c6b46389dcb5c1fb834199a445044440.js Analysis

August 6, 2017

Apparently my blog for now is going to be about different ad companies that use the same techniques, and in some cases, even the same files. This post is about c6b46389dcb5c1fb834199a445044440.js, which is loaded from index line 54.

<!-- Popunder Code for | 2017-08-06,1006003,0,0 --> <script type="text/javascript" data-cfasync="false"> /*<![CDATA[/* */ /* Privet darkv. Each domain is 2h fox dead */ (function(){ var t=window;t["\u005fp\u006f\u0070"]=[["s\u0069\u0074e\u0049\u0064",1006003],["\x6d\x69\u006e\x42i\x64",0],["\x70\u006f\u0070\x75nd\x65\u0072\u0073\x50\x65r\x49\x50",0],["\x64\u0065\u006cay\u0042e\x74\u0077ee\u006e",0],["de\u0066\u0061\u0075lt",false],["\x64\u0065\u0066\x61\u0075\u006c\x74Pe\u0072\x44a\x79",0],["t\u006fp\x6dos\u0074\u004c\u0061\u0079\u0065r",!1]];var j=["/\x2f\x63\u0031.\x70\u006f\x70a\u0064\u0073\x2e\x6e\u0065\x74/\x70\u006fp\x2e\x6a\u0073","/\x2f\x63\u0032\u002e\u0070o\u0070ad\x73.\x6e\u0065\u0074\x2f\x70\u006f\x70\u002ej\x73","\x2f/w\u0077\x77\x2e\x6c\u006a\u0066\u0065\u0074l\x68\u006c\x65\x69\u0066\x66r\x2ebid/y\u002e\u006a\x73","//\x77\u0077\u0077\u002el\u0074\u006e\u006a\x74p\u0068\u0062\u0062v\u0069\x67\x69\x2eb\u0069\x64/\u006egl\x2e\x6a\u0073",""],g=0,h,b=function(){if(""==j[g])return;h=t["docu\u006dent"]["\u0063re\u0061t\x65\x45\x6ceme\x6e\u0074"]("\x73\u0063r\x69\u0070\x74");h["\u0074y\u0070\x65"]="\u0074e\x78\x74\u002f\x6aava\u0073\u0063r\x69\x70t";h["a\x73\x79\u006e\u0063"]=!0;var z=t["\x64\x6fc\x75\x6d\x65nt"]["\x67e\u0074\x45\x6c\u0065\u006d\u0065\x6e\u0074s\x42\x79\x54\x61g\u004ea\u006d\u0065"]("\x73c\x72\x69\x70\u0074")[0];h["s\u0072\x63"]=j[g];if(g<2){h["\x63\x72o\u0073\u0073\x4f\x72\x69\u0067\x69n"]="\x61\x6eon\x79\u006d\u006f\x75\x73";};h["\u006f\x6ee\u0072\x72\u006f\u0072"]=function(){g++;b()};z["\u0070\x61\u0072\u0065\x6etNo\u0064\x65"]["\u0069\u006e\x73\x65rt\u0042\x65\u0066\x6fr\u0065"](h,z)};b()})(); /*]]>/* */ </script> <script type='text/javascript' src='//'></script><!-- adsterra nsfw --> <script data-cfasync="false" src="//"></script><!-- admaven sfw -->
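The snippet above hides every property name and URL behind `\x`/`\u` escapes inside string literals, which is why it reads as noise in a text editor. The following is an added analyst helper, not code from the post or from any ad network: a small Python pass that decodes those escapes, rewrites `obj["name"]` as `obj.name`, and lists the decoded literals so the loaded URLs stand out. The SAMPLE is a constructed excerpt built from fragments of the popunder code quoted above.

```python
import re

# \xNN and \uNNNN escapes, the only obfuscation the popunder snippet uses.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
# A double- or single-quoted JS string literal, honouring backslash escapes inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# obj["name"] where name is a plain identifier, so it can be rewritten as obj.name.
BRACKET_RE = re.compile(r'\["([A-Za-z_$][A-Za-z0-9_$]*)"\]')


def decode_escapes(text):
    """Replace \\x / \\u escapes with the character they encode.

    Escapes that would break the enclosing literal (quotes, backslash,
    non-printable characters) are left exactly as written.
    """
    def repl(m):
        ch = chr(int(m.group(1) or m.group(2), 16))
        if ch in '"\'\\' or not ch.isprintable():
            return m.group(0)
        return ch
    return ESCAPE_RE.sub(repl, text)


def deobfuscate(src):
    """Decode escaped string literals, then rewrite obj["name"] as obj.name.

    Regex pass, not a JS parser: quotes inside comments or regex literals
    can confuse it, so read the output rather than trusting it blindly.
    """
    def repl(m):
        if m.group(1) is not None:
            return '"' + decode_escapes(m.group(1)) + '"'
        return "'" + decode_escapes(m.group(2)) + "'"
    return BRACKET_RE.sub(r'.\1', STRING_RE.sub(repl, src))


def string_literals(src):
    """Decoded contents of every string literal, in source order (URLs included)."""
    return [decode_escapes(m.group(1) if m.group(1) is not None else m.group(2))
            for m in STRING_RE.finditer(src)]


# Constructed excerpt: fragments copied from the popunder code quoted above.
SAMPLE = (
    r'var t=window;t["\u005fp\u006f\u0070"]=[["s\u0069\u0074e\u0049\u0064",1006003],'
    r'["\x6d\x69\u006e\x42i\x64",0]];'
    r'h=t["docu\u006dent"]["\u0063re\u0061t\x65\x45\x6ceme\x6e\u0074"]("\x73\u0063r\x69\u0070\x74");'
    r'h["s\u0072\x63"]="/\x2f\x63\u0031.\x70\u006f\x70a\u0064\u0073\x2e\x6e\u0065\x74/\x70\u006fp\x2e\x6a\u0073";'
)

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Running it on the full snippet turns the `t["docu\u006dent"]["\u0063re\u0061t..."]` chain into `t.document.createElement("script")` and exposes the `_pop` config array and the fallback script URL list in plain text.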

When I first looked at this file, I thought I was looking at a renamed pop.js. It had two base64 encoded PDFs, one of which is small and insignificant, and the other is fairly large. Scrolling through the rest of the file, I found another linked PDF.

The long embedded PDF is the pop.js PDF. It has the same alert script as pop.js's PDF, app.alert('Please wait..'), and the same metadata identifying the creator of the file.

The linked PDF is sourced from It has the same alert script as the one found in 616020.pdf, except they added their copyright sign to it. The PDF metadata has been stripped down a little, but it still has the same creator, creation date and modification date. If you open the document, it has the text Copyright AdSupply 2016.

/* Copyright AdSupply 2016 */ app.alert("Focusing, please wait....");
14 0 <</CreationDate(D:20160526135438-07'00')/Creator(Adobe Acrobat Pro DC 15.16.20039)/ModDate(D:20160603133039-07'00')/Producer(Adobe Acrobat Pro DC 15.16.20039)>>

That's a bit odd, because the HTML comments where the scripts are loaded from specify c6b46389dcb5c1fb834199a445044440.js is from adsterra and 616020.pdf is from admaven.

It's not a huge coincidence that these scripts share resources - they're all loaded within the same few lines of the 4archive index page. It would be exciting if these ad companies were all competing with each other, using each other's innovations - I imagine it can't be easy to go to court and claim that someone is stealing your intellectual property when that IP is subverting the wishes of its victims, the users.

The only other really new thing about this script is that they don't obfuscate their variable or function names at all. Check out some of the names they use:

These names give a good description of the capabilities of this particular script. This is a prime script for reverse engineering, since half the work is already done.

Thanks for reading.