
Showing posts from March, 2020

fiddling with obfuscated javascript

Most malware authors automate the obfuscation of their JavaScript downloaders, making analysis difficult. Luckily, you rarely need to completely deobfuscate the JavaScript to progress with your analysis. If you can identify the primary function used to handle obfuscated strings, you can then use a few quick tricks to obtain interesting data from the JavaScript file without having to run it.

Identifying the deobfuscation function at a glance: most of the deobfuscation functions I see contain a lot of string and character manipulation functions and methods. Some to look for include parseInt(), toString(), substr(), String.fromCharCode(), charCodeAt() and UCHAR().

More info on common JavaScript obfuscation methods and the functions utilized can be found here: https://github.com/bl4de/research/blob/master/javascript-malware-obfuscation/Simple_JavaScript_malware_code_obfuscation_examples.md#basic-obfuscation-methods---expressions-comma-operator-parseint-and-tostring-method

Here is an exampl