A massive `i` tag contains 112 attributes, all identified by integers. In the HTML code they are not in order, but the script re-orders them, concatenates the values into one large string and passes it to a second function, which walks the string two characters at a time:
- if the first character of the current pair is "=", skip to the next pair;
- otherwise decode the pair as a base-23 integer, convert it into a character and append it to the decoded string.
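The decoding scheme described above, reconstructed as an added example so the payload can be recovered for inspection without executing it. This is not the sample's own code: the function names, the padding marker pair, the handling of malformed pairs and the `hello, world` test payload are all constructed for this example, and in a real page the attribute map would come from `element.attributes` rather than a plain object.

```javascript
// Added example: static decoder for the base-23 attribute scheme.
// It only returns the decoded string; it never evaluates it.
const BASE = 23;
const DIGITS = /^[0-9a-m]{2}$/i; // the only valid two-digit base-23 pairs

// Collect the integer-named attributes into one string, ordered by
// their numeric name (the HTML lists them out of order).
function reorderAttributes(attrs) {
  return Object.keys(attrs)
    .filter((k) => /^\d+$/.test(k))
    .map(Number)
    .sort((a, b) => a - b)
    .map((n) => attrs[String(n)])
    .join('');
}

// Walk the blob two characters at a time. A pair whose first character
// is "=" is skipped; every other pair is a base-23 character code.
// Pairs that are not valid base-23 digits are counted, not decoded
// (assumption: the page does not say how the sample treats them).
function decodePairs(blob) {
  let text = '';
  let skipped = 0;
  let malformed = 0;
  for (let i = 0; i + 1 < blob.length; i += 2) {
    const pair = blob.slice(i, i + 2);
    if (pair[0] === '=') { skipped += 1; continue; }
    if (!DIGITS.test(pair)) { malformed += 1; continue; } // parseInt would silently truncate
    text += String.fromCharCode(parseInt(pair, BASE));
  }
  return { text, skipped, malformed };
}

function decodeAttributeBlob(attrs) {
  return decodePairs(reorderAttributes(attrs));
}

// --- Constructed sample data below; the real encoder is unknown. ---

// Two base-23 digits hold char codes 0..528, enough for ASCII/Latin-1.
// Every `padEvery` characters an "=x" padding pair is inserted.
function encodePairs(text, padEvery = 3) {
  let blob = '';
  for (let i = 0; i < text.length; i += 1) {
    const code = text.charCodeAt(i);
    if (code >= BASE * BASE) throw new RangeError('char code does not fit in two base-23 digits');
    blob += code.toString(BASE).padStart(2, '0');
    if ((i + 1) % padEvery === 0) blob += '=x';
  }
  return blob;
}

// Split the encoded blob into 3-character chunks (so pairs straddle
// attribute boundaries) and hand them out under scrambled integer names.
function buildSampleAttributes(text, chunk = 3) {
  const blob = encodePairs(text);
  const attrs = {};
  const count = Math.ceil(blob.length / chunk);
  for (let n = 0; n < count; n += 1) {
    const scrambled = (n * 7) % count; // deterministic out-of-order insertion
    attrs[String(scrambled)] = blob.slice(scrambled * chunk, scrambled * chunk + chunk);
  }
  return attrs;
}

// Stand-alone run: decode the constructed sample and show the counters.
const sample = buildSampleAttributes('hello, world');
console.log(reorderAttributes(sample)); // 4c494g=x4g4j1l=x19544j=x4m4g48=x
console.log(decodeAttributeBlob(sample)); // { text: 'hello, world', skipped: 4, malformed: 0 }
```

The decoder deliberately stops at returning the string: the analyst then reads it, rather than letting it run, which is the whole point of rebuilding the scheme outside the browser. Counting skipped and malformed pairs is a cheap sanity check that the reordering was right, since a wrong order shows up as a burst of malformed pairs.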
Once decoded, the code does the following:
- it detects the OS and browser;
- it searches for a number of Adobe, MS DOMXML and other plugins and gets their versions;
- there is a mention of a PDF file in the code;
- two URLs are mentioned: one was taken down already and was used to download a file called "update_flash_player.exe", suggesting that it may be trying to exploit some Flash vulnerabilities; the other one was still live at the moment of the analysis and was used to serve an executable (Info on VirusTotal). Yesterday at around 6PM EST, the detection rate was 4/44.
Once that object executed, it contacted a forum, then attempted a download from three different sites, which all returned the same executable. My only guess at this time is that the author planned for some redundancy should some of the sites be taken down. The additional download was also submitted to VirusTotal (info). As of yesterday, around the same time, the detection rate was 6/44.
When executed, these additional executables did nothing during the analysis period. They may be dormant or waiting for some condition to be met.
The analysis continues!