Author Topic: Suspicious JavaScript Obfuscation detected....

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31275
  • malware fighter
Suspicious JavaScript Obfuscation detected....
« on: April 15, 2019, 04:58:17 PM »
See: https://urlquery.net/report/2e444bfc-676d-4fe1-9f69-a0328f141d36
Flagged here: https://www.virustotal.com/en/url/407a9bcd9439b69f041c4fe8ace1156ac439dd4ce69dc245885790f5796f1b8d/analysis/1555338643/
blacklisted external links & blacklisted iframes: https://quttera.com/detailed_report/dmuller.net

https://sitecheck.sucuri.net/results/dmuller.net
Blocked for me javascript to -http://s47.sitemeter.com/js/counter.js?site=s47phoenixnet
Site also blacklisted by Yandex: https://www.yandex.com/infected?url=dmuller.net

Also detected: -http://mailhide.recaptcha.net/d?k=01lgAndaS1VU6rqbxzR7LMyA==&c=mgS5PlYSw5ukLXrkwl2eC-ttQigM7YLCzZmUwTNH-9E=   1
additional links like -EXTRALINK##-http://s47.sitemeter.com/js/counter.js?site=s47phoenixnet   1
EXTRALINK##-http://s47.sitemeter.com/stats.asp?site=s47phoenixnet   1
EXTRALINK##-http://s47.sitemeter.com/meter.asp?site=s47phoenixnet   1
FILE##v3track.php?trackref%3Dhttp%3a%2f%2fgoogle.com&trackuri%3D%2fspaceflight%2findex.php&trackdim%3Dx&trackcountry%3Dru
various external links, extphp etc.

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

Re: Suspicious JavaScript Obfuscation detected....
« Reply #2 on: April 15, 2019, 10:05:07 PM »
Hi Pondus,

Thanks for demonstrating that this is again part of the same long ongoing malware campaign, involving:
   -http://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d

We have met this one a couple of times before.

Damian aka polonus
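The scanner reports quoted in both posts boil down to one check: enumerate every reference the page makes to a third-party host and compare it with what is already known to be blocked. The following is an added example of that triage step, written for this thread and not code from the original posts or from any of the scanners linked above. The HTML is a constructed sample that only mirrors the kinds of references the reports listed (the sitemeter counter script, the sd5doozry8.com URL from the campaign, the mailhide link); the blocklist is an assumption built from the hosts the thread itself calls blocked or campaign-related, and the output uses the forum's own "-http://" defanging convention.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT the real dmuller.net markup): it reproduces the
# reference types the Quttera/Sucuri reports in the thread listed.
SAMPLE_HTML = """
<html><body>
<script src="http://s47.sitemeter.com/js/counter.js?site=s47phoenixnet"></script>
<script src="/local/app.js"></script>
<iframe src="http://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d"></iframe>
<a href="http://mailhide.recaptcha.net/d?k=01lgAndaS1VU6rqbxzR7LMyA==">contact</a>
<img src="//s47.sitemeter.com/meter.asp?site=s47phoenixnet">
</body></html>
"""

# Assumed blocklist: the hosts this thread names as blocked by the poster's
# AV or as part of the ongoing campaign. In practice this comes from a feed.
SUSPECT_HOSTS = {"s47.sitemeter.com", "sd5doozry8.com"}

# Tags that pull remote content, and the attribute that carries the URL.
# A <script src> runs with the page's origin; an <iframe> or <img> does not,
# so the tag is kept in the output to rank findings.
REF_TAGS = {"script": "src", "iframe": "src", "img": "src",
            "a": "href", "link": "href"}


class ExternalRefParser(HTMLParser):
    """Collect (tag, url) pairs for every remote-loading attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REF_TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def external_refs(html, site_host):
    """Return (tag, host, url) for references that leave site_host."""
    parser = ExternalRefParser()
    parser.feed(html)
    found = []
    for tag, url in parser.refs:
        # Protocol-relative URLs ("//host/...") have no scheme; give them one
        # so urlparse fills in netloc.
        parsed = urlparse("http:" + url if url.startswith("//") else url)
        host = parsed.netloc.lower()
        if host and host != site_host.lower():
            found.append((tag, host, url))
    return found


def defang(url):
    """Prefix with '-' so the URL is not clickable, as the thread does."""
    return "-" + url


def triage(html, site_host, suspect_hosts=SUSPECT_HOSTS):
    """Classify each external reference against the blocklist."""
    findings = []
    for tag, host, url in external_refs(html, site_host):
        verdict = "BLOCKLISTED" if host in suspect_hosts else "review"
        findings.append({"tag": tag, "host": host,
                         "url": defang(url), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HTML, "dmuller.net"):
        print(f"{f['verdict']:12} {f['tag']:7} {f['url']}")
```

Run against the sample, the two sitemeter references and the sd5doozry8.com iframe come back as BLOCKLISTED and the mailhide link as "review"; the local `/local/app.js` is dropped because it has no host of its own. The point of keeping the tag name in each finding is that a blocklisted `<script src>` is a much stronger signal than a blocklisted `<img>`: the former executes in the site's origin, which is what turns a stale third-party counter into a delivery mechanism once that host changes hands.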