Manually De-obfuscating Malicious Content
D() is clearly an interesting function, so we’ll begin there. We can see that it takes two parameters and returns a value. Let’s find the definition of “D()” and look at the code. Here is what function “D()” looks like:
Insert all of the variables that use this function, and read out all the strings it returns. Here is what our new “test.html” file looks like:
I have already added the strings returned by this function in the code comments. The above malicious code points to the malicious website “hxxp://linkbucks-com.37wan.com.tagged-com.BestBlenderPart.ru:8080/wsj.com/wsj.com/ibibo.com/google.com/xvideos.com.php”.
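The same read-out can be done without rendering anything, by running the script body with a logging wrapper around the decoder and an inert sink in place of the page. This is an added example, not code from the original post: the body of D() shown here (hex plus XOR), the helpers enc, sampleBody, traceDecoder, defang and analyze, and the malicious.example URL are all constructed assumptions.

```javascript
// Constructed stand-in for the sample's decoder; the real D() body is not shown here.
// Assumption: D(encoded, key) hex-decodes `encoded` and XORs each byte with `key`.
function D(s, k) {
  let out = "";
  for (let i = 0; i < s.length; i += 2) {
    out += String.fromCharCode(parseInt(s.slice(i, i + 2), 16) ^ k);
  }
  return out;
}

// Helper used only to build the constructed sample input below.
const enc = (p, k) =>
  [...p].map((c) => (c.charCodeAt(0) ^ k).toString(16).padStart(2, "0")).join("");

// Constructed stand-in for the obfuscated script body: it calls D() and
// passes the result to a sink (document.write in a real page).
function sampleBody(D, sink) {
  const tag = D(enc("iframe", 7), 7);
  const url = D(enc("http://malicious.example/landing.php", 7), 7);
  sink("<" + tag + " src=" + url + ">");
}

// Record every decoder call instead of trusting what the script does with it.
function traceDecoder(fn, log) {
  return (...args) => {
    const value = fn(...args);
    log.push({ args, value });
    return value;
  };
}

// Defang decoded strings so URLs in notes and reports are not clickable.
const defang = (t) => t.replace(/http/gi, "hxxp").replace(/\./g, "[.]");

// Run the body with a traced decoder and an inert sink; nothing is rendered.
function analyze() {
  const log = [];
  const sunk = [];
  sampleBody(traceDecoder(D, log), (html) => sunk.push(html));
  return { decoded: log.map((e) => defang(e.value)), sinkCalls: sunk.length };
}

console.log(analyze().decoded);
```

Run it under Node in an isolated analysis VM; the sink only collects the markup the script would have written.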