Heavy Obfuscation Used By Fake Antivirus Websites
The variable “euqbvulz” is passed in the first iteration to the decoding function “ikcmfynlzk()”. The decoded content is then stored in a variable called “wfuaydtmd”. The “wfuaydtmd” variable is again passed to in a second iteration to a second function called “fiyctdv()” with a “document.write()” function call. So the code will go through two iterations of the decoding. Let’s decode this code using Malzilla.
The above script code will load the animated images with message “Initializing virus Protection System…”. Here is the third one:
So, the code displaying the security warnings and messages are obfuscated multiple times by the attacker. You will notice the strings used by the attacker are displayed in warning images mentioned in the first few images. Due to the heavy obfuscation used, the detection rate remains very poor for legitimate antivirus vendors when scanning this HTML file.