Windows Analysis Report
https://link.mail.beehiiv.com/ls/click?upn=u001.fl7hrKpqiw6rleMq0yETnMUZuFsAAwCeO-2BH5ERPYbcqsWCpxHbnR-2BAMni5gDH0KguWznuzJ8-2BPLnfO8gj2j9yQl2ivfAsJY4Ezg7DDw3zzKfSzxTK3e4dxMSvOfBS7t3jD7uyMdaZpLpYA-2FoIuXpkYxxl3nOzWBw62nOLKDtQmnHprAllAUT7JIYUOdWTCNc6huay-2BA-2FIfT2dnkFc6AmqA-3D-3DxUjQ_ALlq5-2F4R3mneN

• EGA enabled

{
"riskscore": 2,
"reasons": "The code defines several functions but does not contain any suspicious behavior such as redirecting to phishing sites, tracking users, or creating advertisements. However, it is worth noting that the code contains complex structures and uses of Promises and generators which could potentially hide malicious behavior. Therefore, a risk score of 2 is assigned."
}
)

!function(){"use strict";var t=function(r,e){return t=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,r){t.__proto__=r}||function(t,r){for(var e in r)Object.prototype.hasOwnProperty.call(r,e)&&(t[e]=r[e])},t(r,e)};function r(r,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function n(){this.constructor=r}t(r,e),r.prototype=null===e?Object.create(e):(n.prototype=e.prototype,new n)}function e(t,r,e,n){return new(e||(e=Promise))((function(o,i){function u(t){try{s(n.next(t))}catch(t){i(t)}}function c(t){try{s(n.throw(t))}catch(t){i(t)}}function s(t){var r;t.done?o(t.value):(r=t.value,r instanceof e?r:new e((function(t){t(r)}))).then(u,c)}s((n=n.apply(t,r||[])).next())}))}function n(t,r){var e,n,o,i,u={label:0,sent:function(){if(1&o[0])throw o[1];return o[1]},trys:[],ops:[]};return i={next:c(0),throw:c(1),return:c(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function c(c){return function(s){return function(c){if(e)throw new TypeError("Generator is already executing.");for(;i&&(i=0,c[0]&&(u=0)),u;)try{if(e=1,n&&(o=2&c[0]?n.return:c[0]?n.throw||((o=n.return)&&o.call(n),0):n.next)&&!(o=o.call(n,c[1])).done)return o;switch(n=0,o&&(c=[2&c[0],o.value]),c[0]){case 0:case 1:o=c;break;case 4:return u.label++,{value:c[1],done:!1};case 5:u.label++,n=c[1],c=[0];continue;case 7:c=u.ops.pop(),u.trys.pop();continue;default:if(!(o=u.trys,(o=o.length>0&&o[o.length-1])||6!==c[0]&&2!==c[0])){u=0;continue}if(3===c[0]&&(!o||c[1]>o[0]&&c[1]<o[3])){u.label=c[1];break}if(6===c[0]&&u.label<o[1]){u.label=o[1],o=c;break}if(o&&u.label<o[2]){u.label=o[2],u.ops.push(c);break}o[2]&&u.ops.pop(),u.trys.pop();continue}c=r.call(t,u)}catch(t){c=[6,t],n=0}finally{e=o=0}if(5&c[0])throw c[1];return{value:c[0]?c[1]:void 0,done:!0}}([c,s])}}}Object.create;function o(t){var r="function"==typeof Symbol&&Symbol.iterator,e=r&&t[r],n=0;if(e)return e.call(t);if(t&&"number"==typeof t.length)return{next:function(){return t&&n>=t.length&&(t=void 0),{value:t&&t[n++],done:!t}}};throw new TypeError(r?"Object is not iterable.":"Symbol.iterator is not defined.")}function i(t,r){var e="function"==typeof Symbol&&t[Symbol.iterator];if(!e)return t;var n,o,i=e.call(t),u=[];try{for(;(void 0===r||r-- >0)&&!(n=i.next()).done;)u.push(n.value)}catch(t){o={error:t}}finally{try{n&&!n.done&&(e=i.return)&&e.call(i)}finally{if(o)throw o.error}}return u}function u(t,r,e){if(e||2===arguments.length)for(var n,o=0,i=r.length;o<i;o++)!n&&o in r||(n||(n=Array.prototype.slice.call(r,0,o)),n[o]=r[o]);return t.concat(n||Array.prototype.slice.call(r))}function c(t){return this instanceof c?(this.v=t,this):new c(t)}function s(t,r,e){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var n,o=e.apply(t,r||[]),i=[];return n={},u("next"),u("throw"),u("return"),n[Symbol.asyncIterator]=function(){return this},n;function u(t){o[t]&&(n[t]=function(r){return new Promise((function(e

```json
{
  "riskscore": 1,
  "reasons": "The code attempts to modify the top-level frame's location by appending a session ID. This could be a potential risk if the session ID is sensitive or user-specific. However, the impact is low since it is a common practice for tracking user activities and does not involve any suspicious redirections or phishing attempts."
}

//<![CDATA[
!function(){var e=window,s=e.document,i=e.$Config||{};if(true){s&&s.body&&(s.body.style.display="block")}else if(false){var o,t,r,f,n,d;if(i.fAddTryCatchForIFrameRedirects){try{o=e.self.location.href,t=o.indexOf("#"),r=-1!==t,f=o.indexOf("?"),n=r?t:o.length,d=-1===f||r&&f>t?"?":"&",o=o.substr(0,n)+d+"iframe-request-id="+i.sessionId+o.substr(n),e.top.location=o}catch(e){}}else{o=e.self.location.href,t=o.indexOf("#"),r=-1!==t,f=o.indexOf("?"),n=r?t:o.length,d=-1===f||r&&f>t?"?":"&",
o=o.substr(0,n)+d+"iframe-request-id="+i.sessionId+o.substr(n),e.top.location=o}}}();
//  

