generic_javascript_obfuscation5 in www.google.com

On 2020-04-25T06:18:18.073684+00:00 we found pattern generic_javascript_obfuscation5 (type: Suspicious; JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property) in the page https://www.google.com/xjs/_/js/k=xjs.s… referenced from http://www.google.com/.

Code sample:

b"['sy9g','sy9c','sylg','sylh','syli','sylw','Fkg7bd','sy9d','sy9f','sy9e','sy9h','sylk','syln','sy4f','sy9b','sylj','syll','sylu','sylt','sylv','HcFEGb','sy4j','sym6','IvlUe','sy4d','sy4e','sy5c','sy5d','sylx','sylz','MC8mtf','OF7gzc','sy9s','sy9u','sy9v','sya5','RMhBfe','T4BAC','TJw5qb','TbaHGc','Y33vzc','sy4g','cdos','sy4c','sy4b','cr','hsm','sylm','sym4','sym5','iDPoPb','jsa','syv','sy5h','sy6t','sy7n','sy7m','sy7o','sy7q','sy7p','sy8c','syae','sym0','sym1','sym2','sym3','sym7','mvYTse','tg8oTe','sycl','s" … b'["connectEnd","r\xef\xbf\xbd\xef\xbf\xbdy\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","cst"],["domainLookupEnd",\n"domainLookupStart","dnst"],["redirectEnd","redirectStart","rdxt"],["\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eEnd","\xef\xbf\xbd\xef\xbf\xbdz\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","rqst"],["\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eEnd","\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eStart","rspt"],["connectEnd","secureConnectionStart","sslt"],["\xef\xbf\xbd\xef\xbf\xbdz\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","navigationStart","rqstt"],["fetchStart","navigationStart","unt"],["unloadEventEnd","\xef\xbf\xbdyhi\xef\xbf\xbd/z{R\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","ppunt"],["r\xef\xbf\xbd\xef\xbf\xbdy\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","navigationStart","cstt"],["domInteractive","navigationStart",' … 

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we are using the YARA standard).