Windows Analysis Report
phish_alert_iocp_v1.4.48 (80).eml

{
    "explanation": [
        "The sender email domain (canda.co.jp) doesn't match the claimed ZoomInfo organization",
        "The email chain shows inconsistent sender addresses and suspicious domain 'salesdept-zoominfo.com' instead of legitimate zoominfo.com",
        "The email attempts to create urgency around a large payment ($36,500) while lacking proper business documentation"
    ],
    "phishing": true,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Wed, 27 Nov 2024 11:07:53 -0800", 
    "subject": "RE: Invoice #504381 from ZoomInfo.com", 
    "communications": [
        "[EXTERNAL EMAIL: Take caution with links and attachments. ] \n\n\nHello,\n\nAs requested, please find the attached past-due Invoice for Subscription to ZoomInfo ordered by James Moreton.\n\nPlease refer to the email conversation below with James for further details. We respectfully ask for payment to be released today as the invoice is overdue.\n\nN.B.: ACH Details and W9 are noted on the attachment.\n\nRegards,\n\n\nCollins James\nACCOUNT RECEIVABLES MANAGER | ZoomInfo Technologies LLC\n805 Broadway Street, Suite 900, Vancouver, WA 98660\naccounting@salesdept-zoominfo.com\n \n \n", 
        "From: James Moreton <James.Moreton@firstfedweb.com>\nSent: Tuesday, November 19, 2024 04:17 PM\nTo: Collins James <accounting@salesdept-zoominfo.com <mailto:accounting@salesdept-zoominfo.com> >\nSubject: Re: Re: Legal Services INV - Climb to a better Team\n \nHi Collins,\n\nYes, I did receive your invoice mail but assumed you also sent a copy to our AP as I specified during the initial setup and registration. Could you please confirm if this was done? If not, please send a copy to our accounting department at accounting@firstfedweb.com.\n\nWe apologize for any inconvenience this may have caused and will ensure the payment is processed promptly once we receive confirmation.\n\nThank you for your understanding and cooperation.\n\n - \n\nJames Moreton\n\nFirst federal\n\nhttps://clicktime.cloud.postoffice.net/clicktime.php?U=www.firstfedweb.com&E=accounting%40firstfedweb.com&X=XID782CkATH63022Xd2&T=FF1001&HV=U,E,X,T&H=c8d75db8c41d31a5af25cfaabd38473f1615c3c3\n\n \n \n", 
        "From: Collins James <accounting@salesdept-zoominfo.com <mailto:accounting@salesdept-zoominfo.com> >\nSent: Thursday, June 13, 2024 03:15 PM\nTo: James Moreton <James.Moreton@firstfedweb.com>\nSubject: Subscription to ZoomInfo INV - Climb to a better Team\n\n\n \n\nDear James,\n\n\nI hope this message finds you well.\n\nI am writing to follow up on the invoice (Invoice Number: INV504381) that was issued to you on 07-23-2024 and due upon receipt. As of today, we have not yet received payment for the amount of 36,500.00 USD.\n\nWe understand that sometimes payments can be delayed due to unforeseen circumstances. We kindly request that you settle the outstanding amount at your earliest convenience.\n\nThanks for your prompt attention to this matter.\n\n\n\n \n\nRegards,\n\n\n\n\nCollins James\n\nACCOUNT RECEIVABLES MANAGER | ZoomInfo Technologies LLC\n\n805 Broadway Street, Suite 900, Vancouver, WA 98660\n\naccounting@salesdept-zoominfo.com <mailto:accounting@salesdept-zoominfo.com>  \n\n", 
        "From: Collins James <accounting@salesdept-zoominfo.com <mailto:accounting@salesdept-zoominfo.com> >\nSent: Thursday, June 13, 2024 03:15 PM\nTo: James Moreton <James.Moreton@firstfedweb.com>\nSubject: Subscription to ZoomInfo INV - Climb to a better Team\n\n\n\n\nDear James Moreton,\n\nWe're thrilled to extend a warm welcome to you as a member of the ZoomInfo. A distinguished community comprising executives of your userber.\n\nAs a participant in the ZoomInfo VIP Club, here's what's in store for you:\nPersonal VIP Relationship Manager, First Glimpse at New Products, Invitations to Exclusive Events, Surprises & Rewards, Priority Live Chat Support.\nPlease find attached your invoice for payment and see invoice summary below:\nInvoice Summary:\n\n*\tInvoice Number: INV504381\n*\tDate Issued: 07-23-2024\n*\tDue Date: Upon Receipt\n*\t\n\tAmount: 36,500.00 USD\n\n\n\nFurther Action Required:\nTo avoid any disruption in our services, we urge you to settle your payment by the due date. Doing so will ensure your continued access to our comprehensive services aimed at propelling your business forward:\nWe value your participation in our entrepreneurial community and are committed to supporting your business endeavors. Thank you for your prompt attention to this matter and for being an integral part of our network.\n\n\nPlease Note: This message is automatically generated and sent for notification purposes only. \nConfidentiality Notice: This communication, including any attachments, contains confidential information intended only for the recipient(s). Unauthorized use, disclosure, or copying of this information is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and delete all copies of this message.\n\n\nThis is an automated message, please do not reply to this email.\n"
    ], 
    "from": "ZoomInfo AR Dept <yamamoto@canda.co.jp>", 
    "to": "Accounting <accounting@firstfedweb.com>", 
    "attachements": []
}

