From blog.sucuri.net
During malware analysis, we regularly find variations of this injected script on various compromised websites: .
The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code:
var _0x446d=["_mauthtoken","indexOf","cookie","userAgent","vendor","opera","hxxps://zeep.ly/ev4Va","googlebot","test","substr","getTime","_mauthtoken=1; path=/;expires=","toUTCString","location"];
In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va. These redirect URLs may change from site to site, otherwise the code remains the same for this injection.