It’s subtle, and typical enough to go unregarded, but there’s some misdirection going on. It’s a lot easier to see if we zoom in on it and deconstruct it:

<iframe src="about:blank" id="aXH5y3BEBJ3_RlPmTJxOQuw" frameborder=0 marginwidth=0 marginheight=0 scrolling=no allowtransparency=true width=300 height=250></iframe> <script type="text/javascript">

var all_urls = ['hxxps://weedlio.com/g/2jrVhZ0']

, all_urls_length = all_urls.length

, random_url_number = Math.floor(Math.random() * all_urls_length)

, random_url = all_urls[random_url_number];

document.getElementById("aXH5y3BEBJ3_RlPmTJxOQuw").src = random_url;

</script>

The JavaScript here is completely absent of any practical relevance. It’s a red herring for the guise of ad tech legitimacy, packaged to resemble a cache buster that we are all used to. However, the random number generated here is never applied and the entire 6 lines of code might as well be written like this:

document.getElementById("aXH5y3BEBJ3_RlPmTJxOQuw").src = 'hxxps://weedlio.com/g/2jrVhZ0';

All this does is set the destination of the ad iframe. Let’s render it:

On the surface we’re confronted with a native style ad, but of course there’s more going on… and what’s up with that rumbumptious[.]com domain? Let’s check what the iframe is actually serving up when this creative wins a bid: