I'm trying to understand what a malicious JS script does. The script is obfuscated, so I cannot read it as is. I know that it creates an ActiveXObject object.
So I decided to declare my own object with this name, which does nothing but output a log. The virus uses the construction:
var x = new ActiveXObject('file_name')
Google Scripts does not allow you to declare your own classes (does it?), so I declare a constructor function for the new AX object. Everything works fine until the virus tries to access the AX object as a function, like:
var AX = new ActiveXObject()
AX()
This returns a type mismatch (Object != Function).
Here is my code: https://script.google.com/d/1IrkYN_Sg0j_uiMD4fAmEPag3HLH07c1fd2t7QOQEphEg38R-t0LAPIAF/edit?usp=sharing
I commented out line 195 to prevent the error.
Run the function doGet to test and view the logs, or just open https://script.google.com/macros/s/AKfycbyiYp4kX07jMwjM6B0fynfMrqQwX1ykJHfy8wFpX6Op/dev

function x() { return x; } you call (new x())() or even (new x())()()()()()() or (new (new x())). Maybe it was used to confuse the reader; not sure if there is another case, and I know nothing about how ActiveX behaves. - jcubic

function foo() {
  var bar = function(x) { console.log(x); };
  bar.baz = 10;
  bar.quux = function() { return this.baz; };
  return bar;
}
and call it like this
var x = new foo(); x('hello'); x.quux()
- jcubic

The new operator makes no difference and the resulting code will act the same with or without it, because we don't use this in the constructor. But of course we can create an object in this and return it in an inner function.
function foo() { this.y = 10; return () => this; }
var x = new foo();
console.log(x() instanceof foo);
- jcubic
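
A recording stand-in along the lines discussed in the question and comments above, as an added example that is not part of the original posts: it wraps a function in an ES2015 Proxy so the fake object can be constructed, called, and have members read or written, logging each step. The names makeStub, calls and runConstructedSample are hypothetical, and it assumes a runtime with Proxy support such as Node.js.

```javascript
// Added example: a recording stand-in that is both constructible and callable.
// makeStub, calls and runConstructedSample are hypothetical names.
const calls = []; // every expression the script evaluated against the stub, in order

// Function arguments (including other stubs) are shown as <fn> without touching them.
const fmt = (args) =>
  args.map((a) => (typeof a === 'function' ? '<fn>' : JSON.stringify(a))).join(', ');

function makeStub(path) {
  const record = (expr) => { calls.push(expr); return makeStub(expr); };
  // A Proxy is callable/constructible only if its target is, so wrap a function.
  // Strict function: no own non-configurable caller/arguments properties.
  const target = function () { 'use strict'; };
  return new Proxy(target, {
    construct: (_t, args) => record(`new ${path}(${fmt(args)})`),
    apply: (_t, _thisArg, args) => record(`${path}(${fmt(args)})`),
    get(_t, prop) {
      if (prop === Symbol.toPrimitive) return () => `<${path}>`; // string concatenation
      if (typeof prop === 'symbol') return undefined;
      return record(`${path}.${prop}`);
    },
    set(_t, prop, value) {
      calls.push(`${path}.${String(prop)} = ${fmt([value])}`);
      return true;
    },
  });
}

// Constructed sample: the two patterns from the question plus a method call
// and a property write (someMethod and someProp are made-up member names).
function runConstructedSample() {
  calls.length = 0;
  const ActiveXObject = makeStub('ActiveXObject');
  var x = new ActiveXObject('file_name');
  var AX = new ActiveXObject();
  AX();                 // no Object != Function mismatch: the stub is callable
  x.someMethod(1, 'a');
  x.someProp = 5;
  return calls.slice();
}

console.log(runConstructedSample().join('\n'));
```

Each log entry is the expression that was evaluated, so chained accesses show up as a readable trace of what the script asked the object to do.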