Apparently my blog for now is going to be about different ad companies that use the same techniques, and in some cases, even the same files. This post is about c6b46389dcb5c1fb834199a445044440.js, which is loaded from index line 54.
When I first looked at this file, I thought I was looking at a renamed pop.js. It had two base64-encoded PDFs, one of which is small and insignificant, and the other is fairly large. Scrolling through the rest of the file, I found another linked PDF.
The long embedded PDF is the pop.js PDF. It has the same alert script as in app.alert('Please wait..'), and the same metadata, identifying popunderjs.com as the creator of the file.
The linked PDF is sourced from https://cdn15.acloudimages.com/36/template/pu1473410272.pdf. It has the same alert script as the one found in 616020.pdf, except they added their copyright sign to it. The PDF metadata has been stripped down a little bit, but it still has the same creator, creation date and last-modified date as well. If you open the document, it has the text Copyright AdSupply 2016.
/* Copyright AdSupply 2016 */ app.alert("Focusing, please wait....");
14 0 <</CreationDate(D:20160526135438-07'00')/Creator(Adobe Acrobat Pro DC 15.16.20039)/ModDate(D:20160603133039-07'00')/Producer(Adobe Acrobat Pro DC 15.16.20039)>>
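To spot this kind of reuse without scrolling through each script by hand, here is an added example (my own, not code from the post or from any of the ad networks named) that pulls base64-encoded PDFs out of a JavaScript file, reads the info-dictionary fields and app.alert() text the post compares, and reports which metadata two PDFs share. The sample PDF and JS are constructed; the regex parsing assumes the metadata is stored as uncompressed literal strings, as in the dump above.

```python
import base64
import re

# base64 of "%PDF-" begins "JVBERi0", so a base64 run starting with it is a PDF
B64_PDF_RE = re.compile(r"JVBERi0[A-Za-z0-9+/=]{20,}")
# info-dictionary entries written as /Key(literal string), as in the post's dump
INFO_RE = re.compile(rb"/(CreationDate|ModDate|Creator|Producer)\s*\(([^)]*)\)")
# the document-level app.alert() call the post describes
ALERT_RE = re.compile(rb"app\.alert\(\s*['\"]([^'\"]*)['\"]")

def extract_embedded_pdfs(js_text):
    """Decode every base64-encoded PDF embedded as a string literal in JS."""
    pdfs = []
    for m in B64_PDF_RE.finditer(js_text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)  # restore any stripped padding
        try:
            pdfs.append(base64.b64decode(blob))
        except ValueError:  # not valid base64 after all; skip it
            continue
    return pdfs

def fingerprint_pdf(pdf_bytes):
    """Return the info-dictionary fields and app.alert() strings of a PDF."""
    info = {k.decode(): v.decode("latin-1") for k, v in INFO_RE.findall(pdf_bytes)}
    alerts = [a.decode("latin-1") for a in ALERT_RE.findall(pdf_bytes)]
    return {"info": info, "alerts": alerts}

def shared_metadata(fp_a, fp_b):
    """Info fields identical in both PDFs: evidence of a common origin."""
    return {k: v for k, v in fp_a["info"].items() if fp_b["info"].get(k) == v}

def analyze_js(js_text):
    """Fingerprint every PDF embedded in one JS file."""
    return [fingerprint_pdf(p) for p in extract_embedded_pdfs(js_text)]

# Constructed sample: a minimal PDF with an OpenAction alert and an info dict,
# embedded in JS next to an unrelated base64 string. All values are made up.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
    b'2 0 obj<</S/JavaScript/JS(app.alert("Focusing, please wait....");)>>endobj\n'
    b"3 0 obj<</CreationDate(D:20160101120000-07'00')/Creator(Example Writer 1.0)"
    b"/ModDate(D:20160102120000-07'00')/Producer(Example Writer 1.0)>>endobj\n"
    b"trailer<</Root 1 0 R/Info 3 0 R>>\n%%EOF\n"
)
SAMPLE_JS = ("var a=1;var pdf='" + base64.b64encode(SAMPLE_PDF).decode()
             + "';var other='aGVsbG8gd29ybGQ=';")
```

Run analyze_js() over two scripts and feed the results to shared_metadata() to see which creator, producer and date fields they have in common.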
That's a bit odd, because the HTML comments where the scripts are loaded from specify
c6b46389dcb5c1fb834199a445044440.js is from
616020.pdf is from
It's not a huge coincidence that these scripts share resources - they're all loaded within the same few lines of the 4archive index page. It would be exciting if these ad companies were all competing with each other, using each other's innovations - I imagine it can't be easy to go to court and claim that someone is stealing your intellectual property when that IP is subverting the wishes of
The only other really new thing about this script is that they don't obfuscate their variable or function names at all. Check out some of the names they use:
These names give a good description of the capabilities of this particular script. This is a prime script for reverse engineering, since half the work is already done.