generic_javascript_obfuscation in www.imeducate.com

On 2020-01-15T02:58:15.740331+00:00 we found pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://www.imeducate.com/assets/comm... referenced from https://www.imeducate.com/ .

Code sample:

b'var n=[];t>0;n[--t]=e);return n.join("")}~\xe9\xdc\xb6*\' sprintf(){for(var e,t,n,i,r,a=0,o=arguments[a++],s=[],l="";o;){if(t=/^[^\\x25]+/.exec(o))s.push(t[0]);else if(t=/^\\x25{2}/.exec(o))s.push("%");else{if(!(t=/^\\x25(?:(\\d+)\\$)?(\\+)?(0|\'[^$])?(-)?(\\d+)?(?:\\.(\\d+))?([b-fosuxX])/.exec(o)))throw"Huh ?!";if(null==(e=arguments[t[1]||a++])||void 0==e)throw"Too few arguments.";if(/[^s]/.test(t[7])&&"number"!=typeof e)throw"Expecting number but found "+typeof e;switch(t[7]){case"b":e=e.toString(2);break;case"c":e=String.fr' … b'var e=[].slice;window.HAML=~\xe9\xdc\xb6*\'(){~\xe9\xdc\xb6*\' t(){}return t.escape=~\xe9\xdc\xb6*\'(e){return(""+e).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/\'/g,"&#39;").replace(/\\//g,"&#47;")},t.cleanValue=~\xe9\xdc\xb6*\'(e){switch(e){case null:case void 0:return"";case!0:case!1:return"\\x93' … b'\\x25' … b'\\x25' … b'\\x25' … b'\\xA0' … b'\\xA0' … b'\\x20' … b'\\x00' … b'\\xa0' … b'"navigationAsDateFormat"' … b'%20' … b'%10' … b'%10' … b'%10' … b'%10' … b'%10' … b'%10'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).

Fully automated RESTful API is now available. Subscribe for your free trial today!