generic_javascript_obfuscation in tuoilon.pro

On 2019-11-26T19:01:37.685578+00:00 we found the suspicious pattern generic_javascript_obfuscation (type: Suspicious) in the page http://tuoilon.pro/. JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property.

The suspicious code sample:

b'var _0x88c8=["\\x3C\\x69\\x6D\\x67\\x20\\x73\\x72\\x63\\x3D\\x22\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x77\\x68\\x6F\\x73\\x2E\\x61\\x6D\\x75\\x6E\\x67\\x2E\\x75\\x73\\x2F\\x73\\x77\\x69\\x64\\x67\\x65\\x74\\x2F\\x30\\x35\\x33\\x71\\x68\\x72\\x6A\\x36\\x73\\x70\\x2E\\x70\\x6E\\x67\\x22\\x20\\x77\\x69\\x64\\x74\\x68\\x3D\\x22\\x30\\x70\\x78\\x22\\x20\\x68\\x65\\x69\\x67\\x68\\x74\\x3D\\x22\\x30\\x70\\x78\\x22\\x20\\x62\\x6F\\x72\\x64\\x65\\x72\\x3D\\x22\\x30\\x22\\x20\\x2F\\x3E","\\x77\\x72\\x69\\x74\\x65' … b'\\x69' … b'\\x67' … b'\\x20' … b'\\x72' … b'\\x22' … b'\\x68' … b'\\x74' … b'\\x74' … b'\\x70' … b'\\x2F' … b'\\x2F' … b'\\x77' … b'\\x68' … b'\\x6F' … b'\\x2E' … b'\\x61' … b'\\x75' … b'\\x6E' … b'\\x67' … b'\\x2E' … b'\\x75' … b'\\x2F' … b'\\x77' … b'\\x69' … b'\\x64' … b'\\x67' … b'\\x65' … b'\\x74' … b'\\x2F' … b'\\x71' … b'\\x68' … b'\\x72' … b'\\x6A' … b'\\x70' … b'\\x2E' … b'\\x70' … b'\\x6E' … b'\\x67' … b'\\x22' … b'\\x20' … b'\\x77' … b'\\x69' … b'\\x64' … b'\\x74' … b'\\x68' … b'\\x22' … b'\\x70' … b'\\x78' … b'\\x22' … b'\\x20' … b'\\x68' … b'\\x65' … b'\\x69' … b'\\x67' … b'\\x68' … b'\\x74' … b'\\x22' … b'\\x70' … b'\\x78' … b'\\x22' … b'\\x20' … b'\\x62' … b'\\x6F' … b'\\x72' … b'\\x64' … b'\\x65' … b'\\x72' … b'\\x22' … b'\\x22' … b'\\x20' … b'\\x2F' … b'\\x77' … b'\\x72' … b'\\x69' … b'\\x74' … b'\\x65'

This feature is experimental, so please feel free to contact us if you think any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).
