Windows Analysis Report
https://enerpac.my.salesforce.com/00QNx000009t34v

• EGA enabled

```json
{
  "riskscore": 7,
  "reasons": "The JavaScript code captures screen dimensions and automatically submits the login form, which can be indicative of a phishing attempt. The code does not provide any user feedback or validation before submission, which is a common tactic used in phishing attacks to capture user credentials."
}

function handleLogin(){document.login.un.value=document.login.username.value;document.login.width.value=screen.width;document.login.height.value=screen.height;document.getElementById("Login").disabled=true;document.getElementById("login_form").submit();}function lazyload(){document.getElementById("pwcapsicon").src="/img/icon/capslock_blue.png";document.getElementById("marketing").src="https://c.salesforce.com/login-messages/promos.html";}loader();

```json
{
  "riskscore": 0,
  "reasons": "The provided JavaScript code appears to be related to Salesforce login session management. It does not contain any suspicious or malicious elements. It includes variables for server URLs, user interface text, and session states, which are typical for legitimate web applications. No harmful actions or data exfiltration attempts are present."
}

var SFDCSessionVars={"server":"https:\/\/login.salesforce.com\/login\/sessionserver212.html","im":true,"ah":"active","save":"Save","saveOne":"Save 1 Change","sum":"#p# Saved Usernames","iaac":false,"hac":"Choose a Username","suo":"1 Saved Username","title":" | Salesforce","saveMany":"Save #p# Changes","lpt":"Login","lllbl":"Lightning Login","host":"login.salesforce.com","le":true,"heu":"Edit Username List","ic":false,"lh":false,"ur":"https:\/\/enerpac.my.salesforce.com","hidp":"Log In Using","ih":"inactive","dc":"Username removed. Click Save to Commit Changes."};

```json
{
  "phishing_score": 2,
  "brands": "Salesforce, Enerpac",
  "phishing": false,
  "suspicious_domain": false,
  "has_loginform": true,
  "has_captcha": false,
  "setechniques": false,
  "reasons": "The URL 'https://enerpac.my.salesforce.com/?ec=302&startURL=%2F00QNx000009t34v' appears to be a subdomain of Salesforce, which is a legitimate domain. The login page looks authentic and is hosted on a Salesforce subdomain, which is commonly used for Salesforce customer portals. There are no obvious social engineering techniques or suspicious elements in the image. Therefore, it is unlikely to be a phishing site."
}

```json
{
  "riskscore": 1,
  "reasons": "The code appears to be handling the loading of resources from a CDN and includes error handling for those resources. There are no obvious signs of malicious behavior such as data exfiltration or credential harvesting. The risk is minimal."
}

