generic_javascript_obfuscation5 in 49.docs.google.com

On 2020-08-28T09:46:29.688679+00:00 we found the pattern generic_javascript_obfuscation5 (type: Suspicious) in the page https://49.docs.google.com/comments/d/A… referenced from https://sites.google.com/site/moversint… . Pattern description: JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

Code sample:


This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using the YARA standard).