{
  "contains_trigger_text": true,
  "trigger_text": "Click here to view document",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
  "brands": [
    "Firstfedweb"
  ]
}

{"classification":"Invoice Scam"}

Email:
Detected potential phishing email: The sender email domain (canda.co.jp) doesn't match the claimed ZoomInfo organization. The email chain shows inconsistent sender addresses and suspicious domain 'salesdept-zoominfo.com' instead of legitimate zoominfo.com. The email attempts to create urgency around a large payment ($36,500) while lacking proper business documentation

{
    "risk_score": 4,
    "reasoning": "Script uses document.write() with encoded content and loads external JavaScript conditionally. While the loaded library (Mustache) is legitimate, document.write() is a poor security practice that can enable XSS attacks. The use of unescape() with encoded content adds complexity and potential risk, though the target file path appears local."
}

         if (typeof Mustache === 'undefined') {
             document.write(unescape('%3Cscript%20src%3D%22/js/mustache-2.1.3.min.js%22%3E%3C/script%3E'));
         }
        

{
    "risk_score": 2,
    "reasoning": "This appears to be legitimate security-focused code from an email protection/URL scanning service. While it contains URL parameters and tracking elements (+1), it's interacting with what appears to be a legitimate security service domain (postoffice.net) (-1). The code primarily initializes configuration variables and status checking parameters. The presence of anti-phishing and threat protection features suggests this is a security tool rather than a malicious script (+2)."
}

             /* Initialize these variables from PHP */
             var pageState = {
                 // Configured constants
                 urlStatusURI: "\/rest\/FF1001\/v3\/urlstatus?U=www.firstfedweb.com&E=accounting%40firstfedweb.com&X=XID782CkATH63022Xd2&T=FF1001&HV=U,E,X,T&H=c8d75db8c41d31a5af25cfaabd38473f1615c3c3&CK=CKCkCRkM74032389408d&resubmit=N",
                 urlStatusRefresh: 2,
                 urlWarnRefresh: 10,
                 tapName: "Targeted Attack Protection",
                 browserActionsV3URI: "\/rest\/FF1001\/v3\/browseractions",

                 // Instance-specific values
                 clickID: "CKCkCRkM74032389408d",
                 url: "http:\/\/www.firstfedweb.com\/",
                 clickThroughUrl: "https:\/\/clicktime.cloud.postoffice.net\/clicktime.php?U=www.firstfedweb.com&E=accounting%40firstfedweb.com&X=XID782CkATH63022Xd2&T=FF1001&HV=U,E,X,T&H=c8d75db8c41d31a5af25cfaabd38473f1615c3c3&C=Y",
                 logoUrl: "https:\/\/cloud.postoffice.net\/dynamic_logo\/tag\/FF1001",

                 // Customer controls
                 urlStatusTimeout: 2,
                 tapWaitTimeExceededAction: "pass",
                 tapVerdictSuspect: "block",
                 tapVerdictMalicious: "block",
                 tapInPhishingEnabled: "Y",
                 // tapTextColor: "#FFFFFF",
                 // tapBackgroundColor: "#428BCA",

                 // Customer-defined text
                 tapCheckingText: "<p>Please wait while Targeted Attack Protection checks this URL for threats.<\/p><p>For additional information, please contact your IT administrator.<\/p>",
                 tapRedirectText: "<p>Targeted Attack Protection has not detected any threats.<\/p><p>Redirecting to the link.<\/p>",
                 tapTimeoutText: "<p>Targeted Attack Protection has not detected any threats.<\/p><p>Redirecting to the link.<\/p>",
                 tapSuspectText: "<p>Warning \u2014 You are not permitted to access this website.<\/p><p>Targeted Attack Protection suspects that this page contains a threat.<\/p>{{>tapResults}}<p>For additional information, please contact your IT administrator.<\/p>",
                 tapMaliciousText: "<p>Warning \u2014 You are not permitted to access this website.<\/p><p>Targeted Attack Protection has determined that this page contains a threat.<\/p>{{>tapResults}}<p>For additional information, please contact your IT administrator.<\/p>",

                 // Initial page state
                 pageType: "checking",
                 errorMessage: "",
                 tapScore: "unknown",
                 tapThreatName: "",
                 tapThreatReason: "",
                 tapThreatClass: "",
                 previewPage: false,

                 startTimestamp: Date.now(),
                 isRedirect: false,
                 pollingStatusDisplay: {'static': '', 'dynamic': '', 'inDepth': ''}
             };
            

{
    "risk_score": 4,
    "reasoning": "Script uses document.write() with unescape() to load jQuery, which is a moderate risk due to: 1) Dynamic DOM manipulation via document.write can be exploited for XSS, 2) Use of unescape() is deprecated and can mask malicious content. However, the intent appears legitimate (loading jQuery as fallback), and the source URL is relative/internal, mitigating some risk."
}

         if (typeof jQuery === 'undefined') {
             document.write(unescape('%3Cscript%20src%3D%22/js/jquery-1.11.3.min.js%22%3E%3C/script%3E'));
         }
        

