Impact
- Accelerated review of heavily layered JavaScript samples.
- Reduced manual effort for recurring obfuscation patterns through deterministic transforms.
- Improved visibility from opaque code structure to analyst-relevant behavior.
Deliverables
- AST-driven deobfuscation pipeline with repeated transform passes.
- Behavior tagging for suspicious APIs, dynamic evaluation, and network actions.
- Investigation-ready outputs for downstream detection work.
Problem
Obfuscated JavaScript used in phishing kits, skimmers, and malware loaders often hides malicious behavior behind packing layers, string encodings, and runtime-generated execution paths.
Approach
- Parse JavaScript into AST form and apply repeated transforms to simplify encodings, control flow tricks, and dead code layers.
- Trace suspicious API usage, network behavior, credential handling, and dynamic evaluation patterns.
- Produce a deobfuscated output package alongside behavior summaries and notable indicators for researcher review.
Architecture / Workflow
- Intake worker fingerprints the source and determines likely obfuscation families.
- Transform engine applies deterministic passes to decode strings, unwrap arrays, and simplify control structures.
- Behavior layer tags suspicious execution nodes and exports findings for downstream detection work.
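The following is an added example, not code from the project described on this page: a small, self-contained version of the transform-and-tag pipeline outlined in the Approach and Architecture sections above. It assumes an ESTree-shaped AST (the node shape @babel/parser or acorn would produce) but builds the obfuscated sample by hand so it runs under Node.js with no dependencies; the transform rules, the `refName` resolver, the tag tables and the sample `_0x1f` string array are all illustrative constructions for this example rather than the project's own.

```javascript
// Added example (not the project's code): transform passes run to a fixpoint over an ESTree-shaped AST, then behavior tagging.
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const mem = (object, property, computed = true) => ({ type: "MemberExpression", object, property, computed });
const call = (callee, args) => ({ type: "CallExpression", callee, arguments: args });
const bin = (left, right) => ({ type: "BinaryExpression", operator: "+", left, right });
const stmt = (expression) => ({ type: "ExpressionStatement", expression });
// Constructed obfuscated sample in the node shape @babel/parser or acorn would produce, hand-built so no parser is needed:
//   var _0x1f = ["ZXZhbA==", "coo", "kie", "fetch"];   // "ZXZhbA==" is base64 for "eval"
//   window[atob(_0x1f[0])]("pay" + "load");
//   document[_0x1f[1] + _0x1f[2]];
//   window[_0x1f[3]]("https://example.invalid/c");
function sampleAst() {
  const arr = (i) => mem(id("_0x1f"), lit(i));
  return { type: "Program", body: [
    { type: "VariableDeclaration", kind: "var", declarations: [{ type: "VariableDeclarator", id: id("_0x1f"),
      init: { type: "ArrayExpression", elements: ["ZXZhbA==", "coo", "kie", "fetch"].map(lit) } }] },
    stmt(call(mem(id("window"), call(id("atob"), [arr(0)])), [bin(lit("pay"), lit("load"))])),
    stmt(mem(id("document"), bin(arr(1), arr(2)))),
    stmt(call(mem(id("window"), arr(3)), [lit("https://example.invalid/c")])),
  ] };
}
// Post-order walk: children are rewritten before the parent, so one sweep already chains lookup -> decode -> member.
function walk(node, fn) {
  if (Array.isArray(node)) return node.map((n) => walk(n, fn));
  if (!node || typeof node !== "object") return node;
  for (const k of Object.keys(node)) if (k !== "type") node[k] = walk(node[k], fn);
  return fn(node);
}
const isStr = (n) => !!n && n.type === "Literal" && typeof n.value === "string";
// Top-level `var x = ["..", ".."]` declarations whose elements are all string literals.
function collectStringArrays(ast) {
  const arrays = new Map();
  for (const s of ast.body) if (s.type === "VariableDeclaration") for (const d of s.declarations)
    if (d.init && d.init.type === "ArrayExpression" && d.init.elements.every(isStr)) arrays.set(d.id.name, d.init.elements.map((e) => e.value));
  return arrays;
}

// The deterministic transforms, applied to one node after its children have been simplified.
function simplify(n, arrays) {
  // 1. string-array lookup with a constant index: _0x1f[2] -> "kie"
  if (n.type === "MemberExpression" && n.computed && n.object.type === "Identifier" && arrays.has(n.object.name) && Number.isInteger(n.property.value)) {
    const v = arrays.get(n.object.name)[n.property.value]; if (v !== undefined) return lit(v);
  }
  // 2. constant folding of split strings: "pay" + "load" -> "payload"
  if (n.type === "BinaryExpression" && n.operator === "+" && isStr(n.left) && isStr(n.right)) return lit(n.left.value + n.right.value);
  // 3. atob("...") on a literal is decoded at analysis time (Node's Buffer stands in for the browser's atob)
  if (n.type === "CallExpression" && n.callee.type === "Identifier" && n.callee.name === "atob" && n.arguments.length === 1 && isStr(n.arguments[0]))
    return lit(Buffer.from(n.arguments[0].value, "base64").toString("latin1"));
  // 4. obj["name"] -> obj.name when the key is a valid identifier
  if (n.type === "MemberExpression" && n.computed && isStr(n.property) && /^[A-Za-z_$][\w$]*$/.test(n.property.value)) return mem(n.object, id(n.property.value), false);
  return n;
}
// Repeat sweeps until the tree stops changing, then drop string arrays that nothing references any more.
function deobfuscate(ast) {
  let passes = 0, before;
  do {
    before = JSON.stringify(ast);
    const arrays = collectStringArrays(ast);
    ast = walk(ast, (n) => simplify(n, arrays)); passes++;
  } while (JSON.stringify(ast) !== before);
  const refs = new Map(); // identifier -> occurrence count; the declarator's own id counts once
  walk(ast, (n) => { if (n.type === "Identifier") refs.set(n.name, (refs.get(n.name) || 0) + 1); return n; });
  const arrays = collectStringArrays(ast);
  ast.body = ast.body.filter((s) => !(s.type === "VariableDeclaration" && s.declarations.every((d) => arrays.has(d.id.name) && refs.get(d.id.name) === 1)));
  return { ast, passes };
}
// Behavior tagging over statically resolvable references (a leading `window.` is dropped). The tables are illustrative.
const SUSPICIOUS_CALLS = new Map(Object.entries({ eval: "dynamic-eval", Function: "dynamic-eval", atob: "string-decoding", fetch: "network", XMLHttpRequest: "network", "navigator.sendBeacon": "network" }));
const SUSPICIOUS_MEMBERS = new Map(Object.entries({ "document.cookie": "credential-access", "localStorage.getItem": "storage-access" }));
function refName(n) {
  if (n.type === "Identifier") return n.name;
  const base = n.type === "MemberExpression" && !n.computed && n.property.type === "Identifier" ? refName(n.object) : null;
  return base === null ? null : base === "window" ? n.property.name : base + "." + n.property.name;
}
function tagBehavior(ast) {
  const findings = [];
  walk(ast, (n) => {
    const tag = n.type === "CallExpression" ? SUSPICIOUS_CALLS.get(refName(n.callee)) : n.type === "MemberExpression" ? SUSPICIOUS_MEMBERS.get(refName(n)) : undefined;
    if (tag) findings.push({ tag, code: gen(n) });
    return n;
  });
  return findings;
}

// Minimal code generator for the node subset used here (a real pipeline would use @babel/generator).
function gen(n) {
  switch (n.type) {
    case "Program": return n.body.map(gen).join("\n"); case "ExpressionStatement": return gen(n.expression) + ";";
    case "VariableDeclaration": return n.kind + " " + n.declarations.map((d) => gen(d.id) + (d.init ? " = " + gen(d.init) : "")).join(", ") + ";";
    case "ArrayExpression": return "[" + n.elements.map(gen).join(", ") + "]";
    case "Identifier": return n.name; case "Literal": return JSON.stringify(n.value);
    case "BinaryExpression": return gen(n.left) + " " + n.operator + " " + gen(n.right);
    case "MemberExpression": return gen(n.object) + (n.computed ? "[" + gen(n.property) + "]" : "." + gen(n.property));
    case "CallExpression": return gen(n.callee) + "(" + n.arguments.map(gen).join(", ") + ")";
    default: throw new Error("gen: unsupported node " + n.type);
  }
}
const result = deobfuscate(sampleAst());
console.log(`converged after ${result.passes} sweeps:\n${gen(result.ast)}`, tagBehavior(result.ast));
```

Run it with `node`. Two things the example makes visible. First, sweeps repeat until the serialized tree stops changing, so no single pass has to anticipate what another will expose; the sample converges after the second sweep, at which point the now-unreferenced `_0x1f` array is dropped as dead code. Second, `tagBehavior` run on the raw sample only sees the `atob` call, because every other reference is computed at runtime, whereas on the simplified tree it reports `window.eval`, `document.cookie` and `window.fetch`; that gap is the practical reason for integrating tagging with transformation rather than bolting it on afterwards. A production pipeline would parse with @babel/parser, traverse with @babel/traverse (which adds scope-aware renaming and proper dead-code elimination) and print with @babel/generator in place of the hand-rolled walker and generator used here.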
Tools and Technologies Used
Node.js, Babel, AST tooling, Python, Docker
Results / Impact
- Accelerated analysis of heavily layered JavaScript samples.
- Reduced manual deobfuscation effort for repeated obfuscation techniques.
- Enabled clearer mapping between code structure and malicious intent.
Key Technical Takeaways
- AST-based transforms are more defensible than regex-heavy cleanup.
- Deobfuscation quality improves when behavior tagging is integrated early.
- Some families still require analyst-guided execution tracing.