I have an obfuscated JavaScript here that I want to analyze, let's take a look. So this obfuscated JavaScript contains expressions like the following one, a list of strings, office-modeled-dialect and then something-informer. Now that something here is a Unicode character code. And that string here, the last string in that list, is also passed on to the e function. Here you can see a call of the e function for this string. Now if we look a bit further here in the script, you can see here the definition of that e function. So the e function does a charAt of the argument it receives. So it returns the first character of the string it receives. So this expression here actually evaluates to the character represented by this hex code 0074. And in JavaScript, when you evaluate a list of elements like this list of strings, that list evaluates to the last element. So this whole expression here is actually an obfuscated way to just represent that character here by that hexadecimal code.

So I'm going to use my translate function to try to deobfuscate this JavaScript. Now the option we are going to use here in my translate function is the regex option. And this regex option allows you to pass a regular expression that will be matched against the file that is passed on to translate. And for every match that it finds, it will call a Python function that we pass it. And this Python function returns a string. And the matched regular expression is replaced by that return string of the function.

So we are looking for a parenthesis. And then we want it to match everything except another parenthesis. And then we are going to match a backslash u, and that is for the Unicode encoded character. So let's already test this simple regular expression on the file. Now in regular expressions a parenthesis and a backslash have a special meaning, and we don't want the special meaning but the literal value, so we need to escape them. And escaping is also done with a backslash.
So before the parenthesis we put a backslash, and also before the backslash another backslash, like this. Then we can pass it the file and then the Python function. And this Python function receives the match object, and then we can do some analysis, some processing with the match object. But here in the first step we are just going to replace this with a character X, like this. So in here you can already see a first result. That first string here, the beginning of that first list of strings, is just replaced with the X character. And then we have the hexadecimal value, informer, quote, and the function e.

So let's continue our regular expression to match the complete list. So here we expect four hexadecimal characters. So a hexadecimal character, that's between 0 and 9 or a and f, and we expect 4 of these. So this matches the hexadecimal value. Then we have another string of letters. So let's match this. A single quote, a dot and a call to the e function, and then closing the list. Now a dot has a special meaning so we need to escape that, and parentheses also, so let's escape them like this. And when we run this, here we can already see that our script is much smaller and each of the lists has been replaced by the character X.

Now of course instead of the character X we want the character that is represented by that hexadecimal function, sorry, hexadecimal expression. So we are going to select that hexadecimal expression so that we can process it further. We are going to put it into a group, and to put a matched expression into a group you just enclose it in parentheses. You don't have to escape the parentheses because we are not matching parentheses, but we are using them to indicate that we want to match a group. So that's what we've done here in our regular expression, and now in our match object we can take the groups and select the first group, like this. And now you can see here that we have each time the hexadecimal code of the character.
Now we don't want that hexadecimal code, we want the actual character. So we need to convert this to a character, and that's with the chr function. Now the chr function expects an integer, not a hexadecimal value, so we are going to convert that hexadecimal value with the int function and a base of 16, from hexadecimal to an integer value, like this. And now you can already see the characters, a t and an i, and this makes up the string this. And here you can read ActiveXObject.

So what is missing here is that each of the characters that we calculated needs to be enclosed in single quotes. So let's do this. The ASCII value for a single quote is 39, so let's call chr and put this before the character and after the character, like this. Okay, and now we have our strings here that can just be concatenated together to easily read what they represent.

I can do that concatenation simply in this case here by replacing that plus with nothing, and for that we can use the stream editor. So I'm going to search for single quote space plus single quote and then replace this with nothing, globally, like this. And here we have our deobfuscated strings: this, the ActiveXObject, and also the URL from where the payload is downloaded by this malicious JavaScript.
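The same steps in plain Python, as an added example that is not from the video: it uses `re.sub` with a callback instead of the speaker's translate tool and stream editor, and it only rewrites text, never running the script. The sample line is constructed, and the exact list syntax (the last string calling `.e()`) is an assumption based on the regular expression described above; it also goes one step further by escaping a decoded quote or backslash so the joined string stays well formed.

```python
import re

# Constructed sample in the style described: each parenthesised list evaluates
# to its last element, and .e() keeps only that string's first character.
SAMPLE = (
    r"var a = ('office', 'modeled', 'dialect', '\u0074informer'.e()) + "
    r"('lamp', '\u0068ouse'.e()) + ('x', '\u0069gloo'.e()) + ('q', '\u0073un'.e());"
)

# \(            literal opening parenthesis of the list
# [^()]*        everything except another parenthesis (the decoy strings)
# \\u(....)     literal backslash-u, then four hex digits captured as group 1
# [A-Za-z]*     the filler letters after the encoded character
# '\.e\(\)\)    closing quote, the call to e, and the end of the list
LIST_RE = re.compile(r"\([^()]*\\u([0-9a-fA-F]{4})[A-Za-z]*'\.e\(\)\)")

# 'x' + 'y'  ->  'xy' : drop quote, optional spaces, plus, optional spaces, quote
JOIN_RE = re.compile(r"'\s*\+\s*'")


def _decode(match):
    """Turn the captured hex code into a quoted one-character JS string."""
    ch = chr(int(match.group(1), 16))   # hex text -> integer -> character
    if ch in "'\\":                     # keep the resulting literal valid
        ch = "\\" + ch
    return chr(39) + ch + chr(39)       # chr(39) is the single quote


def decode_lists(js):
    """Replace every obfuscated list with the character it evaluates to."""
    return LIST_RE.sub(_decode, js)


def deobfuscate(js):
    """Decode the lists, then merge the adjacent one-character strings."""
    return JOIN_RE.sub("", decode_lists(js))


if __name__ == "__main__":
    print(decode_lists(SAMPLE))
    print(deobfuscate(SAMPLE))
```
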