[GhostLight]

Hi,

The attached javascript came from http : / / 77977db0 (dot) linkbucks (dot) com/
McAfee recognizes this as "Exploit-PDF.rt.gen", which I find unusual for a JavaScript.

Any hints on how to de-obfuscate it would be welcome.

[Xylitol]

https://github.com/einars/js.decrypt.javacrypt should work if it's JavaCrypt, and if not try online services like http://jsunpack.jeek.org http://wepawet.iseclab.org

edit:
ok i used the scratchpad of firefox to decode it after removing JavaCrypt.
It give me a md5 hash at the end: 40badeec8a0ee2cfff89a6e0d933f24d
it's probably a legit stuff used by linkbucks.

[GhostLight]

Thanks,

it turns out this hash is used in a request to download a very tiny .gif file.