explainx.ainewsletter3.4k
deobfuscating-javascript-malware

deobfuscating-javascript-malware

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/deobfuscating-javascript-malware
0 commentsdiscussion
summary

Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic. Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated dropper investigation.

skill.md
name
deobfuscating-javascript-malware
description
'Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic. Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated dropper investigation. '
domain
cybersecurity
subdomain
malware-analysis
tags
- malware - JavaScript - deobfuscation - web-malware - script-analysis
version
1.0.0
author
mahipal
license
Apache-2.0
nist_csf
- DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01

Deobfuscating JavaScript Malware

When to Use

  • Investigating a phishing page with obfuscated JavaScript that performs credential harvesting or redirect
  • Analyzing a web skimmer (Magecart-style) injected into an e-commerce site
  • Deobfuscating a JavaScript dropper that downloads and executes second-stage malware
  • Examining malicious email attachments containing HTML files with embedded obfuscated scripts
  • Analyzing browser exploit kits that use heavy JavaScript obfuscation to hide exploit delivery

Do not use for obfuscated JavaScript that is merely minified production code; use a standard beautifier instead.

Prerequisites

  • Node.js 18+ installed for executing and debugging JavaScript in a controlled environment
  • Python 3.8+ with jsbeautifier library for code formatting
  • Browser developer tools (Chrome DevTools) for controlled execution in an isolated browser
  • CyberChef (https://gchq.github.io/CyberChef/) for encoding/decoding operations
  • de4js or JStillery for automated JavaScript deobfuscation
  • Isolated analysis VM with no access to production systems or sensitive data

Workflow

Step 1: Safely Extract and Examine the Obfuscated Script

Isolate the malicious JavaScript without executing it:

# Extract JavaScript from HTML file
python3 << 'PYEOF'
from html.parser import HTMLParser

class ScriptExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.current = ""

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.current = ""

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            if self.current.strip():
                self.scripts.append(self.current)

    def handle_data(self, data):
        if self.in_script:
            self.current += data

with open("malicious_page.html") as f:
    parser = ScriptExtractor()
    parser.feed(f.read())

for i, script in enumerate(parser.scripts):
    with open(f"script_{i}.js", "w") as f:
        f.write(script)
    print(f"Extracted script_{i}.js ({len(script)} bytes)")
PYEOF

# Beautify the extracted JavaScript
npx js-beautify script_0.js -o script_0_pretty.js

Step 2: Identify Obfuscation Techniques

Categorize the obfuscation methods used:

Common JavaScript Obfuscation Techniques:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
String Encoding:
  - Hex encoding:          "\x68\x65\x6c\x6c\x6f" -> "hello"
  - Unicode escapes:       "\u0068\u0065\u006c\u006c\u006f" -> "hello"
  - Base64:                atob("aGVsbG8=") -> "hello"
  - charCodeAt/fromCharCode: String.fromCharCode(104,101,108,108,111)
  - Array-based lookup:    var _0x1234 = ["hello","world"]; _0x1234[0]

Eval Chains:
  - eval(atob("..."))
  - eval(unescape("..."))
  - new Function("return " + decoded)()
  - document.write("<script>" + decoded + "</script>")
  - setTimeout(decoded, 0)

Control Flow:
  - Switch-case dispatcher with shuffled case order
  - Opaque predicates (always-true/false conditions)
  - Dead code insertion
  - Variable name mangling (_0x4a3b, _0xab12)

Anti-Analysis:
  - Debugger traps: setInterval(function(){debugger;}, 100)
  - Console detection: overriding console.log
  - Timing checks: performance.now() deltas
  - DevTools detection: window.outerWidth - window.innerWidth > 100

Step 3: Remove Anti-Analysis Protections

Neutralize anti-debugging and anti-analysis traps:

// Remove debugger traps before analysis
// Replace in the obfuscated script:

// Before:
setInterval(function() { debugger; }, 100);

// After (neutralized):
setInterval(function() { /* debugger removed */ }, 100);

// Neutralize DevTools detection
// Before:
if (window.outerWidth - window.innerWidth > 160) { window.location = "about:blank"; }

// After:
if (false) { window.location = "about:blank"; }

// Neutralize timing checks
// Override performance.now to return consistent values
const originalNow = performance.now;
performance.now = function() { return 0; };

Step 4: Decode String Obfuscation Layers

Progressively decode encoded strings:

