ET WEB_CLIENT Hex Obfuscation of document.write % Encoding not detected

See: http://urlquery.net/report.php?id=8169284
https://www.virustotal.com/nl/url/8835a4f4a707e40a64827fceab963e56ab1e70179347b83376cd770e2819dcb0/analysis/1386256211/
https://www.virustotal.com/nl/file/4b4961f7d134838f1d828384e21d971aebea3aa3d03623f1572efd61d6ca85e9/analysis/1374716085/
avast! does not flag.
Suspicious javascript code injection found (7 instances) http://quttera.com/detailed_report/www.arroyomu.com.ar
see: wXw.arroyomu.com.ar/content/index.php → http://jsunpack.jeek.org/?report=ee91a094c434ea1e99cb5e303360c68481ebe631
see: http://jeffsoh.blogspot.nl/2012/07/javascript-unescape-obfuscated-code.html link by JeffSoh on NetSec
Decoded document.write(unescape(‘’)); could be benign (decoded by me, pol via HexDecoder)
link evaluation: http://jsunpack.jeek.org/?report=add4342633a509a6cc6e045fbe6fd3a18e0bc2a5
and http://jsunpack.jeek.org/?report=abe1910fe5fef1863531c4595c6f62b5d7f0c715
On IP: arroyomu dot net is flagged by Bitdefender’s TrafficLight as having malware.

pol
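
A static triage sketch for the pattern this thread is about, `document.write(unescape("%XX..."))`, added here as an example and not code from any poster or from the ET rule: it decodes the string literal without executing it and reports which active tags the decoded markup contains. The sample input is constructed, and the list of tags worth flagging is an assumption.

```javascript
// Added example: decode document.write(unescape("%XX...")) statically (no eval).
// One pass over %uXXXX and %XX, so decoded output is never decoded a second time.
const ESCAPE = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
// Quoted literal passed straight to unescape() inside document.write().
// Limitation: literals holding a quote character or built by concatenation are not matched.
const WRITE_UNESCAPE =
  /document\.write\s*\(\s*unescape\s*\(\s*(["'])([^"']*)\1\s*\)\s*\)/g;
// Assumption: tags worth flagging in the decoded markup.
const ACTIVE_TAGS = /<\s*(script|iframe|object|embed)\b/gi;

function decodePercent(s) {
  return s.replace(ESCAPE, (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

function scan(source) {
  const findings = [];
  for (const m of source.matchAll(WRITE_UNESCAPE)) {
    const literal = m[2];
    // Number of literal characters that belong to a % escape.
    const encoded = (literal.match(ESCAPE) || []).reduce((n, e) => n + e.length, 0);
    const decoded = decodePercent(literal);
    findings.push({
      offset: m.index,
      encodedRatio: literal.length ? encoded / literal.length : 0,
      decoded,
      tags: [...decoded.matchAll(ACTIVE_TAGS)].map((t) => t[1].toLowerCase()),
    });
  }
  return findings;
}

// Constructed sample page: one plain write, one encoded but harmless write,
// and one encoded write that decodes to an iframe pointing at a placeholder host.
const SAMPLE = [
  'document.write("<p>plain</p>");',
  'document.write(unescape("%3C%62%3E%68%69%3C%2F%62%3E"));',
  "document.write( unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F" +
    "%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%3E') );",
].join("\n");

for (const f of scan(SAMPLE)) {
  console.log(f.offset, f.encodedRatio.toFixed(2), JSON.stringify(f.decoded), f.tags);
}
```

A fully encoded literal (ratio 1.00) that decodes to plain formatting markup is the "could be benign" case; the same ratio with an `iframe` or `script` tag in the decoded text is the one to follow up.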

Well, the file analysis scan is more than 4 months old:
https://www.virustotal.com/en/file/4b4961f7d134838f1d828384e21d971aebea3aa3d03623f1572efd61d6ca85e9/analysis/1374716085/

Since you don't get a new file scan when running that URL at VT, my guess is the file is no longer there… or ?

however jsunpack does display some suspicious code…

Well, it seems jsunpack is correct… detected by 3.
All those detecting as Trojan.Script.232927 are using the Bitdefender engine, so that counts as one.

https://www.virustotal.com/nb/file/2841f77cd99d105e5ce803fa71805c1aeca75c93dd0487a4d7ac4f3ac219091a/analysis/1386258635/

Site is still up and not flagged, good you validated it…
Script could be benign however…
With script blocking active I get this here on that site:

Version 0.97d with items from 0.99

VIP servers:

  • Unlimited user capacity
  • Higher connection bandwidth
  • Drop of all excellent items
  • New Spots
  • New Maps
  • Sale of entries to the Blood
  • Sale of Soul

ENTER THE VIP

For more information go HERE

See the flagged code just a sec ago attached.

pol

A more recent example of this alert: https://urlquery.net/report/b9e34ff6-b1ee-4435-925c-988241ca898c

Re: http://doc.emergingthreats.net/bin/view/Main/2012245

Not given here: https://www.virustotal.com/#/url/5e89f95d8bcb077ad0302c302e129b3d9151de3eb9519c73240d4ce9a085ccf6/details

CleanMX finds: https://www.threatminer.org/host.php?q=64.136.20.43

polonus