Suspicious JavaScript Obfuscation detected....

[polonus]

See: https://urlquery.net/report/2e444bfc-676d-4fe1-9f69-a0328f141d36
Flagged here: https://www.virustotal.com/en/url/407a9bcd9439b69f041c4fe8ace1156ac439dd4ce69dc245885790f5796f1b8d/analysis/1555338643/
blacklisted external links & blacklisted iframes: https://quttera.com/detailed_report/dmuller.net

https://sitecheck.sucuri.net/results/dmuller.net
Blocked for me javascript to -http://s47.sitemeter.com/js/counter.js?site=s47phoenixnet
Site also blacklisted by Yandex: https://www.yandex.com/infected?url=dmuller.net

Also detected: -http://mailhide.recaptcha.net/d?k=01lgAndaS1VU6rqbxzR7LMyA==&c=mgS5PlYSw5ukLXrkwl2eC-ttQigM7YLCzZmUwTNH-9E=   1
additional links like -EXTRALINK##-http://s47.sitemeter.com/js/counter.js?site=s47phoenixnet   1
EXTRALINK##-http://s47.sitemeter.com/stats.asp?site=s47phoenixnet   1
EXTRALINK##-http://s47.sitemeter.com/meter.asp?site=s47phoenixnet   1
FILE##v3track.php?trackref%3Dhttp%3a%2f%2fgoogle.com&trackuri%3D%2fspaceflight%2findex.php&trackdim%3Dx&trackcountry%3Dru
various ecxternal links extphp etc.

polonus

[Pondus]

scan using the full URL used at urlQuery and fortinets webfilter

https://sitecheck.sucuri.net/results/dmuller.net/wp?q=p%3Den%2Ftadalfil

https://www.virustotal.com/#/file/b05c63a25e3541fe0773f15f5d5b9ea43a4b1b4773c957bdacffbab6bcc84c46/detection


https://sitecheck.sucuri.net/results/134.249.116.78/jquery.js
https://www.virustotal.com/#/url/dab0812fe89ebcac05a3f37cbad6effaa06802bf91b00535ae789f8d05096aa2/detection
https://www.virustotal.com/#/file/6aa48a47b63effcf8d62194c1dc563a79ab7b737a90888cfaebfb046b2d96715/detection

https://www.virustotal.com/#/url/72911124dcd577dee006d816321d5a06668b06467a305934e47a2f20a8905e5d/detection

[polonus]

Hi Pondus,

Thanks for demonstrating this is again part of the same long ongoing malware campaig, involving:
   -http://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d

We have met this one a couple of times before,

Damian aka polonus