Unknown html malware flagged? Moderate risk.

See: https://www.virustotal.com/nl/url/fede43e645327ad6e2fc5602d57bb37d79e2241ef8ecf12baa8e5000e13b0214/analysis/1416063007/
155 instances of decoded javascript code

 [[\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74]] 

→ Exploit:Win32/Pdfjsc.YS
Potentially suspicious file: wXw.blogger.com/static/v1/widgets/2885176887-widgets.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘%26tran=%26npn=1%26=%26=%26=%26=%26=%26#falsefontFamilyfontFamily=%26true=%26=%26=%26=%26=%26=%26I=%26true=%26=%26=%26=%26=%26=%26I=%26=%26=%26=%26=%26=%26=’]] of length 104 which may point to obfuscation or shellcode.
Threat dump: http://jsunpack.jeek.org/?report=59434dcaac860d133e346f374baada32e3f6262d
Threat dump MD5: AA0254EA8EC811E73C733E0886208A94
File size[byte]: 90891
File type: ASCII
Page/File MD5: 87E1B384620ABC47AC07B242A531468F
Scan duration[sec]: 4.001000
line:3: SyntaxError: missing ] after element list:
error: line:3: [ernal%26%26k.gtbExternal[Ra]?d+=jd+k.gtbExternalRa:k[Ga]%26%26k[Ga].csi%26%26(d+=jd+k[Ga].csi()[Ra])}catch(e){}varf=k[Ga];if(f%26%26(f=f.loadTimes)){f().wasFetchedViaSpdy%26%26(d+=ad);if(f().wasNpnNegotiated){vard=d+Zc,h=f().npnNegotiatedProtocol;h%2
error: line:3: …^
Complaint on IP: http://www.liveipmap.com/74.125.226.10 & http://totalhash.com/network/ip:74.125.226.10

See: http://www.site-scan.com/eng/show_headers.php?REQUEST=GET&URL=http://hatimsudan.blogspot.de/&MODIFIED=0
http://whois.domaintools.com/blogspot.de
LeafDNS scan: http://leafdns.com/index.cgi?testid=4FE6DC29 & http://leafdns.com/index.cgi?testid=B197BE4F
Most of it OK here: http://www.dnsinspect.com/blogspot.de/1416068947
Nagłówki serwera www:
Server: GSE
Content-Encoding: gzip

Czas odp. DNS: 0.011 sekundy
Czas połączenia: 2.226 sekundy
Czas zapytania: 3.508 sekundy
Czas odpowiedzi: 0.989 sekundy

Ilość pobranych danych: 909.19 kB
Prędkość pobierania: 384.12 kB/s

Missing security headers for Framing, Transport, Caching Pragma, Access Control and Content-Security-Policy.

Risk here 7 out of 10 red: http://toolbar.netcraft.com/site_report/?url=http%3A%2F%2Fhatimsudan.blogspot.de
GSE Linux vulnerable to ptrace exploit.

links: [D] htxp://hatimsudan.blogspot.de/favicon.ico; rel=“icon”; type=“image/x-icon”
[D] htxp://hatimsudan.blogspot.com/; rel=“canonical”
[D] htxp://hatimsudan.blogspot.com/feeds/posts/default; rel=“alternate”; title=“مكتبة كتب - Atom”; type=“application/atom+xml”
[D] htxp://hatimsudan.blogspot.com/feeds/posts/default?alt=rss; rel=“alternate”; title=“مكتبة كتب - RSS”; type=“application/rss+xml”
[D] htxp://www.blogger.com/feeds/9130047430270102112/posts/default; rel=“service.post”; title=“مكتبة كتب - Atom”; type=“application/atom+xml”
[D] htxp://www.blogger.com/openid-server.g; rel=“openid.server”
[D] htxp://hatimsudan.blogspot.com/; rel=“openid.delegate”
[D] htxps://www.blogger.com/static/v1/widgets/2235083404-widget_css_bundle_rtl.css; rel=“stylesheet”; type=“text/css”
[D] htxps://www.blogger.com/dyn-css/authorization.css?targetBlogID=9130047430270102112&zx=0176c0c6-a4f0-4e73-b8be-79b967f2cbbb; rel=“stylesheet”; type=“text/css”

pol

Another example of this type of malware: https://www.virustotal.com/nl/url/59c0545d177def7c69ae1cc3e45b03e0eebae311df907159628ace5a190cb16d/analysis/1416076831/
Outdated Web Server Nginx Found Vulnerabilities on nginx nginx/1.2.3
Google Browser Diff.: Not identical

Google: 34541 bytes Firefox: 35536 bytes
Diff: 995 bytes

First difference:
?q=%d0%98%d1%80%d0%be%d0%bd%d0%b8%d1%8f+%d1%81%d1%83%d0%b4%d1%8c%d0%b1%d1

DNS report: http://www.dnsinspect.com/l0addr4.sprosbiz.pp.ua/1416076890

pol

Detected here: http://killmalware.com/l0addr4.sprosbiz.pp.ua/
HTML code contains blacklisted domain: loader4.us
DrWeb detects as infested with JS.Loadpays.2
http://l0addr4.sprosbiz.pp.ua/ is in Dr.Web malicious sites list!
Also listed here: https://www.securiteinfo.com/attaques/hacking/sites_web_corrompus.shtml

polonus

Another one dug up here via Clean MX VW: https://www.virustotal.com/nl/url/637aecf82c12144de15717f78a42b36ba9cc1d5515e2b0d03b12a55c3eb490e7/analysis/1416155647/
Bitdefender’s TrafficLight the only extension to detect this as malicious?
Wordpress Version 4.0 based on: http://ambertekblog.com/wp-admin/js/common.js

Mailchimp unsubscribe failed: http://us4.list-manage.com/unsub_confirm.html

Extensive header info proliferation: apache/2.2.27 (unix) mod_ssl/2.2.27 openssl/1.0.1e-fips dav/2 mod_bwlimited/1.4 - php/5.4.30

DOM-XSS vuln. Results from scanning URL: htxp://s1.wp.com/_static/??-eJyNkNFugzAMRX9oaYS0sqdp3wKuAYcQZ7ED4++XVgKtfWA82b65x46uXaIBDopBrRN7w5kA48/FyZv98zRlE33uKYil0FEgXffmwCsDJwW+odyXu++Mab3ACh5PQ+KpdAMvZtdfWR1wKuaYW9tSb9rERUl3ODQz9Y0Sh/OMjBSNpzCajiGL6egoDZzYkdXlqf7rd6ixgdGccz+5KIDPWzZLx61D0NcVGz+X7Ng2IqgP4DHHhCIHR6FJnAX9/stNKMzX9Fm9V9e6ruqPq/sFtMDXew==
Number of sources found: 78
Number of sinks found: 36

and on detect-zoom

Results from scanning URL: htxp://platform.twitter.com/widgets.js?ver=20111117
Number of sources found: 110
Number of sinks found: 50

This external link is being blocked for me via an extension: htxp://s.skimresources.com/js/725X1342.skimlinks.js
Adding the following filter to a functionality plugin or to your theme’s functions.php file blocks this:

add_filter( 'sharing_js', '__return_false' );

Re concerns for this adware: https://adblockplus.org/forum/viewtopic.php?t=17098
See: http://www.site-scan.com/eng/show_headers.php?REQUEST=GET&URL=http://ambertekblog.com&MODIFIED=0

polonus