Go fitness in an iframe

A while ago I got another piece of obfuscated and suspicious JavaScript code embedded at the bottom of a site somewhere in the internet. There are several similarities between this code and the code of a piece of malicious code I analysed earlier regarding construction style and the usage of JS standard functions. Although this one uses another obfuscation approach and is fully functional. Reason enough to take a closer look!

So let's start with this piece of pretty obviously suspicious code. I found it at the bottom of an index file of the infected site. Copies of this code has been placed on every sub page as well.

Level 1 always starts at the bottom of the mess

We have at least two JS functions. The first sbhq() seems to just return some encoded and/or encrypted content and the second one hbfz() processes it.

A bit more tidy:


Line 2 and 7 defines the two important JS functions. Line 13 defines an array variable s[], an integer variable j and the string literal variable r set with the return value of sbhq() in its unescaped (r=unescape(r)) state.

The usage of unescape() gives us the hint to answer the question of the encoding format. According to the Mozillas JS reference the string is hexadecimal escaped, as the '%' followed by several bytes indicates.

Line 15 to 17 fills s[] with integer values from 0 to 255. And line 19 seems to be the key for some sort of symmetrical encryption.

Line 21 to 27 at the first glance does some modulo calculation on the key k and prepares the result in s[]. From line 32 to 41 the encryption part seems to happen.

The result of all these calculation stuff is feed to hbfc(e), which is defined in line 7.

I'm really to lazy to mess around with this obfuscation approach, so I'll take the shortcut!

Shortcut to level 2

Line 9 and 10 seems to be another funny JS method to write eval(). This indicates a is some sort of JS code. So let us use our browser to sort this obfuscation mess out by changing these lines to a simple alert(a);:


Clipped what this code does: A new html div element will be appended to the document body but out of sight with an iframe sourcing to a site.

According to virustotal.com this site is of course malicious (5/64) but only at a subset of AV vendors.


So the code has basically two layers of obfuscation, a hexadecimal escaping followed by some sort of symmetric encryption. For this it uses a deprecated unescape() JS standard function and a handmade encryption algorithm. To execute the hidden code the author uses eval() another old acquaintance (see A restaurant serves harmless malware code).

The code embeds a third party site in a iframe and lay it over the original one, that is nothing to fancy though.