generic_javascript_obfuscation in images-na.ssl-images-amazon.com

On 2019-12-24T19:18:36.685649+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://images-na.ssl-images-amazon.com… referenced from https://www.amazon.in/MS-International-… .

Code sample:

b'var v=[];a(".nav-item",r.elem()).each(~\xe9\xdc\xb6*\'(){var b=a(this);v.push({link:b,panelKey:b.attr("data-nav-panelkey")})});if(0!==v.length){var u=!1,x=a("\\x3c' … b'var g=[],l="";if(0<c.boxes){var h=Math.ceil(c.boxes);1===h?g.push(v.replace("{count}",h)):g.push(w.replace("{count}",h))}1===c.count?g.push(t.replace("{count}",c.count)):1<c.count&&g.push(m.replace("{count}",c.count));if(0<c.boxes){var h=Math.floor(c.boxes),k=Math.round(1E3*(c.boxes-h))/10;0===h||0===k?g.push(r.replace("{pct}",0===k?100:k)):g.push(q.replace("{pct}",k))}for(h=0;h<g.length;h++)l+="\\x3c' … b'var d=[],h=0;h<c.length;h++){var g={type:"bia",dp:"/dp/"+c[h].value+"/ref\\x3d"+c[h].refTag+"?crid\\x3d"+a.responseId,title:c[h].asinTitle,price:c[h].displayPrice,image:c[h].imageUrl,purchaseDate:c[h].purchaseDateDisplay,purchasedText:e};"amazonfresh"===a.alias&&(g.dp+="\\x26' … b'var b=[d.widget,":"],c=0;c<d.asins.length;c++){var f=d.asins[c];b.push(f.asin,"@");a.each(f,~\xe9\xdc\xb6*\'(a,d){"asin"!==a&&b.push(a,"\\x3d",d,"|")});b.splice(b.length-1,1);b.push(",")}0<d.asins.length&&b.splice(b.length-1,1);l&&(b.push(":","action\\x3d",d.action),a.each(d.meta,~\xe9\xdc\xb6*\'(a,d){b.push(",",a,"\\x3d' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'"hamburgerIosScrollSpy"' … b'"hamburgerMenuInteractionJS"' … b'"HamburgerMenuFirstLayerAJAXCall"' … b'"AmazonNavigationCards"' … b'"hMenuDesktopFirstLayer"' … b'"hMenuItemClickHandler"' … b'"hamburgerIosScrollSpy"' … b'"hMenuItemClickHandler"' … b'"hamburgerMenuInteractionJS"' … b'"updateHamburgerMenuMozartUpdateUrl"' … b'"hMenuItemClickHandler"' … b'"AmazonNavigationCards"' … b'"HMenuSecondLayerVariables"' … b'"notificationInteractionJS"' … b'"AmazonNavigationCards"' … b'"AmazonNavigationDesktopAssets"' … b'"1234567890abcdefghijklmnopqurstuvwxyz"' … b'"cartTemplateAvailable"' … b'"discoveryPanelSummary"' … b'"SDAYourAccountNoThanks"' … b'"navDisablePrimeTooltipData"' … b'"bindProvidersToEvents"' … b'"pseudoPrimeFirstBrowse"' … b'"pseudoPrimeFirstBrowseMessage"' … b'"pseudoPrimeFirstBrowseMessage"' … b'"cartTemplateAvailable"' … b'"bindGenzProvidersToEvents"' … b'"NavbarSSLPageReadyTrigger"' … b'"upnavAiryVideoAlignment"' … b'"AmazonNavigationCards"' … b'"transientFlyoutTrigger"' … b'"transientFlyoutContent"' … b'"packardGlowIngressJsEnabled"' … b'"AmazonNavigationCards"' … b'"HamburgerMenuFirstLayerAJAXCall"' … b'"HamburgerMenuFirstLayerAJAXCallDesktop"' … b'"HamburgerMenuFirstLayerAJAXCallDesktop"' … b'"HamburgerMenuAJAXCall"' … b'"searchDropdownMetrics"' … b'"onFocusWithSearchTerm"' … b'"onFocusEmptySearchTerm"' … b'"RecentHistoryFooterJS"' … b'"deliverydestinationtype"' … b'"GLUXRefreshController"' … b'"GLUXRefreshController"' … b'"AssociatesSiteStripeJS"' … b'"/associates/sitestripe/validateAsin"' … b'"/associates/sitestripe/getStoreTagMap"' … b'"/associates/sitestripe/setDefaultStoreTag"' … b'"/associates/sitestripe/hideSiteStripe"' … b'"/associates/sitestripe/showSiteStripe"' … b'"/associates/sitestripe/getShortUrl"' … b'%3D' … b'%3D' … b'%3D' … b'%12' … b'%12' … b'%36' … b'%60' … b'%2F' … b'%2F' … b'%32'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).