polonus
2
Code seemed benign here: http://wepawet.iseclab.org/view.php?hash=eb8ac32891d032a56dffd51ee75e5b5f&t=1385502049&type=js
External links to check:
htxp://1383740992.t.pa663.info/wawa/?id=‘+d+’&ref=pft → ‘’
htxp://1383740992.t.pa663.info/llbei/?id=‘+d+’&ref=pft → ‘’
htxp://1383740992.t.pa663.info/weiku/?id=‘+d+’&ref=pft → ‘’
htxp://1383740992.t.pa663.info/dsb/?id=‘+d+’&ref=pft → ‘’
htxp://1383740992.t.pa663.info/gdmhs/?id=‘+d+’&ref=pft → ‘’
all trackcode → http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.1383740992.t.pa663.info/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO
aw tracking code to search for event listeners (handlers) in different views (addListener code); see code quote here:
ref.indexOf(‘360 dot cn/warn/’) > 0 || ref.indexOf(‘c.pc.qq dot com’) > 0 || ref.indexOf(‘api.pc120 dot com’) > 0 || ref.indexOf(‘safe.ie.sogou dot com’)
This is to be considered as malicious:
https://www.virustotal.com/nl/domain/api.pc120.com/information/
Verdict probably trojan dropper code,
pol