Hex-encoded document body

To evade static analysis, the document body can be returned hex-encoded in the response, where JavaScript decodes it and appends it to the DOM.

This helps defeat simple scanners which don't evaluate JavaScript.

IOK Rule

title: Hex-encoded document body
description: |
  To evade static analysis, the document body can be returned hex-encoded in the response,
  where JavaScript decodes it and appends it to the DOM.

  This helps defeat simple scanners which don't evaluate JavaScript.

detection:
  documentWriteUnescape:
    html|contains: "document.write(unescape("

  condition: documentWriteUnescape

tags:
  - anti-analysis
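
A scanner that does not evaluate JavaScript can still apply this rule and, when the argument is a string literal, recover the hidden body statically. The following is an added example, not part of the rule or the project's own code; the function name `analyse`, the regular expression and all sample HTML are constructed for illustration.

```javascript
// Static triage for the "document.write(unescape(" pattern.
// All sample HTML below is constructed for illustration.

// Exact substring from the rule's html|contains condition.
const MARKER = "document.write(unescape(";

// The marker followed by a quoted string literal. Percent-encoded payloads
// contain no raw quotes, so [^"']* is enough to capture the argument.
const LITERAL_CALL = /document\.write\(unescape\(\s*(["'])([^"']*)\1\s*\)\s*\)/g;

// Returns whether the rule would fire, the bodies recovered without running
// any page script, and how many hits could not be decoded statically
// (for example when unescape() is passed a variable).
function analyse(html) {
  const hits = html.split(MARKER).length - 1;
  // unescape is the same legacy global the page script calls (%XX and %uXXXX).
  const decoded = [...html.matchAll(LITERAL_CALL)].map((m) => unescape(m[2]));
  return { ruleMatch: hits > 0, decoded, needsDynamic: hits - decoded.length };
}

// Constructed sample: payload passed as a string literal.
const SAMPLE_LITERAL =
  "<html><body><script>document.write(unescape('%3Ch1%3ESign%20in%3C%2Fh1%3E'));</script></body></html>";

// Constructed sample: payload passed through a variable, so the rule still
// fires but the body cannot be recovered by pattern matching alone.
const SAMPLE_VARIABLE =
  '<script>var b="%3Cp%3Ehi%3C%2Fp%3E";document.write(unescape(b));</script>';

// Constructed sample: ordinary page with no match.
const SAMPLE_PLAIN = "<html><body><p>hello</p></body></html>";

for (const [name, html] of Object.entries({ SAMPLE_LITERAL, SAMPLE_VARIABLE, SAMPLE_PLAIN })) {
  console.log(name, JSON.stringify(analyse(html)));
}
```

A non-zero `needsDynamic` count marks pages where the rule matched but the decoded body has to come from a sandboxed browser rather than from static decoding.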