Windows Analysis Report
http://172.104.75.98/owa/

• HCA enabled
• EGA enabled
• AMSI enabled

• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0

```json
{
  "riskscore": 7,
  "reasons": "The code attempts to create ActiveX objects, which can be a security risk as they can execute arbitrary code on the user's machine. This is particularly concerning for non-IE browsers where ActiveX is not supported. Additionally, the use of document.write can lead to cross-site scripting (XSS) vulnerabilities."
}

```json
{
  "riskscore": 2,
  "reasons": "The provided JavaScript code primarily deals with UI elements such as placeholders and password visibility toggling. There is no evident malicious behavior such as data exfiltration or unauthorized access. However, the use of 'document.write' to insert a meta tag could be considered a minor risk due to potential for misuse in other contexts."
}

var mainLogonDiv = window.document.getElementById("mainLogonDiv");
        var showPlaceholderText = false;
        var mainLogonDivClassName = 'mouse';

        if (mainLogonDivClassName == "tnarrow") {
            showPlaceholderText = true;

            // Output meta tag for viewport scaling
            document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />');
        }
        else if (mainLogonDivClassName == "twide"){
            showPlaceholderText = true;
        }

        function setPlaceholderText() {
                window.document.getElementById("username").placeholder = "domain\\user name";
                window.document.getElementById("password").placeholder = "Password";
                window.document.getElementById("passwordText").placeholder = "Password";
        }

        function showPasswordClick() {
            var showPassword = window.document.getElementById("showPasswordCheck").checked;
            passwordElement = window.document.getElementById("password");
            passwordTextElement = window.document.getElementById("passwordText");
            if (showPassword)
            {
                passwordTextElement.value = passwordElement.value;
                passwordElement.style.display = "none";
                passwordTextElement.style.display = "inline";
                passwordTextElement.focus();
            }
            else
            {
                passwordElement.value = passwordTextElement.value;
                passwordTextElement.style.display = "none";
                passwordTextElement.value = "";
                passwordElement.style.display = "inline";
                passwordElement.focus();
            }
        }

```json
{
  "riskscore": 1,
  "reasons": "The provided JavaScript code appears to be part of a legitimate logon page, likely for a Microsoft service, given the copyright notice and the context of the code. The code handles user authentication, cookie management, and browser compatibility checks. There are no obvious signs of malicious activity such as data exfiltration, keylogging, or unauthorized access attempts. The only potential risk is the handling of cookies and user input, which could be exploited if not properly secured, but this is a common aspect of logon pages and does not inherently indicate malicious intent."
}

//  flogon.js
//
//  This file contains the script used by Logon.aspx
//
//Copyright (c) 2003-2006 Microsoft Corporation.  All rights reserved.

/// <summary>
/// OnLoad handler for logon page
/// </summary>
window.onload = function ()
{
    // If we are replacing the current window with the logon page, initialize the logon page UI now
    //
    if (a_fRC)
        initLogon();

    // Otherwise we need to find the window to replace with the logon page and redirect that window
    //
    else
        redir();
};

/// <summary>
/// Initializes the logon page
/// </summary>
function initLogon()
{
    try
    {
        //
        // we don't call document.execCommand("ClearAuthenticationCache","false"); anymore. As a part of the Pending-Notification
        // infrastructure, we are making a change to make sure startpage does not get loaded more than once. This solution is cookie
        // based. This execCommand was clearing all cookies in the scenario when a user logged on from a child window during an
        // FBA timeout. We do not want that to happen anymore. If this breaks anything, we may need to consider a different solution.
        //
        // Old Comments:
        // If the "Clear the Authentication Cache" flag is set to true and
        // we are coming from the logoff page , clear the cache. See bug 41770 and 5840 for details.
        //

        // Logoff the S-Mime control.
        //
        LogoffMime();
    }
    catch (e) { }

    // Check for username cookie
    //
    var re = /(^|; )logondata=acc=([0|1])&lgn=([^;]+)(;|$)/;
    var rg = re.exec(document.cookie);

    if (rg)
    {
        // Fill in username, set security to private, and restore the "use basic" selection
        //

        gbid("username").value = rg[3];

        try
        {
            var signInErrorElement = gbid("signInErrorDiv");
            if (signInErrorElement)
            {
                signInErrorElement.focus();
            }
            else
            {
                gbid("password").focus();
            }
        }
        catch (e)
        {}

        if (gbid("chkPrvt") && !gbid("chkPrvt").checked)
        {
            gbid("chkPrvt").click();
        }

        if (rg[2] == "1" && gbid("chkBsc"))	// chkBsc doesn't exist if the request comes from ECP
            gbid("chkBsc").click();

    }
    else
    {
        // The variable g_fFcs is set to false when the password gains focus,
        // so that we don't accidentally set focus to the username field while
        // the user is typing their password
        //
        if (g_fFcs)
        {
            try
            {
                gbid("username").focus();
            }
            catch (e)
            { }
        }
    }

    // OWA Premium currently supports
    // IE 7+, Safari 3+, Firefox 3+ for Windows / Mac
    if (IsOwaPremiumBrowser() && gbid("chkBsc"))	// chkBsc doesn't exist if the request comes from ECP
        gbid("chkBsc").disabled = false;

    // Are coo

```json
{
  "phishing_score": 9,
  "brands": "Outlook",
  "phishing": true,
  "suspicious_domain": true,
  "has_loginform": true,
  "has_captcha": false,
  "setechniques": true,
  "reasons": "The URL uses an IP address instead of a domain name, which is a common tactic in phishing attacks. The page mimics the Outlook login page, which is a well-known brand, to deceive users into entering their credentials. The legitimate Outlook login page would typically be hosted on a domain like 'outlook.com' or 'office.com', not an IP address."
}