The contract is payable, i.e. will accept ether as payment but doesn't actually do anything. From a glance looks like the withdrawal function is setup to generate the address of the scammer - through all of those obfuscated functions that have hex string slices - so ultimately only they can remove the funds.