generic_javascript_obfuscation5 in www.riyadonline.com

On 2020-06-21T13:52:56.139116+00:00 we found the pattern generic_javascript_obfuscation5 (type: Suspicious; JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property) in the page https://www.riyadonline.com/ib/js/rol-l… referenced from https://www.riyadonline.com/ib/login.ht… .

Code sample:


This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).