javascript-obfuscator
Commercial-grade JavaScript obfuscation commonly observed in malware droppers. Characterised by string-array lookup tables, control-flow flattening, dead-code injection, and hex-offset string references.
What It Is
The javascript-obfuscator npm package is a widely used tool for obfuscating JavaScript. Malware authors leverage it to defeat static string extraction and slow down reverse engineering. Key fingerprints include:
- A string-array function (often named `y()` or similar) returning a large array of base64-like strings
- A dispatcher function (e.g. `j(d, N)`) that decodes strings using `charCodeAt`/`fromCharCode` with a custom base64 decoder
- Control-flow flattening via immediately-invoked function expressions (IIFEs)
- Dead code injection with randomised variable names and conditional branches that never execute
Detection / Fingerprint
Look for the following patterns in suspicious JS files, especially those with `.js` extensions and large file sizes (>1 MB):

```javascript
var N=(function(){var hq=j,l={};l[hq(0x2b,'MG9x')]='qDQMg';
// Dispatcher function with hex offsets and salt strings
function j(d,N){d=d-0x0;var h=y();var C=h[d]; ... }
```

Also common: `var _0x1234 = ['string1', 'string2', ...];` style arrays.
Reproduce on your own VMs
- Install: `npm install -g javascript-obfuscator`
- Create a benign JS file (e.g. `payload.js`) with some strings
- Run: `javascript-obfuscator payload.js --output obfuscated.js --string-array true --control-flow-flattening true --dead-code-injection true`
- Compare `obfuscated.js` to known malware samples. The string-array lookup table and dispatcher function will match the fingerprint.
Defensive Countermeasures
- Use file-size heuristics: obfuscated JS droppers are often 1–5 MB due to embedded payloads
- Look for high concentrations of `charCodeAt`, `fromCharCode`, `String.fromCharCode`, and hex offsets
- Sandbox execution with WScript/CScript monitoring to catch embedded PowerShell or ActiveX calls
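The fingerprints listed under Detection / Fingerprint and the concentration heuristic above can be combined into a small static triage scorer. This is an added example, not code from this page or from the javascript-obfuscator project; the two JS samples are constructed to mimic the patterns, and the pattern names, the threshold and the `fingerprint`/`is_obfuscated` functions are assumptions of this example.

```python
import re

# Constructed sample modelled on the page's fingerprints; not a real malware file.
OBFUSCATED_SAMPLE = r"""
var _0x4f2a=['aGVsbG8=','d29ybGQ=','cG93ZXJzaGVsbA==','V1NjcmlwdC5TaGVsbA=='];
function y(){return _0x4f2a;}
function j(d,N){d=d-0x0;var h=y();var C=h[d];var s='';for(var i=0;i<C.length;i++){s+=String.fromCharCode(C.charCodeAt(i));}return s;}
var N=(function(){var hq=j,l={};l[hq(0x2b,'MG9x')]='qDQMg';l[hq(0x1c,'Z9kd')]=hq(0x0a,'Qw2e');return l;}());
"""

# Constructed benign control sample.
BENIGN_SAMPLE = r"""
function greet(name) { return 'Hello, ' + name + '!'; }
document.getElementById('out').textContent = greet('world');
"""

# One regex per fingerprint described on the page (names are my own).
PATTERNS = {
    # randomised identifiers such as _0x1234
    "hex_identifiers": re.compile(r"\b_0x[0-9a-f]{2,}\b", re.I),
    # bare hex offsets such as 0x2b used as array indices
    "hex_offsets": re.compile(r"\b0x[0-9a-f]+\b", re.I),
    "charcode_calls": re.compile(r"\b(?:charCodeAt|fromCharCode)\b"),
    # dispatcher prologue: function j(d,N){d=d-0x0; ...
    "dispatcher": re.compile(
        r"function\s+\w+\s*\(\s*\w+\s*,\s*\w+\s*\)\s*\{\s*\w+\s*=\s*\w+\s*-\s*0x[0-9a-f]+", re.I),
    # salted lookup call: hq(0x2b,'MG9x')
    "salted_lookups": re.compile(r"\b\w+\(\s*0x[0-9a-f]+\s*,\s*'[^']*'\s*\)", re.I),
    # string-array literal with four or more quoted entries
    "string_array": re.compile(r"\[\s*(?:'[^']*'\s*,\s*){3,}'[^']*'\s*\]"),
}

def fingerprint(src):
    """Count how often each fingerprint occurs in a JS source string."""
    return {name: len(rx.findall(src)) for name, rx in PATTERNS.items()}

def is_obfuscated(src, min_hits=3):
    """Flag a file when at least min_hits distinct fingerprints are present.
    The threshold is a starting point for triage, not a tuned value."""
    counts = fingerprint(src)
    return sum(1 for c in counts.values() if c > 0) >= min_hits

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, fingerprint(sample), "-> flagged" if is_obfuscated(sample) else "-> clean")
```

Run it over a directory of `.js` files alongside the file-size heuristic above; the regexes are deliberately loose, so treat hits as triage signals to prioritise sandboxing rather than as verdicts.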
Pages where observed
- spamita — `Invio proforma.js` (SHA-256 129ef925...) ^[report.md]