JSUNPACK
A Generic JavaScript Unpacker
CAUTION: jsunpack was designed for security researchers and computer professionals

Submission permanent link f15575a477164742373357f9920e8dc1c53cf145 (Received 2012-10-25 16:30:27, http://webmail.excite.com/c55d4374/gds/index_rich.php )

URL Status
webmail.excite.com/c55d4374/gds/rich.php saved 22709 bytes 4d2b4547bb6f5e9361ef5d7e0509079be9233da3

ae.excite.com/ status: (referer=www1.excite.com/security/0,17167,,00.html)

excitedegrees.elearners.com/qdfIframe.aspx?tsource=ccdec2&cssurl=http:/s3.amazonaws.com/degreesexcite/css/iframe-widget-left.css status: (referer=www1.excite.com/security/0,17167,,00.html)

movies.excite.com/ status: (referer=docs1.excite.com/myfunctions.js)

boards.excite.com/ status: (referer=docs1.excite.com/myfunctions.js)

publish.vx.roo.com/excitemini/miniplaylist/ status: (referer=docs1.excite.com/myfunctions.js)

www.google-analytics.com/urchin.js status: (referer=www.excite.com/)

utm.trk.excite.com/__utm.gif status: (referer=utm.excite.com/u.js)

ad.doubleclick.net/adj/5480.iac.excite/about:blank status: (referer=ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667)

docs1.excite.com/iframe.html status: (referer=www.excite.com/)

www.excite.com/education/financial-aid/pell-grants-application status: (referer=www.excite.com/)

docs1.excite.com/ie.js status: (referer=www.excite.com/)

rd.excite.com/sp/em status: (referer=docs1.excite.com/myfunctions.js)

www.excite.com/tv/favs.jsp status: (referer=docs1.excite.com/myfunctions.js)

docs1.excite.com/exUni.js status: (referer=www1.excite.com/security/0,17167,,00.html)

registration.excite.com/excitereg/register.jsp/excitereg/register.jsp status: (referer=docs1.excite.com/myfunctions.js)

www1.excite.com/home/toolbar/overview/1,3755,,00.html status: (referer=docs1.excite.com/myfunctions.js)

www1.excite.com/home/horoscope/index/0,1854,_L0_0_0_1,00.html status: (referer=docs1.excite.com/myfunctions.js)

www1.excite.com/security/ status: (referer=www1.excite.com/security/0,17167,,00.html)

pagead2.googlesyndication.com/pagead/js/r20121023/r20110914/abg.js status: (referer=ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667)

docs1.excite.com/ie.js status: (referer=www.excite.com/)

sports.excite.com/ status: (referer=docs1.excite.com/myfunctions.js)

service.urchin.com/__utm.gif status: (referer=utm.excite.com/u.js)

today.excite.com/celebbday.html status: (referer=docs1.excite.com/myfunctions.js)

docs1.excite.com/functions.js status: (referer=www.excite.com/)

ad.doubleclick.net/adj/5480.iac.excite/<html><head><script> status: (referer=ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667)

s0.2mdn.net/879366/1_2.js status: (referer=ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667)

www.excite.com/tv/prog.jsp? status: (referer=docs1.excite.com/myfunctions.js)

Warning: reading file /storagefiles/2ce1//58a82a9204be5ad4bdc78e54659602e0459b failed
Warning: reading file /storagefiles/366a//a48f91ec5214058d2fcf4650593c555e0899 failed

All Malicious or Suspicious Elements of Submission

suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
www1.excite.com/security/0,17167,,00.html benign
[nothing detected] (metarefresh) www1.excite.com/security/0,17167,,00.html
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 24917 bytes 11bc8d16204d03ddeac6d14eee3014f3bc071a30
     info: [javascript variable] URL=ae.excite.com
     info: [img] ak.imgfarm.com/ex/logo.gif
     info: [img] ak.imgfarm.com/images/spacer.gif
     info: [iframe] excitedegrees.elearners.com/qdfIframe.aspx?tsource=ccdec2&amp;cssurl=http:/s3.amazonaws.com/degreesexcite/css/iframe-widget-left.css
     info: [iframe] www1.excite.com/security/
     info: [script] docs1.excite.com/exUni.js
     info: [decodingLevel=0] found JavaScript
     error: line:8: SyntaxError: missing ; before statement:
          error: line:8:            Javascript enabled browsers
          error: line:8: .................^
     file: 11bc8d16204d03ddeac6d14eee3014f3bc071a30: 24917 bytes

