generic_javascript_obfuscation in images-eu.ssl-images-amazon.com

On 2019-12-17T12:38:09.062050+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://images-eu.ssl-images-amazon.com… referenced from https://www.amazon.in/MS-International-… .

Code sample:

b'var v=[];a(".nav-item",r.elem()).each(~\xe9\xdc\xb6*\'(){var b=a(this);v.push({link:b,panelKey:b.attr("data-nav-panelkey")})});if(0!==v.length){var u=!1,x=a("\\x3c' … b'var d=[],h=0;h<c.length;h++){var g={type:"bia",dp:"/dp/"+c[h].value+"/ref\\x3d"+c[h].refTag+"?crid\\x3d"+a.responseId,title:c[h].asinTitle,price:c[h].displayPrice,image:c[h].imageUrl,purchaseDate:c[h].purchaseDateDisplay,purchasedText:e};"amazonfresh"===a.alias&&(g.dp+="\\x26' … b'var b=[d.widget,":"],c=0;c<d.asins.length;c++){var f=d.asins[c];b.push(f.asin,"@");a.each(f,~\xe9\xdc\xb6*\'(a,d){"asin"!==a&&b.push(a,"\\x3d",d,"|")});b.splice(b.length-1,1);b.push(",")}0<d.asins.length&&b.splice(b.length-1,1);l&&(b.push(":","action\\x3d",d.action),a.each(d.meta,~\xe9\xdc\xb6*\'(a,d){b.push(",",a,"\\x3d' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'"hamburgerIosScrollSpy"' … b'"hamburgerMenuInteractionJS"' … b'"HamburgerMenuFirstLayerAJAXCall"' … b'"AmazonNavigationCards"' … b'"hMenuDesktopFirstLayer"' … b'"hMenuItemClickHandler"' … b'"hamburgerIosScrollSpy"' … b'"hMenuItemClickHandler"' … b'"hamburgerMenuInteractionJS"' … b'"updateHamburgerMenuMozartUpdateUrl"' … b'"hMenuItemClickHandler"' … b'"AmazonNavigationCards"' … b'"HMenuSecondLayerVariables"' … b'"notificationInteractionJS"' … b'"AmazonNavigationCards"' … b'"AmazonNavigationDesktopAssets"' … b'"1234567890abcdefghijklmnopqurstuvwxyz"' … b'"cartTemplateAvailable"' … b'"discoveryPanelSummary"' … b'"SDAYourAccountNoThanks"' … b'"navDisablePrimeTooltipData"' … b'"bindProvidersToEvents"' … b'"pseudoPrimeFirstBrowse"' … b'"pseudoPrimeFirstBrowseMessage"' … b'"pseudoPrimeFirstBrowseMessage"' … b'"cartTemplateAvailable"' … b'"bindGenzProvidersToEvents"' … b'"NavbarSSLPageReadyTrigger"' … b'"upnavAiryVideoAlignment"' … b'"AmazonNavigationCards"' … b'"transientFlyoutTrigger"' … b'"transientFlyoutContent"' … b'"packardGlowIngressJsEnabled"' … b'"AmazonNavigationCards"' … b'"HamburgerMenuFirstLayerAJAXCall"' … b'"HamburgerMenuFirstLayerAJAXCallDesktop"' … b'"HamburgerMenuFirstLayerAJAXCallDesktop"' … b'"HamburgerMenuAJAXCall"' … b'"searchDropdownMetrics"' … b'"onFocusWithSearchTerm"' … b'"onFocusEmptySearchTerm"' … b'"RecentHistoryFooterJS"' … b'"deliverydestinationtype"' … b'"GLUXRefreshController"' … b'"GLUXRefreshController"' … b'"AssociatesSiteStripeJS"' … b'"/associates/sitestripe/validateAsin"' … b'"/associates/sitestripe/getStoreTagMap"' … b'"/associates/sitestripe/setDefaultStoreTag"' … b'"/associates/sitestripe/hideSiteStripe"' … b'"/associates/sitestripe/showSiteStripe"' … b'"/associates/sitestripe/getShortUrl"' … b'%3D' … b'%3D' … b'%3D' … b'%12' … b'%12' … b'%36' … b'%60' … b'%2F' … b'%2F' … b'%32'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).