Blackhole kit's obfuscation and url parameters have been changed.
Deobfuscated version of code from hxxp://aefrwt6yuy54r3efd.cz.cc/t/db0f207c93faa50fc806110f89c15067 can be found here:
Have been waiting on this, seen alot of small changes to the BH URLs lately.
I have been planing on doing a small write up of how to read black hole URLs. But with the recent changes most of it has changed, but I'll just post some of my notes here quick anyway.
The payload URL from black hole on the following format: http://<domain>/l.php?f=458&e=2
the first letter can be random, but both parameters 'f' and 'e' are more static. I'm not 100% what 'f' is used for but 'e' is used to report which exploit was successful to download the payload.
So by looking at this number you can see which exploit triggered on the victim.
e = 3 -> Java skyline, CVE-2010-3552
e = 2 -> Java Webstart, CVE-2010-0886
e = 4 -> MDAC
e = 7 -> HCP
e = 6 -> PDF
There might be more but those are the most common and those i know of.
Now looking over the new URL format, without having alot of URLs and data to compare it seems this value of 'e' has been kept to some degree.
Lets take the following example:
It looks like the last digit ('6' in this instant) has been kept as a way to record which exploit was successful. From my first glances at this, it does look like the values has changed for the exploits though. In other words 6 does not equal a PDF exploit in the new BH code.