Decoded Files
11bc/8d16204d03ddeac6d14eee3014f3bc071a30 from www1.excite.com/security/0,17167,,00.html (24917 bytes, 968 hidden) download


ak.imgfarm.com/ex/emc.gif benign
[nothing detected] (jsvar) ak.imgfarm.com/ex/emc.gif
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 94 bytes 43824438468cfb2e9c8c47816af589356b8c663b
     file: 43824438468cfb2e9c8c47816af589356b8c663b: 94 bytes

Decoded Files
4382/4438468cfb2e9c8c47816af589356b8c663b from ak.imgfarm.com/ex/emc.gif (94 bytes, 76 hidden) download


webmail.excite.com/c55d4374/gds/rich.php benign
[nothing detected] webmail.excite.com/c55d4374/gds/rich.php
     status: (referer=www.google.com/trends/hottrends)saved 22709 bytes 4d2b4547bb6f5e9361ef5d7e0509079be9233da3
     info: [javascript variable] URL=ak.imgfarm.com/ex/lep.gif
     info: [javascript variable] URL=ak.imgfarm.com/ex/emc.gif
     info: [javascript variable] URL=ak.imgfarm.com/ex/zoom.gif
     info: [javascript variable] URL=www.excite.com
     info: [script] utm.excite.com/u.js
     info: [img] ak.imgfarm.com/ex/reg/logo.gif
     info: [img] ak.imgfarm.com/ex/joinNow300.gif
     info: [img] webmail.excite.com/c55d4374/gds/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable hp
     error: undefined variable hp.style
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var hp.style = 1;
          error: line:1: ....^
     error: undefined variable document.loginbox
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var document.loginbox = 1;
          error: line:1: ....^
     info: Decoding option browser=Opera and browser=Firefox,      3593 bytes
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista,      541 bytes
     info: [var httpRequest] URL=www1.excite.com/security/0,17167,,00.html
     info: [var lepImage] URL=ak.imgfarm.com/ex/lep.gif
     info: [var emcImage] URL=ak.imgfarm.com/ex/emc.gif
     info: [var zoomImage] URL=ak.imgfarm.com/ex/zoom.gif
     info: [var footerHtml] URL=webmail.excite.com/c55d4374/gds/
     info: [var newurl] URL=webmail.excite.com/c55d4374/gds/
     info: [script] ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667
     info: [decodingLevel=1] found JavaScript
     file: 4d2b4547bb6f5e9361ef5d7e0509079be9233da3: 22709 bytes
     file: 429a3a834f26f1c0d75d731cd5ffc34a9f489f6c: 3593 bytes

Decoded Files
4d2b/4547bb6f5e9361ef5d7e0509079be9233da3 from webmail.excite.com/c55d4374/gds/rich.php (22709 bytes, 191 hidden) download

429a/3a834f26f1c0d75d731cd5ffc34a9f489f6c from webmail.excite.com/c55d4374/gds/rich.php (3593 bytes) download


www.excite.com/ benign
[nothing detected] (jsvar) www.excite.com/
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 92214 bytes be21a9cc3816a0ab89dd5b3ebf0d3a8862f280ba
     info: [javascript variable] URL=www.excite.com/education/financial-aid/pell-grants-application
     info: [javascript variable] URL=www.excite.com
     info: [meta refresh] URL=www1.excite.com/security/0,17167,,00.html
     info: [script] docs1.excite.com/ie.js
     info: [script] docs1.excite.com/ie.js
     info: [script] www.google-analytics.com/urchin.js
     info: [img] ak.imgfarm.com/images/spacer.gif
     info: [img] ak.imgfarm.com/ex/spacer.gif
     info: [img] ak.imgfarm.com/images/newsnavS7.gif
     info: [iframe] docs1.excite.com/iframe.html
     info: [img] ak.imgfarm.com/ex/20020329dac.gif
     info: [img] i1img.com/images/spacer.gif
     info: [img] ak.imgfarm.com/images/iwon/iwonclassic.gif
     info: [img] imgfarm.com/images/ads/300x170/300-X-170.gif?
     info: [iframe] http
     info: [decodingLevel=0] found JavaScript
     error: undefined variable NAV_NS
     error: undefined variable NAV_MAC
     error: undefined variable NAV_VER
     info: [var _ugifpath] URL=utm.trk.excite.com/__utm.gif
     info: [var newurl] URL=utm.trk.excite.com/__utm.gif
     info: [script] docs1.excite.com/functions.js
     info: [script] docs1.excite.com/myfunctions.js
     info: [decodingLevel=1] found JavaScript
     file: be21a9cc3816a0ab89dd5b3ebf0d3a8862f280ba: 92214 bytes
     file: 32e37c8b24f8754edf7cbe89c2f72112be1f86ac: 2204 bytes

