Base64-encoded document body

To evade static analysis, the document body can returned base64 encoded in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

References

https://urlscan.io/result/3b445b90-5d04-4b36-b29a-cdee4bf9a28e
https://urlscan.io/search/#hash%3A71f119e31661198a11f2c5a24f9a3e01c4b405413efde35a7fb838beb15611df

IOK Rule (edit)

title: Base64-encoded document body
description: |
  To evade static analysis, the document body can returned base64 encoded in the response
  where JavaScript can decode it and append it to the DOM.
  This helps defeat simple scanners which don't evaluate JavaScript.
references:
  - https://urlscan.io/result/3b445b90-5d04-4b36-b29a-cdee4bf9a28e
  - https://urlscan.io/search/#hash%3A71f119e31661198a11f2c5a24f9a3e01c4b405413efde35a7fb838beb15611df
detection:
  documentWriteBase64Unescape:
    html|contains: "document.write(atob("

  condition: documentWriteBase64Unescape

tags:
  - anti-analysis