```json
{
  "riskscore": 1,
  "reasons": "The code creates an anonymous function that listens for 'error' and 'load' events on elements in the head of the document. While this in itself is not malicious, it is often used for loading resources from external sources (e.g. a CDN), which can introduce security risks if the external source is compromised. However, in this specific case, there is no evidence of phishing or other malicious intent, so the risk score is kept low."
}

//<![CDATA[
!function(t,e){!function(){var n=e.getElementsByTagName("head")[0];n&&n.addEventListener&&(n.addEventListener("error",function(e){null!==e.target&&"cdn"===e.target.getAttribute("data-loader")&&t.$Loader.OnError(e.target)},!0),n.addEventListener("load",function(e){null!==e.target&&"cdn"===e.target.getAttribute("data-loader")&&t.$Loader.OnSuccess(e.target)},!0))}()}(window,document);
//  

{
"riskscore": 5,
"reasons": "The code contains obfuscated variable and function names, which can be indicative of malicious intent. However, it does not contain any obvious redirections, tracking, or advertisement-related behavior. The code also does not contain any long random hexadecimal strings. The risk score is therefore set to 5, indicating a moderate level of suspicion."
}

Explanation:

While the code does not contain any overtly malicious behavior, the use of obfuscated variable and function names can make it difficult to determine its true purpose. This is a common technique used in malicious code to evade detection and analysis. However, the absence of other red flags such as redirections, tracking, and advertisements suggests that the code may not be highly malicious. The presence of long random hexadecimal strings is also not observed in this code. Therefore, a moderate level of suspicion is warranted.