# Python script to decode common JS obfuscation patterns
import re
import base64
import urllib.parse

def decode_hex_strings(code):
    """Replace \\xNN sequences with ASCII characters"""
    def hex_replace(match):
        hex_str = match.group(0)
        try:
            return bytes.fromhex(hex_str.replace("\\x", "")).decode("ascii")
        except:
            return hex_str
    return re.sub(r'(?:\\x[0-9a-fA-F]{2})+', hex_replace, code)

def decode_unicode_escapes(code):
    """Replace \\uNNNN sequences with characters"""
    def unicode_replace(match):
        return chr(int(match.group(1), 16))
    return re.sub(r'\\u([0-9a-fA-F]{4})', unicode_replace, code)

def decode_charcode_arrays(code):
    """Resolve String.fromCharCode calls"""
    def charcode_replace(match):
        codes = [int(c.strip()) for c in match.group(1).split(",")]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return re.sub(r'String\.fromCharCode\(([0-9,\s]+)\)', charcode_replace, code)

def decode_base64_strings(code):
    """Resolve atob() calls with static strings"""
    def atob_replace(match):
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-8")
            return f'"{decoded}"'
        except:
            return match.group(0)
    return re.sub(r'atob\(["\']([A-Za-z0-9+/=]+)["\']\)', atob_replace, code)

# Apply all decoders
with open("script_0.js") as f:
    code = f.read()

code = decode_hex_strings(code)
code = decode_unicode_escapes(code)
code = decode_charcode_arrays(code)
code = decode_base64_strings(code)

with open("script_0_decoded.js", "w") as f:
    f.write(code)
print("Decoded strings written to script_0_decoded.js")

Step 5: Resolve Eval Chains Safely

Unwrap eval/Function constructor chains without executing:

// Node.js script to safely resolve eval chains
// Run in isolated environment: node --experimental-vm-modules deobfuscate.js

const vm = require('vm');

// Create sandboxed context with logging
const sandbox = {
    eval: function(code) {
        console.log("=== EVAL INTERCEPTED ===");
        console.log(code.substring(0, 500));
        console.log("========================");
        return code; // Return the code instead of executing it
    },
    document: {
        write: function(html) {
            console.log("=== DOCUMENT.WRITE INTERCEPTED ===");
            console.log(html.substring(0, 500));
        },
        getElementById: function() { return { innerHTML: "" }; }
    },
    window: { location: { href: "" } },
    atob: function(s) { return Buffer.from(s, 'base64').toString(); },
    unescape: unescape,
    setTimeout: function(fn) { if (typeof fn === 'string') console.log("TIMEOUT CODE:", fn); },
    console: console,
    String: String,
    Array: Array,
    parseInt: parseInt,
    RegExp: RegExp,
};

const context = vm.createContext(sandbox);

// Load and execute the obfuscated script in sandbox
const fs = require('fs');
const code = fs.readFileSync('script_0.js', 'utf8');

try {
    vm.runInContext(code, context, { timeout: 5000 });
} catch(e) {
    console.log("Execution error (expected):", e.message);
}

Step 6: Analyze the Deobfuscated Payload

Examine the revealed malicious logic:

Deobfuscated Malware Categories and IOC Extraction:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Credential Harvester:
  - Form action URLs (exfiltration endpoints)
  - XMLHttpRequest/fetch destinations
  - Targeted input field names (username, password, cc_number)

Web Skimmer (Magecart):
  - Payment form overlay injection
  - Card data exfiltration URLs
  - Keylogger event listeners (onkeypress, oninput)

Redirect Script:
  - Destination URLs in location.href assignments
  - Conditional redirects based on user-agent or referrer
  - Cloaking logic (show benign content to bots)

Exploit Kit Landing:
  - Browser/plugin version checks
  - Exploit payload URLs
  - Shellcode embedded as arrays or encoded strings

Key Concepts

TermDefinition
Eval ChainNested layers of eval(), Function(), or document.write() calls that each decode one layer of obfuscation before passing to the next
String Array RotationObfuscation technique storing all strings in a shuffled array and accessing them by computed index to hide string literals
Dead Code InsertionAdding non-functional code blocks that never execute to increase analysis complexity and confuse pattern matching
Opaque PredicateConditional expression whose outcome is predetermined but difficult to determine statically; used to obscure control flow
Anti-DebuggingJavaScript techniques to detect and thwart browser DevTools or debugger usage including debugger statements and timing checks
Web SkimmerMalicious JavaScript injected into e-commerce sites to steal payment card data from checkout forms (Magecart attack)

