generic_javascript_obfuscation5 in sagrada-familia.edu.ar

On 2020-09-15T02:20:24.927388+00:00 we found pattern generic_javascript_obfuscation5 (type: Suspicious) in the page https://sagrada-familia.edu.ar/wp-conte… referenced from http://www.sagrada-familia.edu.ar/. JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

Code sample:

b'[\'textAlign\',\'float\',\'\xc2\xa6\xc2\x8b"\xc2\xb6*\'\',\'top\',\'right\',\'bottom\',\'left\',\'zIndex\',\'width\',\'marginTop\',\'marginRight\',\'\xc2\x99\xc2\xaa\xc3\xa0\xc2\x8aph\xc2\xb6\xc3\x9a&\',\'marginLeft\']),newPosition=\'\xc2\xad\xc3\xa9Z\xc2\xb6+\xc3\x9e\';switch(orgCSS.\xc2\xa6\xc2\x8b"\xc2\xb6*\'){case\'i\xc2\xbb(\xc2\x96\xc3\xab^\':case\'fixed\':newPosition=orgCSS.\xc2\xa6\xc2\x8b"\xc2\xb6*\';break}if(conf.wrapper==\'parent\'){sz_storeOrigCss($wrp)}else{$wrp.css(orgCSS)}$wrp.css({\'\xc2\xa2\xc3\xb7\xc2\xab~Z0\':\'hidden\',\'\xc2\xa6\xc2\x8b"\xc2\xb6*\'\':newPosition});sz_storeOrigCss($cfs);$cfs.data(\'_cfs_origCssZindex\',orgCSS.zIndex);$cfs.css({\'textAlign\':\'left\',\'float\':\'none\',\'\xc2\xa6\xc2\x8b"\xc2\xb6*\'\':\'i\xc2\xbb(\xc2\x96\xc3' … b"['width','innerWidth','outerWidth','height','innerHeight','outerHeight','left','top','marginRight',0,1,2,3],['height','innerHeight','outerHeight','width','innerWidth','outerWidth','top','left','\xc2\x99\xc2\xaa\xc3\xa0\xc2\x8aph\xc2\xb6\xc3\x9a&'," … b"['height','innerHeight','outerHeight','width','innerWidth','outerWidth','top','left','\xc2\x99\xc2\xaa\xc3\xa0\xc2\x8aph\xc2\xb6\xc3\x9a&',"

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using the YARA standard).