Decoded Files
be21/a9cc3816a0ab89dd5b3ebf0d3a8862f280ba from www.excite.com/ (92214 bytes, 3062 hidden) download

32e3/7c8b24f8754edf7cbe89c2f72112be1f86ac from www.excite.com/ (2204 bytes, 1 hidden) download


ak.imgfarm.com/ex/zoom.gif benign
[nothing detected] (jsvar) ak.imgfarm.com/ex/zoom.gif
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 581 bytes 848a2d79a143b4a4c04932f0198be555e955caa1
     info: [0] no JavaScript
     file: 848a2d79a143b4a4c04932f0198be555e955caa1: 581 bytes

Decoded Files
848a/2d79a143b4a4c04932f0198be555e955caa1 from ak.imgfarm.com/ex/zoom.gif (581 bytes, 381 hidden) download


webmail.excite.com/c55d4374/gds/ benign
[nothing detected] (var newurl) webmail.excite.com/c55d4374/gds/
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 22709 bytes a622ccdcdce6bb01a585dbcfb8af94516f17463c
     info: [javascript variable] URL=ak.imgfarm.com/ex/lep.gif
     info: [javascript variable] URL=ak.imgfarm.com/ex/emc.gif
     info: [javascript variable] URL=ak.imgfarm.com/ex/zoom.gif
     info: [javascript variable] URL=www.excite.com
     info: [script] utm.excite.com/u.js
     info: [img] ak.imgfarm.com/ex/reg/logo.gif
     info: [img] ak.imgfarm.com/ex/joinNow300.gif
     info: [img] webmail.excite.com/c55d4374/gds/
     file: a622ccdcdce6bb01a585dbcfb8af94516f17463c: 22709 bytes

Decoded Files
a622/ccdcdce6bb01a585dbcfb8af94516f17463c from webmail.excite.com/c55d4374/gds/ (22709 bytes, 191 hidden) download


utm.excite.com/u.js benign
[nothing detected] (script) utm.excite.com/u.js
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 16639 bytes b24fa2ba78b6b20ab1d7464e869790e9ebfdd1be
     info: [javascript variable] URL=utm.trk.excite.com/__utm.gif
     info: [javascript variable] URL=service.urchin.com/__utm.gif
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: line:150: TypeError: Image is not a constructor
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox and browser=Opera and browser=Firefox,      0 bytes
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista,      544 bytes
     info: [var _ugifpath] URL=utm.trk.excite.com/__utm.gif
     info: [var _ugifpath2] URL=service.urchin.com/__utm.gif
     info: [var newurl] URL=service.urchin.com/__utm.gif
     file: b24fa2ba78b6b20ab1d7464e869790e9ebfdd1be: 16639 bytes
     file: caee576b2a739f3d4914ed31728ae65395b35f35: 17253 bytes
     file: 2ce158a82a9204be5ad4bdc78e54659602e0459b: 16952 bytes
     file: 366aa48f91ec5214058d2fcf4650593c555e0899: 17076 bytes
     file: acc4cf64610296d609f30eec804f3bdf9b9cad4f: 544 bytes

Decoded Files
b24f/a2ba78b6b20ab1d7464e869790e9ebfdd1be from utm.excite.com/u.js (16639 bytes, 132 hidden) download

caee/576b2a739f3d4914ed31728ae65395b35f35 from utm.excite.com/u.js (17253 bytes, 132 hidden) download

2ce1/58a82a9204be5ad4bdc78e54659602e0459b from utm.excite.com/u.js

366a/a48f91ec5214058d2fcf4650593c555e0899 from utm.excite.com/u.js

acc4/cf64610296d609f30eec804f3bdf9b9cad4f from utm.excite.com/u.js (544 bytes) download


ak.imgfarm.com/ex/lep.gif benign
[nothing detected] (jsvar) ak.imgfarm.com/ex/lep.gif
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 165 bytes 79d7011c6871495540a68f31b774cf1a82c5701d
     info: [0] no JavaScript
     file: 79d7011c6871495540a68f31b774cf1a82c5701d: 165 bytes

