Wednesday, August 31, 2016

Deobfuscating some more Javascript

Saw this paste with malicious JavaScript. If you strip out all the malicious variable creations (_zds, se, _dd) and the eval statement at the end, and replace them all with console.log() statements, you can get a bit of a better picture. Then if you do the same routine again of replacing bad stuff with console.log statements, you finally get this code

and in it there is a freaky-looking variable that ends up containing the URLs of interest.

var IGv7=[MMo+XQb1+Gd5 + VSv+Hb+Cl+Tj4+VKq+Pg + DSx+Pa + GYy+MEw1+Rj + Pf+NZa2 + Fb9+Fb+Ke+JPy+Ow9 + ORq+Sv+FOl7 + Cn, MMo+Ly5+YOv7 + AYc8+Sq6+So+Af1+Nu + Zz+ZKb + Zn1+Ik+Vy4+PRi5+Ho4+Gy9, VBg+DFu + ZDn + Cl0+Vw+Jc + Fs+Jp + Tu6+Vg7+OZv8 + UTt+Po+Cj3 + Gq8+EDt+Ag+LDc + Qn+St0+HNu + Sk6, MMo+Ly5+Qc7 + Vc9+Zn4 + ALt+Ui4 + BYt+Cc5+ZZq9 + Vm0+Ci5, Wq6 + Ya+Li5 + LJz3+Vg+Je1 + Yu8+ZPg+DFe5+HDm+Su1+Xz + XGx];

when printed out

console.log(IGv7);

["http://jago-computerservice.homepage.t-online.de/poxs17b", "http://www.elba-scaglieri.com/vj021d23", "http://sven-jaenecke.homepage.t-online.de/zvs7h", "http://www.arrotin.net/y263j", "http://bookinghotworld.ws/0b8acb"]
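The same routine can be automated. The sketch below is an added example, not code from the original post or the paste: it runs each layer in a Node vm context with eval replaced by a recorder, feeds the recorded string back in as the next layer, and then reports any variable that ended up holding an array of URLs. The sample script, its variable names and the example.test URLs are constructed for illustration; Node's vm module is not a security boundary, so real samples belong in an isolated analysis VM.

```javascript
// Added example: peel eval layers by recording what eval receives instead of running it.
const vm = require('vm');

// Constructed, harmless sample shaped like the paste: an inner layer joins short
// variables into a URL array; an outer layer rebuilds that source and evals it.
const layer2 =
  'var Aa1="http://",Bb2="exam",Cc3="ple.test",Dd4="/a1b2";' +
  'var Zq1=[Aa1+Bb2+Cc3+Dd4, Aa1+"files."+Bb2+Cc3+"/c3d4"];' +
  'eval("download(Zq1)");';
const half = Math.floor(layer2.length / 2);
const layer1 =
  'var _p1=' + JSON.stringify(layer2.slice(0, half)) + ';' +
  'var _p2=' + JSON.stringify(layer2.slice(half)) + ';' +
  'eval(_p1+_p2);';

// Run a layer with eval swapped for a recorder, then treat the first string it
// tried to eval as the next layer. Stops when nothing more is passed to eval.
function peel(source, maxLayers = 10) {
  const layers = [];
  let current = source;
  while (current !== undefined && layers.length < maxLayers) {
    const captured = [];
    const globals = { eval: (code) => { captured.push(String(code)); } };
    let error = null;
    try {
      vm.runInNewContext(current, globals, { timeout: 1000 });
    } catch (e) {
      error = String(e.message); // e.g. the last layer calls a host API we do not provide
    }
    layers.push({ source: current, globals, error });
    current = captured[0];
  }
  return layers;
}

// Collect every top-level variable that ended up as an array of http(s) strings.
function findUrlArrays(layers) {
  const urls = [];
  for (const { globals } of layers) {
    for (const value of Object.values(globals)) {
      if (Array.isArray(value) && value.length > 0 &&
          value.every((s) => typeof s === 'string' && /^https?:\/\//.test(s))) {
        urls.push(...value);
      }
    }
  }
  return urls;
}

console.log(findUrlArrays(peel(layer1)));
```

The final layer fails with a ReferenceError because download() does not exist in the sandbox; that error is recorded rather than thrown, which is the normal end state when the innermost payload expects a browser or script-host API.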




Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
