Obfuscated JS Malware Delivers Formbook

Picture this: you unzip a shady RAR from a phishing email, and boom — a 10MB JavaScript monster rewires your PC for credential theft. Formbook's back, sneakier than ever.

10MB JS Time Bomb: How Phishing RARs Unleash Hidden Formbook — theAIcatchup

Key Takeaways

  • Massive 10MB obfuscated JS uses AsmDB for low-level power, evading most AVs.
  • Multi-stage payload: JS persistence → PowerShell AES decrypt/evasion → .NET DLL in MSBuild → Formbook stealer.
  • Unique evolution: JS as full attack platform, predicting more browser-like malware surges.

Your inbox pings. Harmless-looking attachment. Unzip it, and suddenly Formbook — that notorious infostealer — has a foothold on your machine, slurping credentials like a vampire at a blood bank.

That’s the nightmare this obfuscated JavaScript delivers. Not some abstract code demo. Real people clicking phishing bait, losing passwords, bank details, crypto keys.

Look.

This beast, named cbmjlzan.JS, clocks in at 10MB — massive for JS — and only 15 AVs flag it on VirusTotal. Why? It’s packing AsmDB, that GitHub lib turning JS into a low-level powerhouse, like strapping rocket boosters to a skateboard.

And here’s the kicker — my unique take: attackers aren’t just hiding code anymore. They’re treating JavaScript like an operating system platform, mirroring how AI devs layer massive libs into models. Expect this trend: JS as the new malware canvas, evolving faster than defenses.

Why Does Obfuscated JavaScript Slip Past Your Antivirus?

Scroll through the deobfuscated bits, and it’s Windows ActiveX all the way: ActiveXObject for FileSystemObject, XMLDOM, ADODB.Stream. Crafty.

It reverses its own filename with FDAWE (split, reverse, join), then copies itself to C:\Users\Public\Libraries\ and sets a scheduled task that runs it every 15 minutes. Persistence locked in.

    // Reverse a string: the sample's name-mangling helper
    function FDAWE(x) { return x.split('').reverse().join(''); }
    // Ask Windows Script Host for the script's own file name
    var scriptName = WScript['ScriptName'];
    // ThreeChars() is defined elsewhere in the sample, not in this excerpt
    var urlName = ThreeChars(scriptName) + '.url';
    // Staging paths under the world-writable Public profile
    var publicUrl = 'C:\\Users\\Public\\' + urlName;
    var copiedScript = 'C:\\Users\\Public\\Libraries\\' + scriptName;

That’s straight from the sample. Simple, yet it blends in.
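The traits just described (the split/reverse/join name trick, the ActiveX progids, the C:\Users\Public staging path, the WScript self-reference and the sheer file size) are exactly what a triage script can look for before anyone runs the file. The following Python is an added example, not code from the SANS ISC diary, this article or the sample: the script text it scans is constructed here to imitate those idioms, and the 1 MiB size threshold is an assumption to tune for your environment.

```python
"""Static triage of a JScript attachment.  Added example: not from the SANS ISC
diary, this article or the malware sample.  Flags the idioms the article
describes so an analyst can prioritise a .js file before anyone runs it."""
import re

# Constructed stand-in for the attachment: a few lines imitating the quoted
# idioms, padded with filler.  Not the real cbmjlzan.JS.
SAMPLE_JS = r"""
function FDAWE(x) { return x.split('').reverse().join(''); }
var scriptName = WScript['ScriptName'];
var fso = new ActiveXObject('Scripting.FileSystemObject');
var stream = new ActiveXObject('ADODB.Stream');
var xml = new ActiveXObject('Microsoft.XMLDOM');
var copiedScript = 'C:\\Users\\Public\\Libraries\\' + scriptName;
""" + "/* filler standing in for megabytes of obfuscation */\n" * 200

# Constructed benign script for comparison.
BENIGN_JS = "document.getElementById('total').textContent = items.length;\n"

# Assumed threshold: standalone scripts are rarely near 1 MiB; tune to your estate.
OVERSIZED_BYTES = 1 * 1024 * 1024

INDICATORS = {
    # x.split('').reverse().join('') -- the FDAWE name-reversal idiom
    "string_reversal": re.compile(
        r"\.split\(\s*(['\"])\1\s*\)\s*\.reverse\(\)\s*\.join\(\s*(['\"])\2\s*\)"),
    # Windows Script Host COM objects used for file, stream and XML handling
    "activex_filesystem": re.compile(
        r"ActiveXObject\(\s*['\"]Scripting\.FileSystemObject['\"]", re.I),
    "activex_adodb_stream": re.compile(
        r"ActiveXObject\(\s*['\"]ADODB\.Stream['\"]", re.I),
    "activex_xmldom": re.compile(
        r"ActiveXObject\(\s*['\"](?:Microsoft\.XMLDOM|MSXML2\.DOMDocument)", re.I),
    # the script asking WSH for its own file name
    "wscript_self_reference": re.compile(
        r"WScript\s*(?:\.ScriptName|\[\s*['\"]ScriptName['\"]\s*\])"),
    # world-writable staging directory used for the copy (single or doubled backslashes)
    "public_staging_path": re.compile(r"C:\\\\?Users\\\\?Public", re.I),
}


def triage_js(source: str, size_bytes: int) -> dict:
    """Return one boolean per indicator for the given script text and size."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["oversized"] = size_bytes >= OVERSIZED_BYTES
    # "UTF tricks": a high share of non-ASCII characters in code is unusual
    non_ascii = sum(1 for ch in source if ord(ch) > 127)
    hits["non_ascii_heavy"] = bool(source) and non_ascii / len(source) > 0.05
    return hits


def verdict(hits: dict) -> str:
    """Map the indicator count to a handling decision."""
    score = sum(hits.values())
    if score >= 4:
        return "block"
    if score >= 2:
        return "review"
    return "low"


if __name__ == "__main__":
    for label, src, size in (("sample", SAMPLE_JS, 10 * 1024 * 1024),
                             ("benign", BENIGN_JS, len(BENIGN_JS))):
        hits = triage_js(src, size)
        print(label, verdict(hits), [k for k, v in hits.items() if v])
```

Run it on the real attachment's text and on-disk size rather than the constructed sample; the indicator set is deliberately small and readable so it can be extended with whatever your own deobfuscation turns up.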

Three fake PNGs drop: Brio.png, Orio.png, Xrio.png. Not images. PowerShell bait.

Powershell.exe fires up with a base64-encoded command that decrypts Xrio.png using AES with a hardcoded key and IV. CBC mode, PKCS7 padding. Pro stuff.

The decrypted payload? Evasion classics: patches EtwEventWrite() to dodge logging, neuters AmsiScanBuffer() so antimalware scans come up empty. Been seeing this in wild malware for years.

But wait — it doesn’t stop. Orio.png unpacks a .NET DLL (SHA256: 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b). Injected into MSBuild.exe — legitimate process, total stealth.
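That PowerShell stage is what a responder usually meets first in process telemetry: a long -Enc blob on a command line. The Python below is an added example, not code from the diary, this article or the sample. It pulls the encoded command out of a command line, decodes the base64/UTF-16LE text, and flags the loader traits described above: AES-CBC with PKCS7 padding and hardcoded key and IV, the AmsiScanBuffer and EtwEventWrite names, a .png read as raw bytes, and MSBuild.exe. The loader text it decodes is constructed here as a stand-in that only names those settings; the key and IV are placeholders.

```python
"""Triage of a PowerShell -EncodedCommand.  Added example: not from the diary,
the article or the sample.  Decodes the base64/UTF-16LE payload and flags the
loader traits the article describes: AES-CBC/PKCS7 with hardcoded key and IV,
AMSI and ETW tampering targets, an 'image' read as bytes, and MSBuild staging."""
import base64
import binascii
import re

# Constructed stand-in for the loader.  Key/IV values are placeholders; the
# lines only name the APIs and settings and do not implement anything.
CONSTRUCTED_LOADER = r"""
$key = [Convert]::FromBase64String('<PLACEHOLDER_KEY_B64>')
$iv  = [Convert]::FromBase64String('<PLACEHOLDER_IV_B64>')
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$blob = [IO.File]::ReadAllBytes('C:\Users\Public\Xrio.png')
$patchTargets = @('AmsiScanBuffer', 'EtwEventWrite')
$hostProcess = 'MSBuild.exe'
"""

# powershell.exe expects UTF-16LE text, base64-encoded, after -e/-ec/-enc/-EncodedCommand.
ENCODED = base64.b64encode(CONSTRUCTED_LOADER.encode("utf-16-le")).decode("ascii")
CONSTRUCTED_CMDLINE = f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"

# Any unambiguous prefix of -EncodedCommand is accepted, so match them all.
ENC_SWITCH = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

MARKERS = {
    "aes_cbc": re.compile(r"CipherMode\]::CBC", re.I),
    "pkcs7_padding": re.compile(r"PaddingMode\]::PKCS7", re.I),
    "hardcoded_key_material": re.compile(
        r"\$(?:key|iv)\s*=\s*\[Convert\]::FromBase64String", re.I),
    "amsi_tamper_target": re.compile(r"AmsiScanBuffer|amsi\.dll", re.I),
    "etw_tamper_target": re.compile(r"EtwEventWrite", re.I),
    "fake_image_payload": re.compile(r"\.png['\"]\)", re.I),
    "msbuild_lolbin": re.compile(r"MSBuild\.exe", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script text, or None if there is no encoded command."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_encoded_powershell(cmdline: str):
    """Decode and score a process command line; None when nothing is encoded."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    result = {name: bool(rx.search(script)) for name, rx in MARKERS.items()}
    result["score"] = sum(1 for v in result.values() if v)
    result["decoded"] = script
    return result


if __name__ == "__main__":
    report = triage_encoded_powershell(CONSTRUCTED_CMDLINE)
    print("score:", report["score"])
    print("flags:", [k for k, v in report.items() if v is True])
```

Feed it the command line from a process-creation event (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled); a non-zero score on a powershell.exe child of wscript.exe is the point at which the chain described above becomes visible.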

How Does This PowerShell Loader Actually Work?

That DLL? Grabs Brio.png, extracts the real prize: Formbook (SHA256: fdcfbb67d7e996e606963ac96a4a1b14e7070e1e88d210b2f567e3d40541b7b7).

Formbook’s no newbie. Infostealer extraordinaire — grabs browser creds, screenshots, clipboard, even crypto wallets. Sells harvested data on underground markets.

The chain's genius is in its layers. JS for initial drop and persistence (low detection). PowerShell for decryption and evasion (scripting king on Windows). DLL loader into MSBuild (living off the land). Final Formbook payload.

Each step sheds suspicion. AVs choke on the 10MB obfuscation fog, UTF tricks, AsmDB bloat.
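Because each stage looks ordinary on its own, the defensive angle is to correlate them by process tree rather than judge any single event. The Python below is an added example, not code from the diary, this article or the sample: it runs one rule per stage described above (script host launched from a temp directory, scheduled task re-running a script host from C:\Users\Public, encoded PowerShell whose parent is a script host, MSBuild.exe spawned by PowerShell) over a constructed, simplified process-creation log and reports any tree in which several stages line up. The log lines, pids, task name and temp path are all made up for the example.

```python
"""Correlating the dropper chain in process-creation telemetry.  Added example:
not from the diary, the article or the sample.  Each stage the article lists
gets a rule; alerts are grouped by the process tree they belong to, so the
chain stands out even when every stage alone looks like admin noise."""
import re
from collections import defaultdict

# Constructed, simplified process-creation log: time|pid|ppid|image|cmdline.
# Pids, user name, task name and the temp path are made up for the example.
CONSTRUCTED_LOG = r"""
2024-01-01T10:00:01|4100|3000|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\victim\AppData\Local\Temp\Rar$DIa1\cbmjlzan.JS"
2024-01-01T10:00:02|4120|4100|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc minute /mo 15 /tn Libraries /tr "wscript.exe C:\Users\Public\Libraries\cbmjlzan.JS" /f
2024-01-01T10:00:03|4130|4100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc <base64-placeholder>
2024-01-01T10:00:04|4140|4130|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|MSBuild.exe
2024-01-01T10:05:00|5000|2000|C:\Windows\System32\schtasks.exe|schtasks.exe /query /tn Backup
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENC_SWITCH = re.compile(r"\s-e(?:c|n[a-z]*)?\s", re.I)  # -e / -ec / -enc / -EncodedCommand


def parse(log_text: str) -> list:
    """Split the pipe-delimited log into records keyed on image basename."""
    records = []
    for line in log_text.strip().splitlines():
        ts, pid, ppid, image, cmd = line.split("|", 4)
        records.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                        "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd})
    return records


def stage_alerts(rec: dict, by_pid: dict) -> list:
    """Return the names of every stage rule this single record satisfies."""
    parent = by_pid.get(rec["ppid"])
    parent_image = parent["image"] if parent else ""
    image, cmd = rec["image"], rec["cmd"]
    alerts = []
    # Stage 1: a script host running a .js/.jse straight out of a temp directory
    if image in SCRIPT_HOSTS and re.search(r"\\temp\\.*\.jse?\b", cmd, re.I):
        alerts.append("script_host_from_temp")
    # Stage 1b: a scheduled task whose action re-runs a script host or anything under Public
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r"wscript|cscript|\\users\\public\\", cmd, re.I):
        alerts.append("scheduled_task_persistence")
    # Stage 2: encoded PowerShell whose parent is a script host
    if image == "powershell.exe" and ENC_SWITCH.search(cmd) and parent_image in SCRIPT_HOSTS:
        alerts.append("encoded_powershell_from_script_host")
    # Stage 3: MSBuild.exe started by PowerShell instead of a build tool or IDE
    if image == "msbuild.exe" and parent_image == "powershell.exe":
        alerts.append("msbuild_spawned_by_powershell")
    return alerts


def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links to the oldest ancestor present in this log."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect_chain(log_text: str, min_stages: int = 3) -> dict:
    """Return {root_pid: [stage names]} for trees showing at least min_stages stages."""
    records = parse(log_text)
    by_pid = {r["pid"]: r for r in records}
    stages = defaultdict(set)
    for rec in records:
        for alert in stage_alerts(rec, by_pid):
            stages[root_of(rec["pid"], by_pid)].add(alert)
    return {root: sorted(s) for root, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for root, chain in detect_chain(CONSTRUCTED_LOG).items():
        print(f"process tree rooted at pid {root}: {' -> '.join(chain)}")
```

The unrelated schtasks /query at the end never fires a rule, and a lone encoded PowerShell from an admin console has no script-host parent, so neither adds noise; requiring three stages in one tree is what turns four weak signals into one confident detection.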

Here’s the thing — companies hype “AI-powered detection,” but this laughs it off. Patch one evasion? Attackers swap in another. Like whack-a-mole on steroids.

And AsmDB? That's the wildcard. Lets JS poke CPU instructions directly — assembly in a browser-friendly wrapper. Attackers building full exploits without leaving the JS sandbox. Wild.

What Happens Once Formbook’s Running on Your PC?

It phones home. Exfils data over HTTP/HTTPS to C2 servers. Custom encryption, of course.

Your everyday user? Emails compromised, logins swiped, identity theft incoming. Businesses? Employee machines become breach vectors — lateral movement to servers.

I’ve seen Formbook campaigns spike before. This feels like v2.0: heavier obfuscation, smarter loaders. Prediction: RAR phishing with JS bombs will flood inboxes this quarter, especially targeting finance bros and remote workers.

Defenses? Update everything. Enable AMSI/ETW logging. Block RARs in email gateways (yeah, I know — users whine). Behavioral AV that watches process injection.

But honestly — train people. That “invoice” RAR? Delete.

Short version: don’t click.

This multi-stage dance reminds me of Stuxnet’s air-gapped wizardry — but democratized for script kiddies. Except now it’s email-delivered, no USB needed.

Will This Obfuscated JS Replace Traditional Malware Droppers?

Maybe not replace. Evolve alongside.

JS runs everywhere — Windows Script Host, browsers, even Office macros. Portable poison.

Paired with AsmDB, it’s a platform shift for attackers. Like how React changed web dev — modular, powerful, hard to uproot.

Defenders gotta catch up. Static AV? Dead. Need runtime analysis that groks JS reversing itself.

One punchy fact: this JS evades most AVs. Your freebie scanner? Probably blind.

Frequently Asked Questions

What is Formbook malware?

Formbook’s an infostealer that grabs passwords, cookies, screenshots from browsers and apps, then sells the loot underground.

How to spot obfuscated JavaScript in phishing?

Huge file sizes (10MB+), .JS in RAR/ZIP, weird names like cbmjlzan.JS. Scan with VirusTotal first — but don’t execute.

Does Windows Defender catch this?

Sometimes, post-decryption. But initial JS often slips through. Enable attack surface reduction rules for PowerShell.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.

Originally reported by SANS ISC