a);
        window.URL.revokeObjectURL(url);
    },0);
}



</script>   

</body>
</html>

Also I tried the hybrid analysis site, and if I understood the results correctly, it said it was malicious, but didn't say what it would do, what actions I might have observed, which is what I'm primarily concerned with. For instance, if it tried to open a zip file, the default for me would be win-zip and I would have seen it open, which I did not.

Robert. Thank you. I'm not sure that it did anything. That's why I was asking for help in interpreting the javascript. I don't expect anyone to interpret the 600K file, which is probably an executable anyway, but I'd love to know if the javascript actually tried to "execute" the file it appears to be creating or if it just was hoping I would unzip it. I never saw anything besides the "Download completed" message. I never saw any sign of a zip file being unzipped. (I disconnected my PC from my network almost immediately and after a few days bit the bullet and restored my entire system from a backup prior to the incident. Possibly a bit over the top, but it let me get on with life.) My question here was intended to remove any last doubts.

Do you think the javascript would have actuated the malicious code, or just created it?

What little I could decode was it would create a PDF but that's as far as I got. It could do more but I don't have the 600K file and it's not work I do. I leave such to places like online scanners and r/Malware.

commented: Thanks for the additional info. I appreciate it. +2

In JavaScript, the this keyword refers to an object. Which object depends on how this is being invoked (used or called). The this keyword refers to different objects depending on how it is used: In an object method, this refers to the object.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.