generic_javascript_obfuscation in www.lirescan.me

On 2019-10-03T20:28:44.696668+00:00 we found the suspicious pattern generic_javascript_obfuscation, type: Suspicious (JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property), in the page https://www.lirescan.me/nanatsu-no-taiz…

The suspicious code sample:


This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).
