box-js 1.8.2, sample f3b3a5fc30ecbab403b27dd853ad7f6b
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[error] Couldn't parse with Acorn:
[error] SyntaxError: Unexpected token (1:716)
[error]
[error] This doesn't seem to be a JavaScript/WScript file.
If this is a JSE file (JScript.Encode), compile
decoder.c and run it on the file, like this:
cc decoder.c -o decoder
./decoder f3b3a5fc30ecbab403b27dd853ad7f6b f3b3a5fc30ecbab403b27dd853ad7f6b.js

It was missing a semicolon. After placing it at the end of the declaration:

Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[info] Rewriting typeof calls (use --no-typeof-rewrite to skip)...
[info] Rewriting eval calls (use --no-eval-rewrite to skip)...
[info] Rewriting try/catch statements (use --no-catch-rewrite to skip)...
[info] Rewritten successfully.
/opt/box-js/node_modules/vm2/lib/main.js:213
throw this._internal.Decontextify.value(e);
^
TypeError: "tcapitulation".e is not a function
at vm.js:25:90
at ContextifyScript.Script.runInContext (vm.js:35:29)
at VM.run (/opt/box-js/node_modules/vm2/lib/main.js:207:72)
at Object.<anonymous> (/opt/box-js/analyze.js:370:4)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.runMain (module.js:604:10)
* If the error is about a weird "Unknown ActiveXObject", try --no-kill.
* If the error is about a legitimate "Unknown ActiveXObject", report a bug at https://github.com/CapacitorSet/box-js/issues/ .

Unfortunately, the pasted sample code is broken (trimmed to 64k, with '+' removed). Anyway, it looks like a new Ostap trick, where broken identifiers are generated in a Node.js environment. Try pasting the sample via https://0bin.net/ or just upload it to VirusTotal and send the MD5 hash :) I'll check whether it's the same case.