Base64 & URL-encoded document body

To evade static analysis, the document body can be wrapped in several JavaScript decoding functions such as decodeURIComponent and atob, so the page's real HTML only exists once the browser has run them. This helps defeat simple scanners which don't evaluate JavaScript.
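As an added example (not phish.report's rule code and not any kit's own source; the sample body and every helper name below are constructed for illustration), the following Node.js script builds a loader of this shape, shows why a scanner that only pattern-matches the raw HTML never sees the form, and unwraps the body statically without evaluating the page's script. It also shows the caveat a practitioner would want: the rule's `html|contains` string is an exact literal, so a loader with whitespace between the three calls slips past it, while a whitespace-tolerant regex still catches it.

```javascript
// Added example, not phish.report's rule code or any kit's own source.
// Everything here (the sample body, the helper names) is constructed.

// Constructed stand-in for a phishing page body. The non-ASCII "ñ" is the
// reason kits pair encodeURIComponent with btoa/atob: btoa() throws on
// characters outside Latin-1, so the body is percent-encoded first.
const ORIGINAL_BODY =
  '<form action="https://example.invalid/login">Contraseña: <input name="p"></form>';

// Build step (what the kit does before serving): percent-encode, then
// base64. encodeURIComponent output is ASCII, so this matches btoa().
function encodeBody(html) {
  return Buffer.from(encodeURIComponent(html), "utf8").toString("base64");
}

// The loader page a victim receives. `spacing` lets us generate the
// whitespace variant "document.write( decodeURIComponent( atob( ..."
// that an exact substring match does not cover.
function buildLoader(html, spacing = "") {
  const s = spacing;
  const b64 = encodeBody(html);
  return (
    "<html><body><script>" +
    `document.write(${s}decodeURIComponent(${s}atob(${s}"${b64}")))` +
    "</script></body></html>"
  );
}

// A simplistic scanner that does not evaluate JavaScript: it looks for a
// form tag in the raw HTML. This is exactly what the wrapping defeats.
function naiveScannerSeesForm(html) {
  return /<form\b/i.test(html);
}

// The IOK rule's detection as written: html|contains on this literal.
const RULE_NEEDLE = "document.write(decodeURIComponent(atob(";
function iokRuleMatches(html) {
  return html.includes(RULE_NEEDLE);
}

// Whitespace-tolerant variant of the same detection plus a static unwrap:
// locate the wrapper with a regex, then undo atob and decodeURIComponent
// in reverse order without running any script from the page.
const WRAPPER_RE =
  /document\.write\s*\(\s*decodeURIComponent\s*\(\s*atob\s*\(\s*(["'])([A-Za-z0-9+\/=\s]+)\1/;

function unwrapStatic(html) {
  const m = WRAPPER_RE.exec(html);
  if (!m) return null;
  const b64 = m[2].replace(/\s+/g, "");
  // atob() yields a binary string (one char per byte); latin1 reproduces that.
  const percentEncoded = Buffer.from(b64, "base64").toString("latin1");
  try {
    return decodeURIComponent(percentEncoded);
  } catch (e) {
    return null; // malformed %XX sequence: not a payload of this kind
  }
}

// Stand-alone run: show both the evasion and the detection side by side.
if (typeof require !== "undefined" && require.main === module) {
  for (const spacing of ["", " "]) {
    const loader = buildLoader(ORIGINAL_BODY, spacing);
    const body = unwrapStatic(loader);
    console.log(`spacing=${JSON.stringify(spacing)}`);
    console.log("  naive scanner sees form in raw loader:", naiveScannerSeesForm(loader));
    console.log("  IOK literal rule matches:             ", iokRuleMatches(loader));
    console.log("  static unwrap recovers body:          ", body === ORIGINAL_BODY);
    console.log("  naive scanner sees form after unwrap: ", naiveScannerSeesForm(body));
  }
}
```

The static unwrap only handles the case where the base64 payload is a string literal inside the call chain; a kit that first stores the payload in a variable still trips the `html|contains` check but would need the regex extended to follow the variable. That is the usual trade-off with literal-substring rules: cheap and precise, but brittle against trivial reformatting of the wrapper.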

References

Recent Detections

  • hxxps://document[.]lates-proposale[.]workers[.]dev/
  • hxxps://document-product[.]rototetiined[.]workers[.]dev/
  • hxxps://docshared-river-96de[.]fri9hlxh[.]workers[.]dev/
  • hxxps://sregs-wave-b583[.]u6e6h11v[.]workers[.]dev/
  • hxxps://cloud-reconncet-9f0e[.]czwl05dv[.]workers[.]dev/
  • hxxp://storageapi[.]fleek[.]co/f025dba3-de1a-432c-b712-d39aebb24...
  • hxxps://storageapi[.]fleek[.]co/f025dba3-de1a-432c-b712-d39aebb2...
  • hxxps://storageapi[.]fleek[.]co/8339fe48-d7d7-41b9-8739-db625827...
  • hxxps://xbgpjmphuhshwrjpmdj-xtjrxlsisljpuorbeur-plzrapqynqarggwf...
  • hxxps://nisfbqeazmfsmxxm48pk[.]app[.]link/e/0V5s8CAVzub

IOK Rule

title: Base64 & URL-encoded document body
description: |
  To evade static analysis, the document body is wrapped in several
  JavaScript decoding functions such as `decodeURIComponent` and `atob`,
  so the real HTML only exists once the browser has run them.
  This helps defeat simple scanners which don't evaluate JavaScript.
related:
  - hex-encoded-body
references:
  - https://urlscan.io/result/f6387380-2258-4113-8375-0195ecd1e268
  
detection:

  documentWriteBase64AndURLDecode:
    html|contains: "document.write(decodeURIComponent(atob("

  condition: documentWriteBase64AndURLDecode

tags:
  - anti-analysis