Using logic:Although Malzilla can deal with a lot of scripts in pretty automated way, there is a also a lot of script where you need to do some things manually.
Let's take a look at the following example:
As you can see, this script contains no decoding/deciphering function. All is "almost" in plain form there, but we still see no URL to the malware.
Only interesting thing here is the sequence of Unicode (UCS2) characters. You can see this sequence as a plain text by using Misc Decoders in Malzilla.
Copy/Paste the sequence to the Misc Decoders tab and try Decode UCS2 button.
Well, you see, there is another catch:Tell me whats wrong here?
As we know, the Unicode characters are writen as %u + 4 digits. If you take a closer look at the previous lines, in first line you will see a break after second digit, in second line you will see a break after %u etc.
This will render Decode UCS2 useless, and probably some anti-viruses too.
In latest release (0.9.2.4) of Malzilla you will find Concatenate function on Misc Decoders tab. That function will render the previous code to more usable form.
Concatenate will also do a good job if you have CLSIDs or URLs in variables like in following two examples:
Another example for beginners:
If you run the script, Malzilla will tell you that the script is compiled, but you will see no result.
The data that needs to be deciphered is not a part of the script.
Take a look at regular HTML event onLoad, the data is there.
What you need to do is to copy the script to Decoder, and append to that all that you find between the quotation marks in onLoad event.
As I got a lot of questions why this kind of scripts do not give results, I implemented the Find objects on Downloader tab.
That should find all the possible triggers (function callers) for you.
The file HTML_Obj_list.txt is the definition file for objects.
In Docs folder you will find an example how to write a definition if you need to write one.