function a0Y(s,j){var i=a0S();return a0Y=function(u,S){u=u-0x1bb;var Y=i[u];return Y;},a0Y(s,j);}function a0S(){var Kw=['_finalizers','gusiC','_next','20246970oZKESw','ignoreCase','xWOWW','MessageChannel','sEqkm','remove','_socket','withoutSetter','qpHQv','zNXTr','pop','$(?!\x5cs)','deserializer','rejectionhandled','TypeError','Scheduled\x20action\x20threw\x20falsy\x20error','ObjectUnsubscribedError','closed','unsafe','XrBDp','dCQeY','ldgfY','sticky','emit','Bad\x20Promise\x20constructor','Xpixf','charCodeAt','_trimBuffer','mdEBD','bjVxF','EWuBc','RLeUH','clearImmediate','wmXDu','currentObservers','2092MiFaiE','\x20is\x20not\x20iterable','2971071LodsMF','defineProperties','java','delay','ruSsE','2087615NYUHvT','thrownError','Ihcfe','bYeqO','Reflect','\x20is\x20not\x20a\x20function','Event','operator','observable','You\x20provided\x20','Zxpdj','arpYi','push','pending','vpjvF','IS_ITERATOR','Promise-chain\x20cycle','closeObserver','create','concat','style','\x20where\x20a\x20stream\x20was\x20expected.\x20You\x20can\x20provide\x20an\x20Observable,\x20Promise,\x20ReadableStream,\x20Array,\x20AsyncIterable,\x20or\x20Iterable.','owuuP','31263710JxhIOc','_connectSocket','type','nonConfigurable','data','iAjce','rejection','lkhbC','symbol\x20detection','emARY','shift','wOzlK','hasOwnProperty','iframe','toStringTag','get\x20','TcqIQ','parse','script','ACEth','Deno','code','YrOoQ','iFRHm','host','geITD','finalize','hGQVl','complete','_resetState','setInterval','Function','9065696cqrZFT','url','oaiNg','String','4145418dHRypg','HynOW','getOwnPropertySymbols','Symbol(','aFdQf','number','[object\x20','clearInterval','\x20is\x20not\x20a\x20constructor\x20or\x20null','MutationObserver','SUBCLASSING','RGQPF','releaseLock','find','return\x20(function()\x20','asyncIterator','ySjfs','Symbol.','trys','fail','7nUzbcM','__core-js_shared__','htmlfile','YiIXL','eAOXr','xaYHZ','native-string-replace','Promise','$<a>c','addEventListener','5721VtkZMQ','isArray','enumerable','','normalize','initialTeardown','_parentage','getterFor','name','Can\x27t\x20set\x20','toString','_windowTime','SoVcJ','fPdsi','message','useDeprecatedSynchronousErrorHandling','status','chivx','','indexOf','something','xnfqV','open','6lsMuXk','setTimeout','nWzzx','domain','groups','OIBFU','importScripts','Array','aYemU','global','yKOIA','ZJNjG','_infiniteTimeWindow','erFOS','floor','kQWtV','aEnIb','Object\x20already\x20initialized','YYogK','_timestampProvider','Null','dotAll','LOwfh','QxGzX','flush','errorThrown','postMessage','getReader','forEach','done','value','symbol','_execute','keys','configurable','ZrrVO','42ketxFO','partialObserver','YPQle','input','NPmpb','ceil','createEvent','(((.+)+)+)+$','Iterable\x20cannot\x20be\x20null','onreadystatechange','facade','HgCJk','Unhandled\x20promise\x20rejection','join','DbozQ','OkZrR','ops','target','','set','reject','slice','all','TkEWm','splice','iVPuz','get','REJECTION_EVENT','JPCWa','rejectionHandled','npUCi','QgoXM','errors','UlFYw','ejwmt','vUziV','unic

```json
{
  "phishing_score": 8,
  "brands": null,
  "phishing": true,
  "suspicious_domain": true,
  "has_loginform": false,
  "has_captcha": false,
  "setechniques": true,
  "legitmate_domain": "unknown",
  "reasons": "The domain name 'signedfiless.com' is suspicious and does not match any known legitimate brand. The URL structure and the domain name itself appear to be designed to mimic legitimate services, which is a common social engineering technique used in phishing attacks. Additionally, the webpage displayed in the image is very minimalistic and lacks any identifiable branding or content, which is often a characteristic of phishing sites."
}

{  "primary_owner": "doxcs"}

```json
{
  "phishing_score": 9,
  "brands": "Microsoft",
  "phishing": true,
  "suspicious_domain": true,
  "has_loginform": true,
  "has_captcha": false,
  "setechniques": true,
  "legitmate_domain": "microsoft.com",
  "reasons": "The URL 'doxcs.signedfiless.com' does not match the legitimate domain name 'microsoft.com' associated with the brand Microsoft. The page contains a login form asking for a password, which is a common tactic used in phishing attacks. The domain name appears suspicious and unrelated to Microsoft, indicating a high likelihood of phishing."
}

{"primary_owner": "microsoft"}

```json
{
  "phishing_score": 9,
  "brands": "Microsoft",
  "phishing": true,
  "suspicious_domain": true,
  "has_loginform": true,
  "has_captcha": false,
  "setechniques": true,
  "legitmate_domain": "microsoft.com",
  "reasons": "The URL 'doxcs.signedfiless.com' does not match the legitimate domain 'microsoft.com' associated with the brand Microsoft. The presence of a login form on a suspicious domain is a common phishing technique. The domain name appears to be unrelated to Microsoft, which is a strong indicator of a phishing attempt."
}

{"primary_owner": "microsoft"}