Malicious JavaScript snippet

I got this snippet in an html file attached to a phishing email.

d=document;a=[0x78,0x63,0x74,0x33,0x7f, etc...];for(i=0;i<a.length;i++){a[i]-=2;}

I’ve reformatted and annotated it for readability.

// hide the redirect as ASCII byte values
a = [0x78,0x63,0x74,0x33, etc...];

// "decrypt" our malicious code
// maybe this is good enough to defeat filters looking for encoded redirects?
for (i = 0; i < a.length; i++) {
    a[i] -= 2;
}

// detect if we're in a real browser
try {
    // throws an exception because you can't increment a DOM node
    document.body++;
} catch (e) {
    // running in a real browser
    notInBrowser = 0;
}

try {
    // this throws an exception if we didn't throw an exception above
    // (notInBrowser was never assigned, so reading it is a ReferenceError)
    notInBrowser &= 2;
} catch (e) {
    notInBrowser = 1;
}

// if we are in a browser, do the redirect
// remember 0 == false and 1 == true
if (!notInBrowser) {
    // eval the decoded bytes
}

The decrypted code fed to the eval:

if(var1==var2) {document.location="http://[redacted]:8080/forum/links/column.php";}

I’m not sure what was at the URL. It was probably a phishing page or a browser exploit. If anyone can explain why they used a second try-catch instead of an if-statement, let me know.
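Here is an added example of how I'd decode this kind of attachment without running it. It is not code from the email or from the original post: it pulls the hex array and the "-=2" constant out of the snippet text with regular expressions, reverses the adjustment, and lists any URLs in the result. If the constant isn't visible (a variant that obfuscates the loop as well), it brute-forces small offsets and keeps whichever output looks most like JavaScript. The SAMPLE_SNIPPET is constructed here from a placeholder URL (example.invalid), not the real redirect.

```python
"""Static decoder for the "subtract N from each byte" obfuscation described above.

Added example, not the post's code. It never executes the attachment's JavaScript.
"""
import re
import string

# Constructed sample: same shape as the attachment in the post, built here by
# adding 2 to each character of a placeholder payload (example.invalid is NOT
# the real host).
PLAINTEXT = ('if(var1==var2){document.location='
             '"http://example.invalid:8080/forum/links/column.php";}')
SAMPLE_SNIPPET = (
    "d=document;a=["
    + ",".join(hex(ord(c) + 2) for c in PLAINTEXT)
    + "];for(i=0;i<a.length;i++){a[i]-=2;}"
)

# array literal made of hex numbers, e.g. [0x78,0x63,0x74]
HEX_ARRAY_RE = re.compile(r"\[\s*(0x[0-9a-fA-F]+(?:\s*,\s*0x[0-9a-fA-F]+)*)\s*\]")
# decode-loop body such as a[i]-=2 or a[i]+=5
ADJUST_RE = re.compile(r"\w+\[\w+\]\s*([-+])=\s*(\d+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# substrings whose presence suggests a decode attempt produced real JavaScript
JS_MARKERS = ("document", "location", "window", "eval", "http", "function")


def extract_array(snippet):
    """Return the hex array literal in the snippet as a list of ints."""
    m = HEX_ARRAY_RE.search(snippet)
    if not m:
        raise ValueError("no hex array literal found")
    return [int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]+", m.group(1))]


def extract_offset(snippet):
    """Return the per-element adjustment made by the decode loop, or None."""
    m = ADJUST_RE.search(snippet)
    if not m:
        return None
    sign, amount = m.groups()
    return -int(amount) if sign == "-" else int(amount)


def decode(values, offset):
    """Apply the loop's adjustment to every element and render it as text."""
    return "".join(chr((v + offset) & 0xFF) for v in values)


def score(text):
    """Plausibility of a decode attempt: marker hits first, printable ratio second."""
    printable = sum(1 for c in text if c in string.printable) / max(len(text), 1)
    hits = sum(text.count(marker) for marker in JS_MARKERS)
    return (hits, printable)


def brute_force_offset(values, limit=32):
    """Try every offset in [-limit, limit] and return the best-scoring one."""
    return max(range(-limit, limit + 1), key=lambda off: score(decode(values, off)))


def extract_urls(text):
    """List URLs present in decoded text (what the analyst usually wants first)."""
    return URL_RE.findall(text)


def analyze(snippet):
    """Decode a snippet of this family and report offset, plaintext and URLs."""
    values = extract_array(snippet)
    offset = extract_offset(snippet)
    if offset is None:
        offset = brute_force_offset(values)
    decoded = decode(values, offset)
    return {"offset": offset, "decoded": decoded, "urls": extract_urls(decoded)}


if __name__ == "__main__":
    result = analyze(SAMPLE_SNIPPET)
    print("offset :", result["offset"])
    print("decoded:", result["decoded"])
    print("urls   :", result["urls"])
```

Because the decoding is done on the text of the snippet rather than by evaluating it, the browser-detection try/catch trick never gets a chance to run, which is exactly why a static pass is preferable to pasting samples like this into a JavaScript console.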

This guy has a similar post that explains the document.body++ trick.
