generic_javascript_obfuscation in gunimalpengu.com

On 2019-12-02T04:31:10.501828+00:00 we found the suspicious pattern generic_javascript_obfuscation (type: Suspicious) in the page https://gunimalpengu.com/YFCVTL?tag_id=… JavaScript obfuscation is frequently used to hide malicious code (or, in some cases, in the hope of protecting intellectual property).

The suspicious code sample:


This feature is experimental, so please feel free to contact us if you believe any of the reported issues are false positives, or if you want to suggest a pattern that should be detected (the patterns are written as standard YARA rules).
