generic_javascript_obfuscation5 in connect.facebook.net

On 2020-08-01T23:46:39.205576+00:00 we found pattern generic_javascript_obfuscation5 (type: Suspicious; JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property) in the page https://connect.facebook.net/it_IT/sdk.… , referenced from http://www.electronetmodena.it/ .

Note before acting on this hit: connect.facebook.net serves the Facebook JavaScript SDK, and the matched text below is a minified module bundle (see the __d("Name",[dependencies],...) definitions and "!0" standing for true), which is the kind of file a generic obfuscation heuristic commonly flags. The recurring "\xef\xbf\xbd" runs in the sample are the UTF-8 encoding of U+FFFD, the replacement character, so those bytes were already undecodable when the sample was captured and are not what the browser executes. Treat the finding as unverified until the script has been fetched again from the same URL and compared with the capture.

Code sample:

b'["\x11.@\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","\x11.@\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdPrototype","ES5Date","\x11.E\xef\xbf\xbdw-\xef\xbf\xbd\xef\xbf\xbd\xcf\xae\xef\xbf\xbdh\xef\xbf\xbd*^","ES5Object","ES5StringPrototype","\x11.\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","\x11.\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdPrototype","\x11.\xef\xbf\xbdj\xd7\x8f\xef\xbf\xbd\xef\xbf\xbdh\xef\xbf\xbd*^","ES6Number","ES6Object","ES7ArrayPrototype","ES7Object","ES7StringPrototype",' … b'["css:fb.css.base","css:fb.css.dialog","css:fb.css.iframewidget"]});__d("UriNeedRawQuerySVConfig",[],{"uris":["dms.netmng.com","doubleclick.net","r.msn.com","watchit.sky.com","graphite.instagram.com","www.kfc.co.th","learn.pantheon.io","www.landmarkshops.in","www.ncl.com","s0.wp.com","www.tatacliq.com","bs.serving-sys.com","kohls.com","lazada.co.th","xg4ken.com","technopark.ru","officedepot.com.mx","bestbuy.com.mx","booking.com"]});__d("JSSDKXDConfig",[],{"XXdUrl":"\\/x\\/connect\\/xd_arbiter\\/?version=46","us' … b'["dms.netmng.com","doubleclick.net","r.msn.com","watchit.sky.com","graphite.instagram.com","www.kfc.co.th","learn.pantheon.io","www.landmarkshops.in","www.ncl.com","s0.wp.com","www.tatacliq.com","bs.serving-sys.com","kohls.com","lazada.co.th","xg4ken.com","technopark.ru","officedepot.com.mx","bestbuy.com.mx","booking.com"]});__d("JSSDKXDConfig",[],{"XXdUrl":"\\/x\\/connect\\/xd_arbiter\\/?version=46","useCdn":true});__d("JSSDKCanvasPrefetcherConfig",' … b'["Array","Boolean","Date","\x16\xef\xbf\xbd\xdc\xb6*\'","Null","Number","Object","Regexp","String","Undefined"],"forEach",!0,~\xef\xbf\xbd\xdc\xb6*\'(a){i(a,ES(h,"bind",' … b'["DOMWrapper","GlobalCallback","JSSDKCssConfig","Log","dotAccess","sdk.Content","sdk.DOM","sdk.v\xef\xbf\xbd\xef\xbf\xbdy\xef\xbf\xbdr",' … 
b'["blob","cmms","fb","fba","}\xef\xbf\xbd\xef\xbf\xbd\xc2\x8a\xef\xbf\xbd","fb-ama","fb-\xc2\x8a\xef\xbf\xbdr\x16\xef\xbf\xbd","fb-\xc2\x8a\xef\xbf\xbdr\x16\xef\xbf\xbd-secure","fb-messenger","fb-messenger-public","fb-messenger-group-thread","fb-page-messages","fb-pma","fbcf","fbconnect","fbinternal","}\xef\xbf\xbd\xef\xbf\xbdn)^\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","fbrpc","file","ftp","gtalk","http","https","mailto","wss","ms-app","intent","itms","itms-apps","lasso","market","svn+ssh","fbstaging","tel","sms","\xef\xbf\xbd\xef\xbf\xbd\xdb\x95\xef\xbf\xbd\xef\xbf\xbd","sftp","\xef\xbf\xbd\x16\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdi","moments","flash","fblite","chrome-extension","webcal","fb124024574287414","fb1240245742' … b'["ApiBatcher","ApiClientUtils","Assert","ChunkedRequest","CORSRequest","%#\xef\xbf\xbd=\x17\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd-","Log","ObservableMixin","QueryString","UrlMap",' … b'["Log","ObservableMixin","QueryString","UrlMap","sdk.Cookie","sdk.feature","sdk.getContextType","sdk.Impressions","sdk.Runtime","sdk.Scribe","sdk.SignedRequest","sdk.UA","sdk.URI",' … b'["JSSDKXDConfig","Log","QueryString","Queue","UrlMap","guid","isFacebookURI","resolveWindow","sdk.Event","sdk.feature","sdk.RPC","sdk.Runtime","sdk.Scribe",' … b'["Log","QueryString","UrlMap","r\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xe3\x9b\x8d\xef\xbf\xbd-\x16\xef\xbf\xbd&","flattenObject","guid","\xef\xbf\xbd{\x1e\xef\xbf\xbd\xef\xbf\xbd\x1f\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","resolveURI","sdk.api","sdk.Auth","sdk.Content","sdk.Dialog","sdk.DOM","sdk.Event","sdk.Extensions","sdk.fbt","sdk.feature","sdk.\x16\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd*\'\xef\xbf\xbd\xef\xbf\xbd,","sdk.getContextType","sdk.Impressions","sdk.Native","sdk.openMessenger","sdk.RPC","sdk.Runtime","sdk.Scribe","sdk.UA",' … b'["FB","Log","sdk.Auth","sdk.Cookie","sdk.Event","sdk.Runtime","sdk.SignedRequest","sdk.ui","sdk.warnInsecure"],(~\xef\xbf\xbd\xdc\xb6*\'(a,b,c,d,e,f){b("FB").provide("",' … 
b'["Assert","sdk.Canvas.Environment","sdk.Event","FB","sdk.Canvas.IframeHandling","sdk.Canvas.Navigation","sdk.Canvas.Plugin","sdk.RPC","sdk.Runtime","sdk.Canvas.Tti"],(~\xef\xbf\xbd\xdc\xb6*\'(a,b,c,d,e,f){b("FB").provide("Canvas",' … b'["Log","1\xef\xbf\xbd\xda\x81\xef\xbf\xbdD\xef\xbf\xbd\xef\xbf\xbd+","QueryString","sdk.Cookie","sdk.ErrorHandling","sdk.Event","sdk.MBasicInitializer","sdk.PlatformVersioning","sdk.Runtime","sdk.UA",' … b'["Log","ObservableMixin","QueryString","Type","UrlMap","guid","sdk.Auth","sdk.createIframe","sdk.DOM","sdk.Event","sdk.PlatformVersioning","sdk.PluginUtils","sdk.Runtime","sdk.UA","sdk.URI",' … b'["!\xef\xbf\xbd\xda\x99\xef\xbf\xbd\xef\xbf\xbd\x08\xef\xbf\xbd","QueryString","UrlMap","sdk.DOM","sdk.Event","sdk.PluginUtils","sdk.Runtime","sdk.UA",' … b'["!\xef\xbf\xbd\xda\x99\xef\xbf\xbd\xef\xbf\xbd\x08\xef\xbf\xbd","Log","guid","\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\x12\xef\xbf\xbd\xef\xbf\xbd","sdk.Auth","sdk.Dialog","sdk.ErrorHandling","sdk.feature","sdk.getContextType","sdk.Impressions","sdk.PluginUtils","sdk.Runtime","sdk.Scribe","sdk.ui","sdk.UIServer",' … b'["!\xef\xbf\xbd\xda\x99\xef\xbf\xbd\xef\xbf\xbd\x08\xef\xbf\xbd","UrlMap","sdk.Content","sdk.createIframe","sdk.DialogUtils","sdk.DOM","sdk.Event","sdk.Runtime","sdk.UA",' … b'["!\xef\xbf\xbd\xda\x99\xef\xbf\xbd\xef\xbf\xbd\x08\xef\xbf\xbd",">[\xef\xbf\xbd\xef\xbf\xbdp\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","PluginTags","XFBML","sdk.feature","sdk.XFBML.Comments","sdk.XFBML.CommentsCount","sdk.XFBML.LoginButton","sdk.XFBML.Quote","sdk.XFBML.Save","sdk.XFBML.ShareButton",'
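The following is an added triage helper for a hit of this kind; it is neither the scanner's detection logic nor Facebook SDK code. It takes the matched sample as bytes (the form shown above) and separates the two things a reviewer has to tell apart before accepting the "Suspicious" label: how much of the sample is the UTF-8 encoding of U+FFFD (b"\xef\xbf\xbd", content lost in the capture rather than script code), which __d("Name",[deps],...) module definitions survive, and which string literals contain the replacement character. The SAMPLE bytes are constructed for the example, modelled on the fragments above, and the function names are the example's own.

```python
"""Triage helper for a JavaScript-obfuscation hit on a captured script.

Added example for this page; it is neither the scanner's detection logic nor
Facebook SDK code. The input is the matched sample as bytes, in the form shown
above (a Python bytes repr). It separates two things a reviewer needs to tell
apart before trusting the "Suspicious" label:

  * capture damage: b"\\xef\\xbf\\xbd" is the UTF-8 encoding of U+FFFD, the
    replacement character, so every such run marks bytes that were already
    undecodable when the sample was stored and cannot be the script's real
    content;
  * structure that survives: the __d("Name", [deps], ...) module definitions
    visible in the sample are a minified module bundle, which is what a
    generic "obfuscation" heuristic most often fires on.
"""
import re

REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 bytes of U+FFFD

# Constructed sample (not the page's capture): a few fragments modelled on the
# ones shown above, joined so that the helper has something realistic to parse.
SAMPLE = (
    b'__d("UriNeedRawQuerySVConfig",[],{"uris":["dms.netmng.com","doubleclick.net"]});'
    b'__d("JSSDKXDConfig",[],{"XXdUrl":"\\/x\\/connect\\/xd_arbiter\\/?version=46","useCdn":true});'
    b'["Array","Boolean","Date","\x16\xef\xbf\xbd\xdc\xb6*\'","Null"],"forEach",!0,~\xef\xbf\xbd\xdc\xb6*\'(a){'
    b'__d("sdk.Auth",["Log","sdk.Cookie","sdk.Event"],(~\xef\xbf\xbd\xdc\xb6*\'(a,b,c,d,e,f){b("FB").provide("",'
)

# __d("Name",[deps],...) as emitted by the module loader seen in the sample
_MODULE_RE = re.compile(r'__d\("([^"]+)",\[([^\]]*)\]')
# double-quoted string literals (good enough for minified JSON-like config)
_STRING_RE = re.compile(r'"([^"]*)"')


def replacement_ratio(sample: bytes) -> float:
    """Fraction of the sample's bytes that are U+FFFD sequences (capture damage)."""
    if not sample:
        return 0.0
    return sample.count(REPLACEMENT) * len(REPLACEMENT) / len(sample)


def module_definitions(sample: bytes) -> dict[str, list[str]]:
    """Module name -> declared dependencies for each __d("Name",[deps],...) call."""
    text = sample.decode("utf-8", errors="replace")
    return {
        name: _STRING_RE.findall(deps)
        for name, deps in _MODULE_RE.findall(text)
    }


def damaged_tokens(sample: bytes) -> list[str]:
    """String literals containing U+FFFD: content lost in the capture, not obfuscation."""
    text = sample.decode("utf-8", errors="replace")
    return [tok for tok in _STRING_RE.findall(text) if "\ufffd" in tok]


def triage(sample: bytes) -> dict:
    """Summary a reviewer can compare against a fresh download of the same URL."""
    return {
        "bytes": len(sample),
        "replacement_ratio": round(replacement_ratio(sample), 4),
        "modules": module_definitions(sample),
        "damaged_tokens": damaged_tokens(sample),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on the real capture by replacing SAMPLE with the bytes from the report; a non-zero replacement ratio means the detector matched on decoding damage, and the surviving module names are what to look for in a fresh download of the script when checking whether the hit reproduces.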

This feature is experimental, so please contact us if you believe any of the reported issues is a false positive, or if you want to suggest a pattern that should be detected (our patterns are written as YARA rules).

A fully automated RESTful API is now available. Subscribe for your free trial today!