generic_javascript_obfuscation5 in www.google.com

On 2020-08-28T17:10:52.018256+00:00 we found pattern generic_javascript_obfuscation5 (type: Suspicious) in the page https://www.google.com/xjs/_/js/k=xjs.s… referenced from http://www.google.com/. JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

Code sample:

b"['sy4g','sy92','sy96','sy97','IvlUe','sy1ku','VX3lP','sy8m','sy8o','sy8p','sy8q','sy93','sy95','sy94','sy98','sy99','sy9a','sydo','sydq','sydp','sydr','OF7gzc','T4BAC','yQ43ff','sy4b','sy4c','sy4f','sy4d','sy4e','sy10','sy45','sy46','sy5e','sy5f','sy91','syds','sydt','MC8mtf','TJw5qb','sy9t','vWNDde','Y33vzc','sy47','sy48','cdos','sy43','sy44','sy42','cr','hsm','rcWLFd','j5QhF','iDPoPb','jsa','sy4l','J5Ptqf','b1i7ke','sy11y','sdJMUb','sy4h','sy8g','sy8i','sy8j','sy8k','sy8h','sy8l','sy8f','syaz','mI3LFb','s" … b'["connectEnd","r\xef\xbf\xbd\xef\xbf\xbdy\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","cst"],["domainLookupEnd","domainLookupStart","dnst"],["\xef\xbf\xbd\xef\xbf\xbdb\xef\xbf\xbd\xef\xbf\xbd-End","\xef\xbf\xbd\xef\xbf\xbdb\xef\xbf\xbd\xef\xbf\xbd-Start","rdxt"],["\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eEnd","\xef\xbf\xbd\xef\xbf\xbdz\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","rqst"],["\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eEnd","\xef\xbf\xbd\xef\xbf\xbd)\xef\xbf\xbd{\x1eStart","rspt"],["connectEnd","secureConnectionStart","sslt"],["\xef\xbf\xbd\xef\xbf\xbdz\xef\xbf\xbdR\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd","navigationStart","rqstt"],["fetchStart","navigationStart","unt"],["unloadEventEnd","\xef\xbf\xbdyhi\xef\xbf\xbd/z{R\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd",' … 

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we are using the Yara standard).