I'm looking at a potential phishing site and I see that some of the HTML is obfuscated. It's not Base64. All the links look like this:

<link 
href="6bkaQeQe69e/st-oU9kY4its4s5Zz2ykykffaNIgaVVtdtPSne0d3bxTbrLcyxygfAd0LXBQWdxowKsvc7G5BVrze6S8kPP"
rel="stylesheet" />

Some of the class names are also obfuscated. I was thinking that it's an obfuscation method that the browser must understand. Any ideas where to start?

I found some more that I missed before, a Base64 encoded script.

<script src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUoZGVjb2RlVVJJQ29tcG9uZW50KGVzY2FwZShhdG9iKGRvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoInVkZE5ldWxERVBmTkt5TCIpLmdldEF0dHJpYnV0ZSgiZHVkY0RBRkRBaFhHZFVEIikpKSkpO0JSWWpZT0pMS3lvVnhXblpwdmlMPSJrVkhjcHdUZlpxRldjbnIiOw=="></script>

That decodes to: document.write(decodeURIComponent(escape(atob(document.querySelector("uddNeulDEPfNKyL").getAttribute("dudcDAFDAhXGdUD")))));BRYjYOJLKyoVxWnZpviL="kVHcpwTfZqFWcnr";

After <body> is defined, the next tag is <uddneuldepfnkyl>, and the entire rest of the page is between it and its closing tag.

There is a statement dudcDAFDAhXGdUD= and then a long base64 string that represents the entire HTML page.

I don't see any references in the code to BRYjYOJLKyoVxWnZpviL anywhere.

Robert909
  • Unfortunately, this is not a security question. We can't help decode all obfuscated code out there. As for a process we have this: https://security.stackexchange.com/questions/115461/i-found-unknown-php-code-on-my-server-how-do-i-de-obfuscate-the-code – schroeder Jan 22 '24 at 21:12
  • Thanks. That's for PHP so not really relevant here. – Robert909 Jan 23 '24 at 00:28
  • As I said, it's a process... – schroeder Jan 23 '24 at 08:14

1 Answer


It's tough to know for sure without the entire HTML, however, the JavaScript command alone gets the attribute "dudcDAFDAhXGdUD" from the first element "uddNeulDEPfNKyL" on the page, decodes that element from Base64, and writes it to the document.

The reference "BRYjYOJLKyoVxWnZpviL" is set as a variable in that script, where its value is "kVHcpwTfZqFWcnr". If you don't see this variable being referenced, it's possible that it is simply a throw-away variable in an attempt to confuse anti-malware/email filters and isn't actually used.

malypr
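The reading in the answer above can be applied statically, without loading the page in a browser. The following is an added example (my code, not the question's page or the answer's), written for Node.js: it pulls the base64 `data:` URI script out of the markup, decodes it, recognises the `querySelector("TAG").getAttribute("ATTR")` idiom, reads that attribute off the custom element, and reproduces the `decodeURIComponent(escape(atob(...)))` chain with `Buffer`. The loader script is the exact base64 string from the question; the outer page and the hidden page inside the attribute are constructed stand-ins, since the real content is not on the page. The function names (`extractDataUriScripts`, `findAttributeRead`, `readAttribute`, `unusedAssignments`, `deobfuscate`) are my own.

```javascript
// Added example, not code from the original question or answer.
// Static, offline deobfuscator for the pattern discussed above. It never
// executes the page's JavaScript; it only pattern-matches the decoded loader
// and reproduces its decode chain with Buffer. Node.js 16+.

// The loader script exactly as quoted in the question (a data: URI body).
const LOADER_B64 =
  "ZG9jdW1lbnQud3JpdGUoZGVjb2RlVVJJQ29tcG9uZW50KGVzY2FwZShhdG9iKGRvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoInVkZE5ldWxERVBmTkt5TCIpLmdldEF0dHJpYnV0ZSgiZHVkY0RBRkRBaFhHZFVEIikpKSkpO0JSWWpZT0pMS3lvVnhXblpwdmlMPSJrVkhjcHdUZlpxRldjbnIiOw==";

// Constructed hidden page (assumption: the real content is unknown, so this
// stands in for it). The non-ASCII character shows why the loader wraps atob()
// in decodeURIComponent(escape(...)): atob() alone yields raw bytes, not UTF-8.
const HIDDEN_PAGE =
  '<h1>Connexion sécurisée</h1><form method="post" action="/login"><input name="password" type="password"></form>';

// Constructed outer page, laid out the way the question describes it: a data:
// URI <script> in <head>, then a custom element wrapping the rest of the body.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="data:text/javascript;base64,${LOADER_B64}"></script>
</head><body>
<uddneuldepfnkyl dudcDAFDAhXGdUD="${Buffer.from(HIDDEN_PAGE, "utf8").toString("base64")}">
</uddneuldepfnkyl>
</body></html>`;

// decodeURIComponent(escape(atob(b64))) is an old idiom for "base64 -> bytes ->
// UTF-8 string". Buffer does the same in one step, without running anything.
function decodeUtf8Base64(b64) {
  return Buffer.from(b64.trim(), "base64").toString("utf8");
}

// Pull every base64 data: URI script out of the markup and decode it.
function extractDataUriScripts(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']data:text\/javascript;base64,([^"']+)["']/gi;
  const out = [];
  for (const m of html.matchAll(re)) out.push(decodeUtf8Base64(m[1]));
  return out;
}

// Recognise the loader idiom: document.querySelector("TAG").getAttribute("ATTR").
function findAttributeRead(script) {
  const m = /querySelector\(["']([^"']+)["']\)\.getAttribute\(["']([^"']+)["']\)/.exec(script);
  return m ? { tag: m[1], attr: m[2] } : null;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Read ATTR off the first TAG element. HTML tag and attribute names are
// case-insensitive, which is why the source shows <uddneuldepfnkyl> while the
// selector says "uddNeulDEPfNKyL"; the 'i' flag mirrors the browser here.
function readAttribute(html, tag, attr) {
  const re = new RegExp(
    `<${escapeRe(tag)}\\b[^>]*?\\s${escapeRe(attr)}\\s*=\\s*["']([^"']*)["']`,
    "i"
  );
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Statement-level NAME="..." assignments whose NAME appears nowhere else in the
// script: candidates for the decoy variable the answer describes.
function unusedAssignments(script) {
  const names = [];
  for (const m of script.matchAll(/(?:^|;)\s*([A-Za-z_$][\w$]*)\s*=\s*["'][^"']*["']/g)) {
    const name = m[1];
    const uses = script.match(new RegExp(`\\b${escapeRe(name)}\\b`, "g")) || [];
    if (uses.length === 1) names.push(name);
  }
  return names;
}

// Full pipeline: decoded loaders, recovered page(s), and suspected decoys.
function deobfuscate(html) {
  const result = { loaders: [], pages: [], decoys: [] };
  for (const script of extractDataUriScripts(html)) {
    result.loaders.push(script);
    result.decoys.push(...unusedAssignments(script));
    const read = findAttributeRead(script);
    if (!read) continue;
    const b64 = readAttribute(html, read.tag, read.attr);
    if (b64 !== null) result.pages.push(decodeUtf8Base64(b64));
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  const r = deobfuscate(SAMPLE_HTML);
  console.log("loader:", r.loaders[0]);
  console.log("decoy variables:", r.decoys);
  console.log("recovered page:", r.pages[0]);
}
```

Run it with `node deobfuscate.js` after saving the block under that name. For a real sample, replace `SAMPLE_HTML` with the page source read from disk and, if the markup is messy, swap the regexes for a proper HTML parser; the point that carries over is to recover the hidden document from the attribute rather than letting `document.write()` do it in a browser. The random-looking `href` values in the question are a separate matter: nothing in the script decodes them, so this example leaves them alone.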