generic_javascript_obfuscation5 in docs.google.com

On 2020-03-16T05:15:41.210128+00:00 we found the pattern generic_javascript_obfuscation5 (type: Suspicious) in the page https://docs.google.com/comments/d/AAHR… referenced from https://sites.google.com/site/moversint… . Pattern description: JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

Code sample:


This feature is experimental, so please feel free to contact us if you believe any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).
