# Analyzing JavaScript in HTML

**1. Analyzing `re_texrjs.html`:**

* **Initial Inspection with Notepad++:**
  * **`atob()` Function:**
    * This is a base64 decoding function.
    * Its decoded output is passed to the `document.write()` function.
    * **`document.write()`** expects HTML, which indicates that the decoded data is another block of HTML.
* **Using CyberChef for Decoding:**
  * **Step 1:** Copy the base64 data from the HTML file.
  * **Step 2:** Use CyberChef to decode the base64 string.
  * **Decoded Output:** Reveals another stage of JavaScript within `<script>` tags.

**2. Analyzing the Decoded JavaScript:**

* **Inspecting with Notepad++:**
  * The JavaScript begins with an `eval()` function.
  * **Key Functions to Look For:**
    * **`document.write()`:** Dynamically writes its string arguments into the HTML document; the argument is expected to be HTML.
    * **`eval()`:** Executes the passed string as JavaScript code; often used by threat actors for executing obfuscated code.
* **Modifying the Code:**
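  * Replace the `eval()` call with an assignment that stores its argument in a new variable, `two_eval`, so the next stage is captured instead of executed.
  * Modify the script to include the HTML tags needed to load it in a browser for debugging.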
  * Save the modified file as `decoded.html`.
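
The decode-and-modify steps from sections 1 and 2, as an added Node.js example that is not part of the original handbook page. The sample HTML is constructed, `decodeAtobLiterals`, `captureEval` and `unwrap` are hypothetical helper names, and the regexes assume the payload is a plain string literal passed to `atob()`.

```javascript
// Added example: static unwrapping of a document.write(atob(...)) sample.
// Nothing from the sample is executed here.

// Constructed stand-in for re_texrjs.html (not the real sample).
const innerStage = '<script>eval("al" + "ert(\'constructed stage\')");</script>';
const sampleHtml =
  '<html><body><script>document.write(atob("' +
  Buffer.from(innerStage, 'latin1').toString('base64') +
  '"));</script></body></html>';

// Step 1: decode every base64 string literal passed to atob().
// atob() yields a binary string, so decode as latin1 to match the browser.
function decodeAtobLiterals(html) {
  const re = /atob\(\s*(["'])([A-Za-z0-9+\/=\s]+)\1\s*\)/g;
  return [...html.matchAll(re)].map((m) =>
    Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('latin1'));
}

// Step 2: turn each eval( call into an assignment so the next stage is
// stored in two_eval (two_eval_2, ... for further calls) instead of run.
// Regex triage only: it does not parse JavaScript, so review the output.
function captureEval(stage) {
  let count = 0;
  const rewritten = stage.replace(/(?<![\w$.])eval\s*\(/g, () => {
    count += 1;
    return 'var two_eval' + (count > 1 ? '_' + count : '') + ' = (';
  });
  return { rewritten, count };
}

// Decode, then rewrite: each result is a candidate body for decoded.html.
function unwrap(html) {
  return decodeAtobLiterals(html).map(captureEval);
}

for (const { rewritten, count } of unwrap(sampleHtml)) {
  console.log(`eval() calls rewritten: ${count}`);
  console.log(rewritten);
}
```

The printed stage is what gets saved as `decoded.html`; a count of zero means the stage hides `eval()` behind another name and needs manual inspection.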

**3. Debugging with Google Chrome:**

* **Loading the Modified HTML File:**
  * Drag and drop `decoded.html` into Chrome.
  * **Expectation:** The code executes, resulting in a string stored in `two_eval`.
* **Using Developer Tools:**
  * Press **F12** to open Developer Tools.
  * Navigate to the **Sources** tab and locate the `decoded.html` file.
  * **Inspect Variable Contents:**
    * Enter the `two_eval` variable name in the Console tab to view its content, revealing more JavaScript code.
* **Behavior Analysis:**
  * The final stage displays a message and redirects to a potentially malicious domain, `thisbadsite.com`.

**4. Debugging JavaScript with Visual Studio Code (VS Code):**

* **Installation Issues:**
  * If issues arise with VS Code on Flare VM, reinstall it using the Chocolatey package manager.
  * **Disable Internet:** Avoid conflicts with loopback addresses during debugging.
* **Setting Up Debugging in VS Code:**
  * Open the HTML sample in VS Code.
  * Add a new line before the JavaScript code to enable breakpoint setting.
  * Set a breakpoint by pressing **F9** or clicking next to the line number.
  * Click the **Debug** icon and select **Run and Debug** using Chrome.
* **Debugging Process:**
  * **Breakpoint Hit:** VS Code opens Chrome and stops at the breakpoint.
  * **Using Step Functions:**
    * **F11 (Step Into):** For functions like `document.write()` or `eval()`.
    * **Shift + F11 (Step Out):** To exit loops or functions.
  * **Final Stage Analysis:** Repeatedly pressing F11 shows the obfuscated text, followed by the final JavaScript stage.

**5. Key Takeaways:**

* **Understanding Functions:**
  * Familiarize yourself with functions like `document.write()` and `eval()` for effective JavaScript analysis.
* **Obfuscation Awareness:**
  * Be cautious of obfuscated JavaScript code, often used by threat actors to hide malicious activity.
* **Tool Utilization:**
  * Use CyberChef for decoding and Notepad++ or VS Code for detailed inspection and debugging.
* **Practical Debugging:**
  * Visual Studio Code offers advanced debugging features, allowing you to control the execution flow and analyze each stage of JavaScript code in detail.