Decoded Files
79d7/011c6871495540a68f31b774cf1a82c5701d from ak.imgfarm.com/ex/lep.gif (165 bytes, 105 hidden) download


docs1.excite.com/myfunctions.js benign
[nothing detected] (script) docs1.excite.com/myfunctions.js
     status: (referer=www.excite.com/)saved 154199 bytes 818db9291a72e13abaf2cc894cb2d12fe2f28936
     info: [javascript variable] URL=registration.excite.com/excitereg/register.jsp/excitereg/register.jsp
     info: [javascript variable] URL=rd.excite.com/sp/em
     info: [javascript variable] URL=www1.excite.com/home/toolbar/overview/1,3755,,00.html
     info: [javascript variable] URL=boards.excite.com
     info: [javascript variable] URL=www1.excite.com/home/horoscope/index/0,1854,_L0_0_0_1,00.html
     info: [javascript variable] URL=today.excite.com/celebbday.html
     info: [javascript variable] URL=movies.excite.com
     info: [javascript variable] URL=sports.excite.com
     info: [javascript variable] URL=www.excite.com/tv/prog.jsp?
     info: [javascript variable] URL=www.excite.com/tv/favs.jsp
     info: [javascript variable] URL=www.excite.com
     info: [img] ak.imgfarm.com
     info: [img] ak.imgfarm.com/ex/lg/lg.gif
     info: [img] i1img.com/ex/iconsB.gif
     info: [img] i1img.com/ex/signedIiconsD.gif
     info: [img] ak.imgfarm.com/ex/my/exHaveMail.gif
     info: [img] ak.imgfarm.com/images/spacer.gif
     info: [img] docs1.excite.com/+pollLogo+
     info: [img] ak.imgfarm.com/ex/weather/moon/moon
     info: [img] ak.imgfarm.com/ex/bullet.gif
     info: [img] ak.imgfarm.com/ex/my/PHexciteWHT.gif
     info: [img] docs1.excite.com/
     info: [iframe] publish.vx.roo.com/excitemini/miniplaylist/
     info: [img] ak.imgfarm.com/ex/sports/lilWhistle2.gif
     info: [img] media.expedia.com/media/content/shared/graphics/common/mail/TL.gif
     info: [img] media.expedia.com/media/content/shared/graphics/common/mail/TR.gif
     info: [img] media.expedia.com/media/content/shared/graphics/logos/exp/sflogo.gif
     info: [img] media.expedia.com/media/content/shared/graphics/other/left.gif
     info: [img] media.expedia.com/media/content/shared/graphics/other/right.gif
     info: [img] www.expedia.com/eta/blank.gif
     info: [img] media.expedia.com/media/content/shared/graphics/other/sftagline2.gif
     info: [img] media.expedia.com/media/content/shared/graphics/common/mail/BL.gif
     info: [img] media.expedia.com/media/content/shared/graphics/common/mail/BR.gif
     info: [img] ak.imgfarm.com/images/trk/myExciteTR.gif?
     info: [img] docs1.excite.com/+imgBtnE+
     info: [img] ak.imgfarm.com/ex/20020329dac.gif
     info: [img] i1img.com/images/spacer.gif
     info: [img] ak.imgfarm.com/images/iwon/iwonclassic.gif
     file: 818db9291a72e13abaf2cc894cb2d12fe2f28936: 154199 bytes

Decoded Files
818d/b9291a72e13abaf2cc894cb2d12fe2f28936 from docs1.excite.com/myfunctions.js (154199 bytes, 2371 hidden) download


ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667 benign
[nothing detected] (script) ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667
     status: (referer=webmail.excite.com/c55d4374/gds/rich.php)saved 10836 bytes 797dfe526beeee5f00a858bd8db2600006976df8
     info: [script] s0.2mdn.net/879366/1_2.js
     info: [embed] ad.doubleclick.net/adj/5480.iac.excite/
     info: [img] ad.doubleclick.net/adj/5480.iac.excite/
     info: [img] s0.2mdn.net/807725/EO_SingleFNoB300x250.gif
     info: [img] pagead2.googlesyndication.com/pagead/images/adchoices/icon.png
     info: [img] pagead2.googlesyndication.com/pagead/images/adchoices/en.png
     info: [script] pagead2.googlesyndication.com/pagead/js/r20121023/r20110914/abg.js
     info: [iframe] ad.doubleclick.net/adj/5480.iac.excite/about:blank
     info: [decodingLevel=0] found JavaScript
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox,      0 bytes
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox,      604 bytes
     info: DecodedIframe detected
     info: [var adsenseH21061] URL=ad.doubleclick.net/adj/5480.iac.excite/<html><head><script>
     info: [decodingLevel=1] found JavaScript
     file: 797dfe526beeee5f00a858bd8db2600006976df8: 10836 bytes
     file: 306c8889e6a49cf17109bfcf364fae964566e7a0: 604 bytes

Decoded Files
797d/fe526beeee5f00a858bd8db2600006976df8 from ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667 (10836 bytes, 41 hidden) download

306c/8889e6a49cf17109bfcf364fae964566e7a0 from ad.doubleclick.net/adj/5480.iac.excite/LOGIN;tile=1;sz=300x250;pos=bom;s=ex;ord=562667 (604 bytes) download