Today, let's get our hands dirty by analyzing an "interesting" sample that I found in the wild earlier today. There are several interesting things about this sample. The first is that the authors don't really hide or obfuscate anything: they left it all in plain text, and exposed the contents of their server (by accident, I think).
The second interesting point: the index.html contains a malicious Windows binary encoded as hex escape sequences, which are translated back into the binary's bytes by calling the JavaScript unescape() function. The author then passes the result to document.write, and (I think) was hoping that the decoded binary would make the browser prompt the user to download it. It won't: document.write inserts the string into the page as HTML markup, so the browser renders it as text rather than offering a file, and unescape() yields a JavaScript string of 16-bit code units, not a byte buffer.
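The trick described above is easy to spot in page source once you know what to look for. The following is an added example, not code from the Blue Coat post or from the sample itself: it re-implements the legacy unescape() semantics (%XX and %uXXXX), pulls every unescape("...") string literal out of a page, decodes it to bytes, and checks for a PE header (the "MZ" stub plus an e_lfanew pointer at offset 0x3c to "PE\0\0"). The page it scans is constructed inline from a stub DOS header, not a real executable; the function names are my own.

```javascript
// Added example (not from the original post): find a Windows PE embedded in a
// web page as a %XX-escaped string that is decoded with unescape().

// Re-implementation of the legacy JavaScript unescape(): %XX -> one char code,
// %uXXXX -> one UTF-16 code unit, everything else copied through unchanged.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Turn the decoded string into raw bytes: one byte per code unit (low 8 bits),
// which is what the escaped %XX form represents.
function toBytes(s) {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

// Minimal PE check: 'MZ' at offset 0, and the little-endian DWORD at 0x3c
// (e_lfanew) points inside the buffer at the bytes 'PE\0\0'.
function looksLikePE(bytes) {
  if (bytes.length < 0x40 || bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;
  const eLfanew = bytes[0x3c] | (bytes[0x3d] << 8) | (bytes[0x3e] << 16) | (bytes[0x3f] << 24);
  if (eLfanew < 0 || eLfanew + 4 > bytes.length) return false;
  return bytes[eLfanew] === 0x50 && bytes[eLfanew + 1] === 0x45 &&
         bytes[eLfanew + 2] === 0 && bytes[eLfanew + 3] === 0;
}

// Extract every unescape("...") / unescape('...') string literal from page source.
function extractUnescapeLiterals(html) {
  const re = /unescape\(\s*(["'])((?:(?!\1)[\s\S])*)\1\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[2]);
  return found;
}

// Scan page source and report each unescape() literal that decodes to a PE image.
function findEmbeddedPE(html) {
  const hits = [];
  for (const lit of extractUnescapeLiterals(html)) {
    const bytes = toBytes(legacyUnescape(lit));
    if (looksLikePE(bytes)) hits.push({ escapedLength: lit.length, decodedBytes: bytes.length });
  }
  return hits;
}

// Constructed sample page (not the real index.html): a stub DOS header with
// e_lfanew = 0x40 followed by 'PE\0\0', escaped the way the post describes,
// next to a benign unescape() call that only decodes some HTML.
function buildSamplePage() {
  const stub = new Uint8Array(0x44);
  stub[0] = 0x4d; stub[1] = 0x5a;                       // 'MZ'
  stub[0x3c] = 0x40;                                    // e_lfanew -> 0x40 (little-endian)
  stub.set([0x50, 0x45, 0, 0], 0x40);                   // 'PE\0\0'
  const escaped = Array.from(stub, b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
  return '<html><body><script>\n' +
         'document.write(unescape("%3Cb%3Ehello%3C/b%3E"));\n' +   // benign decoy
         'document.write(unescape("' + escaped + '"));\n' +
         '</script></body></html>';
}

// Stand-alone run: expect exactly one hit, 68 decoded bytes.
console.log(findEmbeddedPE(buildSamplePage()));
```

In a real triage the interesting literal is usually the one that is tens or hundreds of kilobytes long; the PE check on the decoded bytes separates an embedded executable from the far more common case of escaped HTML or script. Note that the decoder is deliberately implemented by hand rather than calling the built-in unescape(), which is deprecated, so the scanner behaves the same everywhere.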
Read more: http://www.bluecoat.com/security-blog/2013-01-18/dive-water-hole?utm_source=twitterfeed&utm_medium=twitter