A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #21209  by GhostLight
 Mon Oct 21, 2013 8:04 pm
Hi,

The attached javascript came from http : / / 77977db0 (dot) linkbucks (dot) com/
McAfee recognizes this as "Exploit-PDF.rt.gen", which I find unusual for a JavaScript.

Any hints on how to de-obfuscate it would be welcome.
You do not have the required permissions to view the files attached to this post.
 #21211  by Xylitol
 Mon Oct 21, 2013 9:00 pm
https://github.com/einars/js.decrypt.javacrypt should work if it's JavaCrypt, and if not try online services like http://jsunpack.jeek.org http://wepawet.iseclab.org

edit:
ok i used the scratchpad of firefox to decode it after removing JavaCrypt.
It give me a md5 hash at the end: 40badeec8a0ee2cfff89a6e0d933f24d
it's probably a legit stuff used by linkbucks.
You do not have the required permissions to view the files attached to this post.