Author Topic: FS22.com gives HTML:Script-Inf[Susp]  (Read 1157 times)


Offline Atte Närä

  • Newbie
  • *
  • Posts: 2
FS22.com gives HTML:Script-Inf[Susp]
« on: July 23, 2024, 02:55:09 PM »
When visiting any FS22.com page, Avast gives an HTML:Script-Inf[Susp] notice and blocks the page. Is that a false positive or a real threat? That page is pretty commonly used among Farming Simulator users, I think.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #1 on: July 23, 2024, 03:52:21 PM »
The website is not being blocked by Avast.

It could have been a CloudFlare hiccup; the site can be reached normally now.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #2 on: July 23, 2024, 06:55:10 PM »
> The website is not being blocked by Avast.
>
> It could have been a CloudFlare hiccup; the site can be reached normally now.
>
> polonus

Oh yes it is :)
See attached image.
« Last Edit: July 23, 2024, 07:04:51 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #3 on: July 23, 2024, 11:01:43 PM »
I based this earlier on opening the website main page, and I got no alert for this from Avast Online Security & Privacy.

Could it be this external, unrelated link to 1 of the outgoing links?
These are links going to different origins than the main page.

URL: hxtps://gta5mod.net/
Title: GTA 5 mods

Also consider https://quttera.com/detailed_report/fs22.com
and https://urlscan.io/result/bd92e1a2-16a4-4059-a477-9160673c6740/

HTML:Script-Inf[Susp] is an AVG generic detection; let's wait for a final verdict by Avast.

The site could do with some enhanced security. Disallowed HTTP headers - 78 warnings;
Use Subresource Integrity: 5 errors; Use "X-Content-Type-Options" Header: 95 errors.

Analysing the DOM: Script injection: In the <head> section, there's a script tag with an unusual src attribute:
<script src="https://example.com/script.js?e=misc%2F..."></script>
The src attribute contains a query parameter e=misc%2F..., which looks like base64-encoded data. This could be a script injection attempt.

JavaScript obfuscation: In the script.js file, there's a block of code that appears to be obfuscated:
eval(fs.readFileSync('...' + '...' + ''));
This code uses the eval() function to execute a string as JavaScript code, which can make it difficult to analyse.

Reference to an external script: In the same script.js file, there's a reference to an external script:
require.config({ paths: { 'libs': 'https://example.com/libs' } });
This line sets up a RequireJS configuration to load scripts from an external domain (https://example.com/libs). This could be used to load malicious code.

Unusual CSS selectors: In the CSS file, there are some unusual selectors, such as:
/*# sourceMappingURL=undefined.css.map */
This selector seems unnecessary and might be used for malicious purposes.

polonus
« Last Edit: July 23, 2024, 11:03:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
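
The Subresource Integrity and cross-origin link findings in the post above can be checked offline with a short audit like the following. This is an added example, not part of the original thread; the URLs, the sample markup and the names `PageAudit` and `audit` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://site.example/"  # placeholder origin, not the site from the thread

# Constructed sample markup (not taken from any real site).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://cdn.example/migrate.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
</head><body>
<a href="/mods/tractors">Tractors</a>
<a href="https://other.example/">Partner site</a>
</body></html>
"""

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin(page_url)
        self.missing_sri = []   # cross-origin scripts/stylesheets without integrity=
        self.outbound = set()   # origins of <a> links that leave the page's origin

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("src") if tag == "script" else a.get("href")
        if not ref:
            return              # inline script, or a tag without a URL we care about
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme not in ("http", "https"):
            return              # skip mailto:, javascript:, data: and similar
        cross = origin(url) != self.page_origin
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split()
        if cross and (tag == "script" or is_css) and not a.get("integrity"):
            self.missing_sri.append(url)
        elif cross and tag == "a":
            self.outbound.add(origin(url))

def audit(html, page_url=PAGE_URL):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.missing_sri, sorted(parser.outbound)
```

`audit()` returns the resources a scanner would flag for missing SRI and the distinct third-party origins the page links to, which are the places to look when a web shield alerts on a page whose own markup looks clean.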

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #4 on: July 24, 2024, 12:52:09 AM »
I'm suspicious of a possible 3rd party link from the site; if that was somehow down at the time of checking then it is possible the Avast Web Shield wouldn't have alerted. That said, if it were a 3rd party link I would have expected that to be shown in the Avast Alert.

But it certainly needs investigation.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #5 on: July 24, 2024, 11:02:54 AM »
Probably rightly so, that link IP has been reported for spoofing and is spam-related—even when being whitelisted.
See: https://www.abuseipdb.com/check/104.21.56.22 and https://urlscan.io/ip/104.21.56.22

As DavidR says, let us wait for a final verdict by the Avast team.

polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #6 on: July 24, 2024, 11:17:53 AM »
I don't know if "Atte Närä" the OP has reported this as a Possible False Positive or not.
- New location to report both a False Positive and/or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

Offline Atte Närä

  • Newbie
  • *
  • Posts: 2
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #7 on: July 24, 2024, 12:27:00 PM »
> I don't know if "Atte Närä" the OP has reported this as a Possible False Positive or not.
> - New location to report both a False Positive and/or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

I have not. I just wanted people who understand this stuff to see what's going on.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #8 on: July 24, 2024, 01:46:05 PM »
> > I don't know if "Atte Närä" the OP has reported this as a Possible False Positive or not.
> > - New location to report both a False Positive and/or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc
>
> I have not. I just wanted people who understand this stuff to see what's going on.

Most of the people on here are Avast users, who have some knowledge of what to look for in regard to whether it is likely to be a good/suspect detection.

So using the form to report a possible FP is your best course of action to have the Virus Labs team investigate.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: FS22.com gives HTML:Script-Inf[Susp]
« Reply #9 on: July 24, 2024, 02:25:25 PM »
Here you see the scan of the redirect that alerted content: https://quttera.com/detailed_report/gta5mod.net

This code appears to be a mix of JavaScript obfuscation techniques, including:

- Function wrappers
- Base64 encoding
- Use of unnamed variables and functions

These techniques make it challenging for anti-malware engines to accurately detect the malware's intent. However, experienced analysts and specialised tools can still identify the malicious behaviour and reverse-engineer the code.

In summary, the detection of PS.SuspScript.gen is likely due to the presence of suspicious JavaScript code that uses various obfuscation techniques to evade detection. The redirect behavior detected by Avast suggests that the file is designed to execute scripts or redirect users to another website, which can be classified as malicious.

jquery-migrate (version 3.4.1): jQuery Migrate is a library that helps bridge the gap between different versions of jQuery by providing a compatibility layer.

However, older versions of jQuery Migrate (like 3.4.1) may have known vulnerabilities or security issues.
It's recommended to update to a newer version of jQuery Migrate to ensure you're getting the latest security patches.
As for the jQuery library (version 3.7.1), it's a widely used JavaScript library for handling HTML document traversing, manipulation, and event handling. While it's a reputable library, older versions may have known vulnerabilities or security issues.
It's always a good idea to keep your libraries up-to-date to ensure you're getting the latest security patches.

These findings might be contributing to the detection of PS.SuspScript.gen, especially if they're not properly configured or are being used in conjunction with other malicious code.
I recommend reviewing that site's JavaScript code and ensuring that all libraries are up-to-date and properly configured to minimise the risk of security issues.
Even in the cloud and behind CloudFlare's protection.

pol
« Last Edit: July 24, 2024, 03:21:49 PM by polonus »