If this was found on a webpage, you might just overlook it as something benign. It’s a clever concept!
It starts off by defining an array of hexadecimal values which look like a representation of different colors.
The function “div_pick_colors” concatenates them into one long string after ignoring the pound sign. You end up with this:
The same function then grabs two characters at a time and does some fancy footwork to convert it into a malicious redirect. Here’s the code that does the conversion:
s += String.fromCharCode(parseInt(c_clr, 16) – 15);
Let’s go through this quickly…
Get the first two characters from the string above (which is “4b”).
Convert it from hexadecimal to decimal (you’ll get “75”).
Subtract 15 from the decimal value (which is “60”).
The rest of the code appends the date/time value to the URL and executes the code.
In case you’re wondering what those hexadecimal values actually look like if they rendered into colors, well it looks like this:
It kinda looks like a scarf I got for Christmas.