See: https://www.virustotal.com/nl/url/5bafb5b24c517f3e02c69bd0d356fee906fbd12063550546d778ae88f350ab95/analysis/
IDS alerts 10: http://urlquery.net/report.php?id=7815965 (Message rulegroup file image rules - FILE-IMAGE Directshow GIF logical width overflow attempt).
See: count25.51yes dot com/click.aspx?id=257404429&logo=12 benign
[nothing detected] (script) count25.51yes dot com/click.aspx?id=257404429&logo=12
status: (referer=xinpujing.baijiale.tmdss dot com/tj.js)saved 1694 bytes 837762fa3ad2542bbec5ba7ea89aa4edec2b3346
info: [iframe] count25.51yes dot com/sa.htm?id=257404429
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
suspicious: maxruntime exceeded 10 seconds (incomplete) 564 bytes (site blacklisted twice: http://www.urlvoid.com/scan/count25.51yes.com/)
Also blacklisted here: http://sitecheck.sucuri.net/results/xinpujing.baijiale.tmdss.com
Obfuscated code -> http://jsunpack.jeek.org/?report=a3cec4edf6e7f62e494decef5530c2ded019a811
http://hosts-file.net/?s=count25.51yes.com flagged as AYS benign.
polonus