//<![CDATA[
!function(t,e){!function(){var n=e.getElementsByTagName("head")[0];n&&n.addEventListener&&(n.addEventListener("error",function(e){null!==e.target&&"cdn"===e.target.getAttribute("data-loader")&&t.$Loader.OnError(e.target)},!0),n.addEventListener("load",function(e){null!==e.target&&"cdn"===e.target.getAttribute("data-loader")&&t.$Loader.OnSuccess(e.target)},!0))}()}(window,document);
//  

```json
{
  "riskscore": 1,
  "reasons": "The JavaScript code appears to be part of a legitimate authentication process, likely for a Microsoft-related service. The URLs and parameters used are consistent with Microsoft's authentication and Single Sign-On (SSO) mechanisms. There are no obvious signs of malicious activity, such as obfuscated code or suspicious external domains. The presence of long random hexadecimal strings is noted but considered no risk. Overall, the code seems to be safe."
}

//<![CDATA[
$Config={"iMaxStackForKnockoutAsyncComponents":10000,"fShowButtons":true,"urlCdn":"https://aadcdn.msauth.net/shared/1.0/","urlDefaultFavicon":"https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico","urlPost":"/1602ae82-0266-40d6-910b-11680fe0f6a5/saml2?SAMLRequest=hZNdc6IwFIb%2FCpN7NKSiwlQ7CItarR8Y%2B8ENEzECLSRICIq%2FflltZ7p70T2TXJw5J%2B97Mnly%2F3DOUqWihUg4GwCtBYFCWcj3CYsGYItdtQ8ehveCZCnKTUuWMfPoUVJRKs1BJsxbZQBkwUxORCJMRjIqzDI0N9bT3EQtaOYFL3nIU6BYQtCibKxszoTMaLGhRZWEdOvNByAuy1yY7TZltMhJ2MrqliApFQdehLQV8uxB8AGEDoe3mOs9CyhOM0vCSHmd%2F0si5VHCWlkSFlzwQ8lZmrCrRFvrQkRoH6kQdbtqB%2B67qqHBnapp3T48UHjoEr19vRRQps4ABMi2mvCt%2FmpZ50%2BOdfp3%2Fymrrv66xRP1XJNSlTLf26NZhZ%2B105vw%2FRd74p2NqUfzwCW%2F1iGszkGE08XrEjkFlXvjcV0b1kUuvcXy3emN4rzexZW7nPLZ0dOMOniaTtL4pU4017lE49n8jnpRH75bnSgW%2BkeaZY96P5WFdZRueFyvNqM3f5KjmdYb6%2FgDk1MFVwdc7%2BpzRfx1aKA80%2Ffn3SLEMZJBcJmlbrLL7WjB%2BptpHfmJtGF0CLZ65Bw9Nt89YuH2kmQ9fmeT%2FYmNLodcxXY8HhUTIjlbPos7o3mIqRCSTpkoCSsHAEHUUaGuog7WDLNZCLYggj5QVp80jBJ2o%2BwndHa3JmFOMF6pq%2BUGA%2BX5i9amAXyyaV7di%2B9Q%2FixMvkgEw%2F9yd9%2F%2B7jH8TP%2F%2BDsPf\u0026RelayState=%2F00QNx000009t34v\u0026SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256\u0026Signature=iKVBiwIlzlcV6%2FpQ1xk3CQ3I665I6QW5BFGIAxWlw%2BfWbozzLxm5iAee7oLPy0fzNxuLeXePAm3Mj%2BV605kKB%2FdMyc1aUBUGqexpTHQW5eCOygrKguHIk2JPuNvmrh3I79R6EH7NQVWtq7TQFgyu3j3lHgewE0Hym6G%2FWsVe%2F0jOnz1U9BT4boyZlQuSociPNOmp5HOshU0teLf%2FQXAy1Rg0oBRQLzAVA1ixbPBjmmZCHWCeW5DJDLXEAi5wlT11w3QgcqwmwvBnI9EHRRMy5xK9FsZtsr%2FQgqFwR70lHxjTl0O8rop8OV3a7YMFp%2BstvLq9imNYCYYBAyCAD2P5wQZ2myUVmIM%2FiKeYjBj0JlBU8HWBDfcG2q4VhEveghlDVlYYcmwbhyRnq1U%2FmSMs93imhfUIs5zQHFajms7mHsaU5kRSV3oOYKghN4gx5xcg8hDh%2Fpa3cn9tTGuBjer2La5f4BCIpmQcK4kA5jlCU7XAH3xuSB14ia0vOxb4ON4U1RYn9inph8CoBhe9SsytIFEDJ82wh0sYnD5DFkACFsSZAn1r7AMOpLc0iALdanZZc6Ra5u8WioTtGTFaZ2jJNao%2Bdl2yZT48Bhk6LGOYDqJbJGOgm7ZgXb0BimqJF3FZU7zPlhf97yvtU38NiHomBm4wCZpnTooM1nadoPw6NCM%3D\u0026client-request-id=ff2b6e2f-b466-4827-ba02-d1d1cc2e1990\u0026sso_reload=True","iPawnIcon":0,"sPOST_Username":"","sFTName":"flowToken","fEnableOneDSClientTelemetry":true,"urlReportPageLoad":"https://login.microsoftonline.com/common/instrumentation/reportpageload?mkt=en-US","dynamicTenantBranding":null,"staticTenantBranding":null,"oAppCobranding":{},"iBackgroundImage":2,"fApplicationInsightsEnabled":false,"iApplicationInsightsEnabledPercentage":0,"urlSetDebugMode":"https://login.microsoftonline.com/common/debugmode","fEnableCssAnimation":true,"fAllowGrayOutLightBox":true,"fIsRemoteNGCSupported":true,"desktopSsoConfig":{"isEdgeAnaheimAllowed":true,"iwaEndpointUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/sso?client-request-id=ff2b6e2f-b466-4827-ba02-d1d1cc2e1990","iwaSsoProbeUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/ssoprobe?client-request-id=ff2b6e2f-b466-4827-ba02-d1d1cc2e1990","iwaIFrameUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/iframe?client-request-id=ff2b6e2

```json
{
  "riskscore": 2,
  "reasons": "The script checks if the current window is the top window and modifies the URL to include an iframe request ID if it is not. This behavior is often used to prevent clickjacking attacks and ensure the page is not loaded in an unauthorized iframe. However, without more context, it is difficult to determine if this is being used maliciously or for legitimate security purposes. The risk score is low but not zero due to the potential for misuse."
}

//<![CDATA[
!function(){var e=window,o=e.document,i=e.$Config||{};if(e.self===e.top){o&&o.body&&(o.body.style.display="block")}else if(!i.allowFrame){var s=e.self.location.href,l=s.indexOf("#"),n=-1!==l,t=s.indexOf("?"),f=n?l:s.length,d=-1===t||n&&t>l?"?":"&";s=s.substr(0,f)+d+"iframe-request-id="+i.sessionId+s.substr(f),e.top.location=s}}();
//