We came across a website and found that the .js files used for JSON communication had been injected with malicious code. At the bottom of the sample .js file, we find the following code snippet:
The image file is actually an ASCII file, and it contains some hexadecimal code. So we clean the code and feed it to the converter as follows:
So it is pointing to an image folder on "http://www.spris.com/images/". On issuing an HTTP request to this URL, we are served with:
Well, we do not find any data in the file. Anyway, that's not a problem :). The main point is to analyze the flow. Attackers can use heavily obfuscated scripts and follow the same flow of infection.
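The clean-and-convert step described above can be scripted for triage. This is an added example, not code from the original post: it flags a file whose image extension does not match its content, then strips the prefixes and separators from hex runs and decodes them to surface any URLs. The file name, sample content and `example.invalid` URL are constructed.

```python
import re

# Well-known leading signatures for JPEG, PNG, GIF and BMP files.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# One hex byte, bare or with a \x, % or 0x prefix; a run is 8+ of them.
HEX_BYTE = r"(?:\\x|%|0x)?([0-9A-Fa-f]{2})"
HEX_RUN = re.compile(r"(?:(?:\\x|%|0x)?[0-9A-Fa-f]{2}[\s,]*){8,}")
URL = re.compile(r"https?://[^\s\"'<>)]+")


def is_printable(data: bytes) -> bool:
    return bool(data) and all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def decode_hex_runs(text: str) -> list:
    """Strip prefixes/separators from each hex run and decode it to text."""
    out = []
    for run in HEX_RUN.finditer(text):
        raw = bytes(int(p, 16) for p in re.findall(HEX_BYTE, run.group(0)))
        if is_printable(raw):  # skip hashes and other binary-looking hex
            out.append(raw.decode("ascii"))
    return out


def triage(filename: str, data: bytes) -> dict:
    """Report extension/content mismatch and anything hidden in hex runs."""
    claims_image = filename.lower().endswith(IMAGE_EXT)
    text = data.decode("ascii", "replace")
    decoded = decode_hex_runs(text)
    return {
        "mismatch": claims_image and not data.startswith(IMAGE_MAGIC),
        "ascii_only": is_printable(data),
        "decoded": decoded,
        "urls": [u for d in decoded for u in URL.findall(d)],
    }


# Constructed sample: a ".gif" whose body is text carrying a %-encoded string.
HIDDEN = "http://example.invalid/images/"  # placeholder, not from the page
SAMPLE = ("var u = unescape('" + "".join("%%%02x" % ord(c) for c in HIDDEN) + "');").encode()

if __name__ == "__main__":
    print(triage("banner.gif", SAMPLE))
```

A file that reports `mismatch` and `ascii_only` together is the pattern seen here: script content served under an image name.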