generic_javascript_obfuscation in shop-adtm-assets.shpp.ext.zooplus.io

On 2019-11-21T21:31:23.428505+00:00 we found the pattern generic_javascript_obfuscation (type: Suspicious) in the page https://shop-adtm-assets.shpp.ext.zoo..., which is referenced from https://www.zooplus.es/. JavaScript obfuscation is frequently used to hide malicious code, but also in the hope of protecting intellectual property, so a match on this pattern is a reason to review the script rather than proof that it is malicious.

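Code sample (the strings that matched the rule, printed as escaped byte strings; `…` separates non-contiguous excerpts). The repeated sequence `~\xef\xbf\xbd\xdc\xb6*'` contains the UTF-8 replacement character (`\xef\xbf\xbd`), so it is a decoding artifact of the capture rather than part of the script; from context it appears to stand where the `function` keyword would be. The readable identifiers (getMarketingCloudVisitorID, getAudienceManagerBlob, MCMID, the "destination publishing iframe" message) match the public API of Adobe's Experience Cloud ID service, which suggests minified tag-management code rather than deliberately hidden logic; confirm that the script is one the site owner deployed before classifying the match either way.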

b'var l=[];c.forEach(~\xef\xbf\xbd\xdc\xb6*\'(e){z.isObject(e)&&(e.hideReferrer?e.message&&o.addMessage(e.message):l.push(e))}),~\xef\xbf\xbd\xdc\xb6*\' u(){l.length&&setTimeout(~\xef\xbf\xbd\xdc\xb6*\'(){var e=new Image,t=l.shift();e.src=t.url,o.onPageDestinationsFired.push(t),u()},100)}()}o.iframe?(a({message:"The destination publishing iframe is already attached and loaded."}),o.requestToProcess()):!d.subdomain&&d._getField("MCMID")?(o.subdomain=e,o.doAttachIframe=!0,o.url=o.getUrl(),o.readyToAttachIframe()?(o.iframeLoadedCallbacks.push(~\xef\xbf\xbd\xdc\xb6*\'(e){a({m' … b'\\xA0' … b'\\xA0' … b'\\x80' … b'atob' … b'"/info/offer/weihnachten"' … b'"/info/offer/karacsony"' … b'"/info/offer/christmas"' … b'"/info/offer/julemarked"' … b'"/customerpicturedisplay"' … b'"/info/offer/weihnachten"' … b'"/info/offer/karacsony"' … b'"/info/offer/christmas"' … b'"/info/offer/julemarked"' … b'"/customerpicturedisplay"' … b'"getMarketingCloudVisitorID"' … b'"getAnalyticsVisitorID"' … b'"getAudienceManagerBlob"' … b'"getAudienceManagerLocationHint"' … b'"getMarketingCloudVisitorID"' … b'"getAudienceManagerBlob"' … b'"getAudienceManagerLocationHint"' … b'"getAnalyticsVisitorID"' … b'"canSetThirdPartyCookies"' … b'"getMarketingCloudVisitorID"' … b'"getAnalyticsVisitorID"' … b'"getAudienceManagerLocationHint"' … b'"getAudienceManagerBlob"' … b'"isOptInStorageEnabled"' … b'"RLd54ffc39d94e49f2ab0ae165f7469168"' … b'"RLdf0c2dabcab44de6bd5df7eb71df0e19"' … b'"RL6a92eb9042bc4531837121a2e5f168a7"' … b'"RL55008b708ea447c78c5294bad3ce4a8a"' … b'"RLb260185671944caebdf853d564bbfe7a"' … b'"RLb340a4476ff34e49a5695f936ab06428"' … b'"RL7cab030a7f9f40ddb24666272eb50748"' … b'"RL266eb7e8a0454bd1af1bd6b8a5c827b1"' … b'"RL9e310bc1a34248a6a2f389d8b9712fb0"' … b'"RL6a931b1763954d66b018cd327ea73b64"' … b'"RLa17416f07b5b4193ae4b369ca26d9d3d"' … b'"application/javascript\\' … b'"RLa5d7c1ffae704c98ba6f4504a7b4a1f5"' … b'"RL6325a2f69a4c4b25b276da0179227d62"' … b'"RLcf652bf058a04febbb4cc618574f4466"' … 
b'"RL12bcfc5c400940c382e08d6719f20222"' … b'"RL052739f9d24e41ddaa27800fbc7f7840"' … b'"RL94c3ef511317486f9991f48ca677e6fb"' … b'"RL433d751ac33a432997a4fa7fb80e77e4"' … b'"RL88e3539f0d79449c96efec4816f66d74"' … b'"RL814b9bfde76146f9a1e5cb9b865f9572"' … b'"RLc815b3e136694bcca41831b28cceb21a"' … b'"RL4148073cf12b4f40955113b9c9d6eb4a"' … b'"RLdc3dc1f2be724793b21d665a6b225ede"' … b'"RL362ede8aa04e44bc8abf9ee36a390583"' … b'"RL26ea683e3a7646e0b4ecb17bd4f67810"' … b'"RL8ae5d51628004423934a23d1400a3008"' … b'"RLe4c779c7c67f4d3695e36936e57a5b93"' … b'"RL47782e7e37b542639067558bf36934ab"' … b'"RL8b6a01e3a89945fbb7daa7cb0875bc84"' … b'"RL99bb48e8908947a382714006082525f2"' … b"'application/javascript'" … b'"RL9bca88baf60e48628fea6b0bf04ce96a"' … b'"RLc348f8a5911e47b685ebe203c0690268"' … b'"RL3ce508a731a24ee692a2f8c9f6e2dad4"' … b'"RLc46e5154df584d37b2e675d44057a4b2"' … b'"RL277d2f710b2a427f82e4900bddec6a62"' … b'"RLc674dd5663014763b9447601dfe71b4d"' … b'"RL66553ad1c9574fa1b205335f2080d53d"' … b'"RL5eb87190b5ec4ff4ac1507bb66740c4a"' … b'"RLac5fa4e31d5645978d83ae06c55279a1"' … b'"RL790dd7732cfb44848718a95a90c04160"' … b'"RLe17653eae72d48ca84d0819240ed8fc5"' … b'"RLc87a8d63fb5d424c830bff5cf6d7e8f7"' … b'"RLc7120ae5fb3c45928825c458cba23bd0"' … b'"RLfd3e1d3cee0546d78d90d2cb1d070897"' … b'"RL472606be4bc54bdd826cc20f4568b021"' … b'"RLdd1af2ab100e40bdaa851c4982427fa4"' … b'"RL136298aad0d143cca884e8cf770e5289"' … b'"RLc4258bf189dd4182b541af4dab04da24"' … b'"RL24de137e99fb416aab7345c2f4545f5d"' … b'"RL86e6cb485532493c9e61374d8c4ccd33"' … b'"RL5dd8849c26634a5389a925e23b0b1f1e"' … b'"RLbfcfd666891545c09a931d02d3cddbe2"' … b'"RL1c26bc5925e943958d2331715e5f8108"' … b'"RL605494548fb14f2981979d78d9fe8d16"' … b'"RL668aaa374f0e4bdfb39aae6d48f8c85b"' … b'"RL9ccd0f951c2747caad4c4a083d4c5f5e"' … b'"RLb52738818aa445f39ef9c039b375533e"' … b'"RLad340eccb7c0458f95c8df3331bdd930"' … b'"RL7001e8d20d7645a597faea846130691a"' … b'"RLc78ea405406845a58da9afd8c84065ea"' … 
b'"RLca2fd01893b94658bbc6d464bb0b2173"' … b'"RL3ad3600375004f538d067fb4d9861795"' … b'"RL52557a1e162e4aa3ac06aa25335f863c"' … b'"RLa91e1f3578d3440bbae959d87214e978"' … b'"RL549e24e968aa445c9ef5aeb99559fa83"' … b'"RL83e1115f6d794de5897378c7ece85496"' … b'"RL57e7949f048b41cdbb84993da6b7edb3"' … b'"RLf940ff57425b47daa9fe5ea5ca32df79"' … b'"RL873c609847f64f898c2044f216c18c42"' … b'"RL1d0c8678ae434c00aea863342c906ddb"' … b'"RLe0b71b9c99274a4d8b8a37a0916388c0"' … b'"RL5d0ee59cb96047d9adccdd2e5944d8ea"' … b'"RL374b97e4ad1c40ae988fb21f6fea4aed"' … b'"RLe709c44edc604469be7fdb9d52b43df3"' … b'"RLe7b7dbc35acb43889011d8f92b1aae79"' … b'"RL504ff82afa0d441f8b3202d78bcd920d"' … b'"RL706fb757a2704feca3dd385106629fbe"' … b'"dataElementCookiesMigrated"'

This feature is experimental, so please feel free to contact us if you think any of the reported issues is a false positive, or if you want to suggest a pattern that should be detected (we use the YARA rule format).
