It loads malware from multiple sources:
http://serviceandmessage.com/33256.jar (and many other domains).
This is used to load malware from external web sites while not being visible to the user.
Any web site
This malware is generally hidden on .js or .php files without heavy encoding.
Malware dump (sample of malware):