generic_javascript_obfuscation in www.allchristmas.co.uk

On 2018-12-07T06:02:39.028213+00:00 we found the suspicious pattern generic_javascript_obfuscation (type: Suspicious) in the page https://www.allchristmas.co.uk/, referenced from http://www.allchristmas.co.uk/. JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

The suspicious code sample:

b'var _0xdd26=["\\x68\\x72\\x65\\x66","\\x68\\x74\\x74\\x70\\x73\\x3A\\x2F\\x2F\\x77\\x77\\x77\\x2E\\x70\\x69\\x70\\x64\\x69\\x67\\x2E\\x63\\x6F\\x2F\\x77\\x6F\\x72\\x64\\x70\\x72\\x65\\x73\\x73\\x2D\\x6D\\x69\\x67\\x72\\x61\\x74\\x69\\x6F\\x6E\\x73\\x2F","\\x61\\x74\\x74\\x72","\\x61\\x5B\\x68\\x72\\x65\\x66\\x2A\\x3D\\x22\\x62\\x6C\\x6F\\x67\\x67\\x65\\x72\\x32\\x77\\x70\\x22\\x5D' … b'\\x68' … b'\\x72' … b'\\x65' … b'\\x66' … b'\\x68' … b'\\x74' … b'\\x74' … b'\\x70' … b'\\x73' … b'\\x3A' … b'\\x2F' … b'\\x2F' … b'\\x77' … b'\\x77' … b'\\x77' … b'\\x2E' … b'\\x70' … b'\\x69' … b'\\x70' … b'\\x64' … b'\\x69' … b'\\x67' … b'\\x2E' … b'\\x63' … b'\\x6F' … b'\\x2F' … b'\\x77' … b'\\x6F' … b'\\x72' … b'\\x64' … b'\\x70' … b'\\x72' … b'\\x65' … b'\\x73' … b'\\x73' … b'\\x2D' … b'\\x6D' … b'\\x69' … b'\\x67' … b'\\x72' … b'\\x61' … b'\\x74' … b'\\x69' … b'\\x6F' … b'\\x6E' … b'\\x73' … b'\\x2F' … b'\\x61' … b'\\x74' … b'\\x74' … b'\\x72' … b'\\x61' … b'\\x5B' … b'\\x68' … b'\\x72' … b'\\x65' … b'\\x66' … b'\\x2A' … b'\\x3D' … b'\\x22' … b'\\x62' … b'\\x6C' … b'\\x6F' … b'\\x67' … b'\\x67' … b'\\x65' … b'\\x72' … b'\\x32' … b'\\x77' … b'\\x70' … b'\\x22' … b'\\x5D' … b'"application/wlwmanifest+xml"' … b'"application/json+oembed"' … b'%3A' … b'%2F' … b'%2F' … b'%2F' … b'%3A' … b'%2F' … b'%2F' … b'%2F'

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we are using the YARA standard).
