Obfuscated HTML [closed]
I'm looking at a potential phishing site and I see that some of the HTML is obfuscated. It's not Base64. All the links look like this:
<link
href="6bkaQeQe69e/st-oU9kY4its4s5Zz2ykykffaNIgaVVtdtPSne0d3bxTbrLcyxygfAd0LXBQWdxowKsvc7G5BVrze6S8kPP"
rel="stylesheet" />
Some of the class names are also obfuscated. I was thinking that it's an obfuscation method that the browser must understand. Any ideas where to start?
I found some more that I missed before, a Base64 encoded script.
script src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUoZGVjb2RlVVJJQ29tcG9uZW50KGVzY2FwZShhdG9iKGRvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoInVkZE5ldWxERVBmTkt5TCIpLmdldEF0dHJpYnV0ZSgiZHVkY0RBRkRBaFhHZFVEIikpKSkpO0JSWWpZT0pMS3lvVnhXblpwdmlMPSJrVkhjcHdUZlpxRldjbnIiOw==">
That decodes to: document.write(decodeURIComponent(escape(atob(document.querySelector("uddNeulDEPfNKyL").getAttribute("dudcDAFDAhXGdUD")))));BRYjYOJLKyoVxWnZpviL="kVHcpwTfZqFWcnr";
After the body> is defined the next tag is uddneuldepfnkyl> and the entire rest of the page is between it and its closing tag.
There is a statement dudcDAFDAhXGdUD= and then a long base64 string that represents the entire HTML page.
I don't see any references in the code to BRYjYOJLKyoVxWnZpviL anywhere.