So, this is for the OP who posted a PHP malware on /r/ReverseEngineering and set a $100 bounty to reverse it... then proceeded to delete their account and post. Since I was bored, I took a look:

Original Pastebin: http://pastebin.com/87iJgzzB

The quick&dirty 20 minute anaylsis:

Check Phrase:

<?php if(!isset($GLOBALS["anuna"])) { $ua=strtolower($_SERVER["HTTP_USER_AGENT"]); if ((! strstr($ua,"msie")) and (! strstr($ua,"rv:11"))) $GLOBALS["anuna"]=1; } ?>

Check that client is not using MSIE11 and save the check as a global variable

First Phrase:

$zmwkcjkbnh($jxbuupldzz, $wsdknlrysq, NULL);

Decodes to

preg_replace("/(.*)/e", " /* dcmiatiqjl */ eval(str_replace(chr((244-207)), chr((472-380)), ahvrqynpvc($dasheqyovl,$onhquagibb))); /* zpzfmucwvg */ ", NULL);

Using the preg_replace 'e' execute method

str_replace(chr((244-207)), chr((472-380)), ahvrqynpvc($dasheqyovl,$onhquagibb))

Is ran as PHP Code (second Phrase)

Second Phrase

Same preg_replace trick is used to deobfuscate another payload.. and again.. and again

I reversed a couple of phases and made various deobfuscation edits to them to dump data. The following are some key steps in the obfuscation:

http://pastebin.com/39nGx8ke

http://pastebin.com/EAhk8R9q

http://pastebin.com/eVRMgYtw

Notice how it's pretty much the same trick with preg_replace to execute code. The last step, it uses create_function to execute code. This is the final payload:

http://pastebin.com/ULSXrsg2

It basically downloads some payload from a random domain and sticks it onto the website. Nothing too interesting.