Or at least their length.
The payload itself is predictable and dull – addition of an iframe to the page in order to load further malware. But the manner in which this payload is hidden made me chuckle. The bulk of the injected script consists of a long string of words, which is split into an array (
DayahDet in the code snippet shown below).
Decryption to the payload consists of the following steps. For each pair of words in the array, construct a string from the length (minus 1) of the words (in hex).
str = (myArray[i].length-1).toString(16)+(myArray[i+1].length-1).toString(16)
The characters used in the words is immaterial – only the length matters. The exact same payload could be obfuscated as follows: