generic_javascript_obfuscation in cdn.jsdelivr.net

On 2017-09-21T11:55:14.791623+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://cdn.jsdelivr.net/npm/yandex-m... referenced from http://fleurmusic.com/ .

Code sample:

b'var h=[\'\\x3ciframe name\\x3d"\',g,\'"\\x3e\\x3c/iframe\\x3e\',\'\\x3cform action\\x3d"\',this._buildUrl(a,b.get),\'" method\\x3d"post" target\\x3d"\',g,\'" enctype\\x3d"\',this.enctype,\'"\\x3e\'];e.forEachKey(b.post,~\xef\xbf\xbd\xdc\xb6*\'(a){e.mergeArrays(h,[\'\\x3cinput type\\x3d"hidden" autor\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd^\\x3d"off" autocorrect\\x3d"off"\',\' autocapitalize\\x3d"off" spellcheck\\x3d"false" name\\x3d"\',a,\'"/\\x3e\'])});e.mergeArrays(h,["\\x3c' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'\\x26' … b'"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"' … b'"R0lGODlhAQABAO+/vQAAAAAAAAAAIe+/vQQBAAAAACwAAAAAAQABAAACAkQBADs\\' … b'"R0lGODlhAQABAO+/vQEAAAAA77+977+977+9Ie+/vQQBAAABACwAAAAAAQABAAACAkwBADs\\' … b'"aHR0cHM6Ly95YW5kZXgucnUvcG9ydGFsL2dlbmVyYXRlXzIwNA\\'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).

Fully automated RESTful API is now available. Subscribe for your free trial today!