Tools & Systems

  • CyberChef: GCHQ's web-based tool for encoding/decoding transformations useful for unwinding multi-layer obfuscation
  • de4js: Online JavaScript deobfuscator supporting common obfuscation tools (obfuscator.io, JScrambler)
  • Node.js VM Module: Sandboxed JavaScript execution environment for safely evaluating obfuscated code with intercepted APIs
  • Chrome DevTools: Browser developer tools for stepping through JavaScript execution with breakpoints and console access
  • JSDetox: JavaScript malware analysis tool providing execution emulation and deobfuscation

Common Scenarios

Scenario: Deobfuscating a Magecart Web Skimmer

Context: A compromised e-commerce site has obfuscated JavaScript injected into its checkout page. The script needs deobfuscation to identify the data exfiltration endpoint and determine what customer data was stolen.

Approach:

  1. Extract the injected script from the page source (often appended to a legitimate JS file or loaded from an external domain)
  2. Beautify the code and identify the obfuscation technique (typically string array + rotation + hex encoding)
  3. Decode string encoding layers (hex -> Unicode -> base64) using the Python decoder script
  4. Resolve the string array by evaluating the array definition and rotation function
  5. Identify the form targeting logic (querySelector for payment form fields)
  6. Extract the exfiltration URL from the XMLHttpRequest or fetch call
  7. Document stolen data fields and exfiltration endpoint for incident response

Pitfalls:

  • Executing obfuscated scripts on a connected system (the script may phone home during analysis)
  • Not removing anti-debugging traps before using browser DevTools (infinite debugger loops)
  • Missing additional obfuscation layers loaded dynamically from external URLs
  • Overlooking base64-encoded inline images or data URIs that may contain additional scripts

Output Format

JAVASCRIPT MALWARE DEOBFUSCATION REPORT
=========================================
Source:           checkout.js (injected into example-shop.com)
Obfuscation:      obfuscator.io (string array + rotation + hex encoding)
Layers Removed:   3

OBFUSCATION TECHNIQUES IDENTIFIED
[1] String array with 247 entries, rotated by 0x1a3
[2] Hex-encoded string references (\x68\x65\x6c\x6c\x6f)
[3] Base64-wrapped eval chain (2 layers)
[4] Anti-debugging: setInterval debugger trap

DEOBFUSCATED FUNCTIONALITY
Type:             Magecart Payment Card Skimmer
Target Forms:     input[name*="card"], input[name*="cc_"]
Data Captured:    Card number, expiration, CVV, cardholder name
Exfil Method:     POST via XMLHttpRequest
Exfil URL:        hxxps://analytics-cdn[.]com/collect
Exfil Format:     JSON { "cn": card_number, "exp": expiry, "cv": cvv }
Trigger:          Form submit event on checkout page

EXTRACTED IOCs
Domains:          analytics-cdn[.]com
IPs:              185.220.101[.]42
URLs:             hxxps://analytics-cdn[.]com/collect
                  hxxps://analytics-cdn[.]com/gate.js
how to use deobfuscating-javascript-malware

How to use deobfuscating-javascript-malware on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add deobfuscating-javascript-malware
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/deobfuscating-javascript-malware

The skills CLI fetches deobfuscating-javascript-malware from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/deobfuscating-javascript-malware

Reload or restart Cursor to activate deobfuscating-javascript-malware. Access the skill through slash commands (e.g., /deobfuscating-javascript-malware) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.632 reviews
  • Soo Bhatia· Dec 28, 2024

    I recommend deobfuscating-javascript-malware for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Xiao Nasser· Dec 20, 2024

    We added deobfuscating-javascript-malware from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Charlotte Torres· Dec 20, 2024

    Useful defaults in deobfuscating-javascript-malware — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Pratham Ware· Dec 16, 2024

    Keeps context tight: deobfuscating-javascript-malware is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Noor Perez· Nov 27, 2024

    Keeps context tight: deobfuscating-javascript-malware is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Sophia Shah· Nov 11, 2024

    deobfuscating-javascript-malware reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Yash Thakker· Nov 7, 2024

    deobfuscating-javascript-malware has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Dhruvi Jain· Oct 26, 2024

    Solid pick for teams standardizing on skills: deobfuscating-javascript-malware is focused, and the summary matches what you get after install.

  • Ishan Bhatia· Oct 18, 2024

    deobfuscating-javascript-malware is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Zara Srinivasan· Oct 2, 2024

    Registry listing for deobfuscating-javascript-malware matched our evaluation — installs cleanly and behaves as described in the markdown.

showing 1-10 of 32

1 / 4