generic_javascript_obfuscation in images-eu.ssl-images-amazon.com

On 2019-12-24T19:18:36.071833+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://images-eu.ssl-images-amazon.com… referenced from https://www.amazon.in/MS-International-… .

Code sample:

b'var f=[],g,h=0,k;null!=(k=a[h]);h++)if("number"===typeof k&&(k+=""),k){if("string"===typeof k)if(Nb.test(k)){k=k.replace(Xa,"\\x3c' … b'var d=[],e=~\xe9\xdc\xb6*\'(a,b){b=c.isFunction(b)?b():b;d[d.length]=encodeURIComponent(a)+"\\x3d' … b'var e=[];a(b,c).each(~\xe9\xdc\xb6*\'(){var b=a(this);if(!b.data("a-image-already-loaded")){b.data("a-image-already-loaded",!0);var c=m(b),f=a("\\x3c' … b'\\x26' … b'\\xA0' … b'\\xA0' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'"getBoundingClientRect"' … b'"RequestAnimationFrame"' … b'"CancelRequestAnimationFrame"' … b'"transitionSlideCircularFirstCardIndex"' … b'"registerCarouselClass"' … b'"registerCarouselClass"' … b'"hideHeaderCloseButtonLayout"' … b'"carduiExpandControlFooter"' … b'%20'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).