Hi Pernaman,
Again a very interesting posting you came up with for us here, and not an easy nut at all to crack!. 
As you can see there is an external link that VT has with detections: https://www.virustotal.com/nl/domain/tjs.sjs.sinajs.cn/information/
An iFrame check comes up as suspicious: Suspicious
-http://d.pixiv.org/show?zone_id=topjack&segments=noseg&format=html&pla_referer_page_name=pixiv&num=5’
Please check this list for unknown links on this website:
-https://booth.pm/ → ‘booth(ç°¡åã«ã’
-http://ja.curecos.com/?ref=pixiv-cool → ‘ã³ã¹ãã¬cure’
-http://worldcosplay.net/?ref=pixiv-cool → ‘worldcosplay’
-https://halol.me/ → ‘halol’
Suspicious to me also: https://www.secure.pixiv.net/login.php?return_to=%2F
tags.php?tag=pixiv%E3%83%95%E3%82%A1%E3%83%B3%E3%82%BF%E3%82%B8%E3%82%A2T
= Unicode/UTF-8-character table landing at: - https://source.secure.pixiv.net/www/js/files/app.min.js?136fc9d88cfb9b351c1e55add23b5175 and - //seal.globalsign.com/SiteSeal/gmogs_image_100-50_ja.js
What about code like this
/*! / / / / / | / `、 i ! |i i , l / / // / | / | | | l ! i | | `/ー- 、 / / | / | l | l l ! ! i / ,,,,- ニ=x- 、_ !/ |i _, +十'イ i ! ! ''" / :;;r jヽ ` ̄ リ ,, -=、 レ | / / :| /:::::;;;;;;;:`::::::l / :;;r ヽヽ |/| / :! |::::::::;;;;;;;;:::::::l l:::;;;;;` ::| l // :! '、:_ '''' ノ l '''' ノ | / :| ::::::::..  ̄ ` ー ' ,' :| :::::::::::: , ..::::::::::::..l .:| :| :::::::::: :::::::::::::::::::| :| :| ::::::::::::::: l .:| l :| / :| :l :| , ' :::| :| :| ` 、 ⊂ニ==ー‐- , イ ::::| :| :| */
this is starting in -https://source.secure.pixiv.net/www/js/files/app.min.js?136fc9d88cfb9b351c1e55add23b5175
We have a poorly constructed api here that is vulnerable, persistent name update vulnerability for app.min.js - the common vulnerability we saw earlier behind the Kardashian sites 
php tags malcode? → checklist → https://my.hostmonster.com/cgi/help/511
Website test-in log-in errors found up.
Still iFrame is the main suspicious blocking factor here.
SSL certificate = OK.
polonus (volunteer website security analyst and website error-hunter)
