generic_javascript_obfuscation in data.ero-advertising.com

On 2019-12-29T02:19:50.562736+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page http://data.ero-advertising.com/eactrl/… referenced from http://smutmomtube.com/ .

Code sample:

b'\\x20' … b'\\x00' … b'\\xa0' … b'atob' … b'"n3/dk/dl+n2+n1+n0/ne/n7/nf/nq/55//nw+nv+nu/N/nt+ns/nr/i+np+nh/nn/nm/nl+nk/nj+ni/ng/mX+mG/mW+mq+mr/ms+mu/mv+mw+mx+my/mz+mA/mB/mC+mD+mE/mp/mF/mP/mV+mU+mT+mS/mR+mQ+mO/+mH+mN/mM/mL/mK+mJ+mI/nx/mY+ny+o8/oq/op+oo/om/ol/+ok+oi+o9+oh++og/oe/E+M0//od+oc/oa+ot+oj/ou+oE/kz/oK/oJ+oI/oH+oG/B++oF/oD/ow+oC+oB+oA+oz+oy/ox+ov+o7/nQ/o6/nB+nC/nD+nE++nF/nG/nH/nI/nJ/nK+nL+zw/nM+nN/nO/nA/nP+nZ+o5/o4+o3+o2+o1/o0+nY+nR/nX/nW+nV+nU/nT+lz++nS/nz/mn="' … b'"le/dk/dl+mm/kH//kI+kJ/X/kK+kL="'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).