This article explains the backslash escape sequences, such as \x2e, \161 and \u, that are commonly found in files infected with WordPress malware, and how to turn them back into readable text.

De-obfuscating backslash strings that are often found in malware

Malware code is often obfuscated, which means that it is difficult to tell at a glance what it is doing. Some malicious programs make full use of obfuscation to avoid being detected.

Please keep in mind that obfuscation does not necessarily mean malware. Sometimes obfuscation is used to protect the confidentiality of themes, plug-ins, data, etc., or to improve convenience.

One of these obfuscation techniques is to write the characters of a string in a special notation that uses backslashes.
This notation is a way to specify a single character programmatically by its UTF-8 or Unicode code. PHP recognizes it and processes it as an ordinary string, but it is difficult for humans to read.

For example, suppose the following program is included in the malware.

function_exists("\x66\151\154\145\137\x67\145\164\x5f\x63\157\x6e\164\x65\156\x74\x73")

When I tried to echo (output) this \x string code on an online PHP executable site, I got the following results.

In other words, this string is the obfuscated version of file_get_contents.
You can also use echo to un-obfuscate in this way, but there are also online services for un-obfuscating, such as the following.

https://malwaredecoder.com/

http://php-decoder.site/

If the eval function is attached to the end of the malware file

eval is a function that interprets a string as program code and executes it, and is extremely common in malware that executes obfuscated strings such as those described above.

eval("\x661.............")

Alternatively, another obfuscation function, base64_decode, is often used, as shown below.

eval(base64_decode("YRJD........."))

In such cases, it is sometimes possible to rewrite eval as echo to de-obfuscate the string and find out what kind of program the malware is executing.
(The output may itself contain several more nested levels of obfuscated code.)

echo("\x661.............")
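The same decoding can be done without running any PHP at all. The following Python sketch is an added example, not code from the original article: it expands the \x, octal and \u{} escapes as plain text and peels nested eval(base64_decode("...")) wrappers layer by layer. The function names and the sample are this example's own, and it only handles wrappers whose argument is a literal string.

```python
import base64
import re

# PHP double-quoted escapes: \xHH, \NNN (octal), \u{HEX}, simple escapes.
_ESC = re.compile(
    r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|u\{([0-9A-Fa-f]+)\}|([nrtvef\\$"]))')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}
# eval(base64_decode("...")) with a literal string argument.
_EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*(["\'])([A-Za-z0-9+/=]+)\1')


def decode_php_escapes(text: str) -> str:
    """Expand PHP double-quoted escapes as plain text; nothing is executed."""
    def repl(m):
        hex_, octal, uni, simple = m.groups()
        if hex_ is not None:
            return chr(int(hex_, 16))
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)  # PHP wraps octal above \377
        if uni is not None:  # leave out-of-range code points untouched
            return chr(int(uni, 16)) if int(uni, 16) <= 0x10FFFF else m.group(0)
        return _SIMPLE[simple]
    return _ESC.sub(repl, text)


def peel_layers(code: str, max_layers: int = 10) -> list:
    """Return every layer, outermost first, with escapes expanded."""
    layers = [decode_php_escapes(code)]
    for _ in range(max_layers):
        m = _EVAL_B64.search(layers[-1])
        if m is None:
            break
        b64 = m.group(2) + "=" * (-len(m.group(2)) % 4)  # tolerate missing padding
        layers.append(decode_php_escapes(base64.b64decode(b64).decode("latin-1")))
    return layers


def _wrap(php: str) -> str:
    return 'eval(base64_decode("%s"));' % base64.b64encode(php.encode()).decode()

# Constructed sample: a harmless statement, escape-encoded and wrapped twice.
INNER = (r'if (function_exists("\x66\151\154\145\137\x67\145\164\x5f\x63'
         r'\157\x6e\164\x65\156\x74\x73")) { echo 1; }')
SAMPLE = _wrap(_wrap(INNER))

if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(SAMPLE)):
        print(depth, layer)
```

Escapes are expanded across the whole text rather than only inside double-quoted literals, which is enough for reading a sample but is not a PHP parser.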

What if the obfuscated malware file is on a WordPress site?

In this case, we recommend that you perform a comprehensive malware scan, as it is possible that multiple malware files are located deep in the WordPress hierarchy or in folders on other sites on the server.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

If malware is detected, it means that your site has a vulnerability that allowed hackers to get in in the first place, so you will also need to take measures against that vulnerability.