generic_javascript_obfuscation5 in abs.twimg.com

On 2020-06-28T20:50:24.660582+00:00 we found pattern generic_javascript_obfuscation5, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://abs.twimg.com/responsive-web/we… referenced from https://twitter.com/mcraffets .

Code sample:

b'["da","de","en","en-gb","es","et","eu","fi","fil","fr","ga","gl","ht","hu","id","it","lt","lv","nl","no","ms","pl","pt","sk","sl","sv","tr","vi"],M={"en-gb":"en","en-ss":"en",fil:"tl",he:"iw",id:"in",msa:"ms",' … b'["createLocalApiErrorHandler","disableTranslation","}\xc3\xab\\\xc2\x85:\xc3\x9a\xc2\x9e\xc3\x89Z\xc2\xb6*\'","header","style","\xc2\xb2\xc3\xaai\xc2\x95\xc3\xa9\xc2\x9e\xc2\x9e\xc3\x96\xc2\xa5-\xc2\xa9\xc3\xa0","translation","translationFetchStatus","tweetId","\xc2\xba\xc3\x87\xc2\xab-\xc2\xa9\xc3\xa0\xc2\xb9\xc2\xa8\x1e",' … b'["createLocalApiErrorHandler","disableTranslation","}\xc3\xab\\\xc2\x85:\xc3\x9a\xc2\x9e\xc3\x89Z\xc2\xb6*\'","header","style","\xc2\xb2\xc3\xaai\xc2\x95\xc3\xa9\xc2\x9e\xc2\x9e\xc3\x96\xc2\xa5-\xc2\xa9\xc3\xa0","translation","translationFetchStatus","tweetId","\xc2\xba\xc3\x87\xc2\xab-\xc2\xa9\xc3\xa0\xc2\xb9\xc2\xa8\x1e",' … b'["bottomControl","createLocalApiErrorHandler","decoration","followRequestReceived","history","\xc2\x96\xc2\x87\x1a\xc2\xb6*\'","hideBlocked","isBlocking","isBlockedBy","isDeviceFollowing","isFollowing","log","onClick","promotedItemId","\xc2\xb1\xc3\x8a\xc3\xa2m\xc3\xa0\x1c\xc2\xb6*\'","scribeData","scribeNamespace","\xc2\xb2\x1a.\xc2\x95\xc3\x94\xc2\x9c\xc2\xae&\xc3\x9e","user","cellClickable","isInSidebar",' … b'["cn","iid","original_referer","nid","ref_src","ref_url","s","partner","uid",' … b'["r\xc2\x89\xc3\xad{\x1bS\xc3\x81\xc3\xa7\xc2\xad","r\xc2\x89\xc3\xad{\x1bS\xc3\x81\xc3\xa7\xc2\xadId","createLocalApiErrorHandler","\xc2\x8a\xc3\x83\xc3\xa2\xc2\x9ew\xc2\x9d","log","onTweetDismiss","promotedContent","\xc2\xae\'!I\xc3\x8a\xc3\xa2m\xc3\xa0\x1c\xc2\xb6*\'","scribeData","scribeNamespace","socialContext","tweet","withHideReply","history","\xc2\x96\xc2\x87\x1a\xc2\xb6*\'",' … b'["v+)\xc2\x95\xc2\xac\xc2\x93{\x1bQjx\x1e","z{b\xc2\xb6\'\xc2\xac","entityBaseUrl","excludeCardUrl","hitHighlights","lang","linkColor","linkify","\xc2\x9d\xc2\xabb\xc2\xbd\xc3\xa2\x03","numberOfLines","onEntityClick","quotedTweetId","\xc2\xaa\xc3\xaa-y\xc3\x94\xc3\xb0y\xc3\xabOz\xc2\xb9\xc2\x9a\xc2\x96)\xc3\xa4","style","text","underlineLinks","withCardLinks","withMediaLinks",' … b'["apiErrorHandlerMap","bottomFetchStatus","createLocalApiErrorHandler","entryConfiguration","entries","v+&\xc2\x8a\xc3\x8b\x1etI\xc3\xad\xc2\xae\'\xc2\xac","fetchBottom","}\xc3\xab\\\xc2\x84\xc2\x89\xc3\xa2\xc2\xb6&\xc2\xa5","}\xc3\xab\\\xc2\x84\xc2\x89\xc3\xa2\xc2\xb6&\xc2\xa5OrTop","}\xc3\xab\\\xc2\x84\xc3\xaam\xc2\x8a\xc2\x89\xc3\xac","fetchTopOptions","loadingAccessibilityLabel","markAllRead","olderAtTop","onEntriesUpdate","pinnedEntry","preprocessEntryList","processCallback","renderUnavailable","scribeData","shouldFetchInitialOnBottomRetry","\xc2\xb6)\xc2\x9e\xc2\x96)\xc3\x9eExist","\xc2\xb6)\xc2\x9e\xc2\x96)\xc3\x9eRef","unavailableReason","updateInstreamVideoEntries",' … b'["letter-spacing","line-height","font-family","font-weight","font-size","font-style","tab-size","text-rendering","text-transform","width","text-indent","padding-top","padding-right","padding-bottom","padding-left","border-top-width","border-right-width","border-bottom-width","border-left-width",' … b'["reply","retweet","quote_tweet","like","send_via_dm","add_to_n\xc2\x8a$\xc2\x99\xc2\xaa\xc3\xa4s","add_to_moment","pin_to_profile",' … b'["broadcast_height","broadcast_id","broadcast_is_360","broadcast_source","broadcast_thumbnail_small","broadcast_thumbnail","broadcast_\xc2\xb6)\xc2\x9er\xc2\x87^","broadcast_replay_edited_start_time","broadcast_url","broadcast_width","broadcaster_twitter_id","broadcaster_\xc2\xba\xc3\x87\xc2\xab\xc2\x9d\xc2\xa9\xc2\x9e","broadcaster_display_name","broadcast_media_id","broadcast_state"],s=["broadcast_height","id","is_360","broadcast_source","thumbnail_small","thumbnail","\xc2\xb6)\xc2\x9er\xc2\x87^","replay_edited_start_time","url","broadcast_width","broadcaster_twitter_id","bro' … b'["broadcast_height","id","is_360","broadcast_source","thumbnail_small","thumbnail","\xc2\xb6)\xc2\x9er\xc2\x87^","replay_edited_start_time","url","broadcast_width","broadcaster_twitter_id","broadcaster_\xc2\xba\xc3\x87\xc2\xab\xc2\x9d\xc2\xa9\xc2\x9e","broadcaster_display_name",' … b'["accessibilityLabel","y\xc3\x98\xc2\xadi\xc2\xb9^","errorText","helperText","Icon","iconStyle","invalid","label","onBlur","\xc2\xa2p\xc2\xa1jx\x1e","onSubmitEditing","onFocus","onKeyDown","onKeyPress","onKeyUp","showValidationIcon","style",' … b'["accessibilityLabel","i\xc3\x8bb\xc2\xbd\xc3\xa4\xc3\xa1\xc2\xbaf\xc3\x82\xc2\xa2Z+","i\xc3\x8bb\xc2\xbd\xc3\xa4\xc3\xabi\xc3\x89\x02\xc2\xa2Z+","v+\x1anW\xc2\x9d","onValueChange","style","thumbColor","trackColor",' … b'["author","broadcast_height","broadcast_id","broadcast_is_360","broadcast_media_id","broadcast_requires_fine_grain_geoblocking","broadcast_source","broadcast_thumbnail","broadcast_width","broadcaster_\xc2\xba\xc3\x87\xc2\xab\xc2\x9d\xc2\xa9\xc2\x9e","event_badge","event_category","event_id","event_title","event_thumbnail","event_thumbnail_color","event_thumbnail_media_size_crops_16x9_h","event_thumbnail_media_size_crops_16x9_w","event_thumbnail_media_size_crops_16x9_x","event_thumbnail_media_size_crops_16x9_y","remind_me_notification_id","rem' … b'["card_url","player_image","player_image_small","player_image_original","promo_image","promo_image_original","title","vanity_url","website_url",' … b'["card_url","broadcast_title","event_subtitle","event_thumbnail","event_thumbnail_original","event_title","summary_photo_image","summary_photo_image_original","thumbnail_image","thumbnail_image_original","title",' … b'["card_url","domain","event_subtitle","event_thumbnail","event_thumbnail_original","event_title","host_name","summary_photo_image","summary_photo_image_original","thumbnail","thumbnail_image","thumbnail_original","title",'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).