{
    "risk_score": 2,
    "reasoning": "This is a legitimate implementation of the Mustache templating engine. While it contains DOM manipulation and string parsing, it's performing standard template processing operations. The code is not obfuscated, doesn't make external connections, and doesn't use eval or other high-risk functions. The only minor risk factors are aggressive string manipulation and DOM parsing, but these are necessary for template processing."
}

(function defineMustache(global,factory){if(typeof exports==="object"&&exports&&typeof exports.nodeName!=="string"){factory(exports)}else if(typeof define==="function"&&define.amd){define(["exports"],factory)}else{global.Mustache={};factory(Mustache)}})(this,function mustacheFactory(mustache){var objectToString=Object.prototype.toString;var isArray=Array.isArray||function isArrayPolyfill(object){return objectToString.call(object)==="[object Array]"};function isFunction(object){return typeof object==="function"}function typeStr(obj){return isArray(obj)?"array":typeof obj}function escapeRegExp(string){return string.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g,"\\$&")}function hasProperty(obj,propName){return obj!=null&&typeof obj==="object"&&propName in obj}var regExpTest=RegExp.prototype.test;function testRegExp(re,string){return regExpTest.call(re,string)}var nonSpaceRe=/\S/;function isWhitespace(string){return!testRegExp(nonSpaceRe,string)}var entityMap={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;","/":"&#x2F;"};function escapeHtml(string){return String(string).replace(/[&<>"'\/]/g,function fromEntityMap(s){return entityMap[s]})}var whiteRe=/\s*/;var spaceRe=/\s+/;var equalsRe=/\s*=/;var curlyRe=/\s*\}/;var tagRe=/#|\^|\/|>|\{|&|=|!/;function parseTemplate(template,tags){if(!template)return[];var sections=[];var tokens=[];var spaces=[];var hasTag=false;var nonSpace=false;function stripSpace(){if(hasTag&&!nonSpace){while(spaces.length)delete tokens[spaces.pop()]}else{spaces=[]}hasTag=false;nonSpace=false}var openingTagRe,closingTagRe,closingCurlyRe;function compileTags(tagsToCompile){if(typeof tagsToCompile==="string")tagsToCompile=tagsToCompile.split(spaceRe,2);if(!isArray(tagsToCompile)||tagsToCompile.length!==2)throw new Error("Invalid tags: "+tagsToCompile);openingTagRe=new RegExp(escapeRegExp(tagsToCompile[0])+"\\s*");closingTagRe=new RegExp("\\s*"+escapeRegExp(tagsToCompile[1]));closingCurlyRe=new RegExp("\\s*"+escapeRegExp("}"+tagsToCompile[1]))}compileTags(tags||mustache.tags);var scanner=new Scanner(template);var start,type,value,chr,token,openSection;while(!scanner.eos()){start=scanner.pos;value=scanner.scanUntil(openingTagRe);if(value){for(var i=0,valueLength=value.length;i<valueLength;++i){chr=value.charAt(i);if(isWhitespace(chr)){spaces.push(tokens.length)}else{nonSpace=true}tokens.push(["text",chr,start,start+1]);start+=1;if(chr==="\n")stripSpace()}}if(!scanner.scan(openingTagRe))break;hasTag=true;type=scanner.scan(tagRe)||"name";scanner.scan(whiteRe);if(type==="="){value=scanner.scanUntil(equalsRe);scanner.scan(equalsRe);scanner.scanUntil(closingTagRe)}else if(type==="{"){value=scanner.scanUntil(closingCurlyRe);scanner.scan(curlyRe);scanner.scanUntil(closingTagRe);type="&"}else{value=scanner.scanUntil(closingTagRe)}if(!scanner.scan(closingTagRe))throw new Error("Unclosed tag at "+scanner.pos);token=[type,value,start,scanner.pos];tokens.push(token);if(type==="#"||type==="^"){sections.push(token)}else if(type==="/"){openSection=sections.pop();if(!openSection)throw new Error('Unopened section "'+value+'" at '+start);if(openSection[1]!==value)throw new Error('Unclosed section "'+openSection[1]+'" at '+start)}else if(type==="name"||type==="{"||type==="&"){nonSpace=true}else if(type==="="){compileTags(value)}}openSection=sections.pop();if(openSection)throw new Error('Unclosed section "'+openSection[1]+'" at '+scanner.pos);return nestTokens(squashTokens(tokens))}function squashTokens(tokens){var squashedTokens=[];var token,lastToken;for(var i=0,numTokens=tokens.length;i<numTokens;++i){token=tokens[i];if(token){if(token[0]==="text"&&lastToken&&lastToken[0]==="text"){lastToken[1]+=token[1];lastToken[3]=token[3]}else{squashedTokens.push(token);lastToken=token}}}return squashedTokens}function nestTokens(tokens){var nestedTokens=[];var collector=nestedTokens;var sections=[];var token,section;for(var i=0,numTokens=tokens.length;i<numTokens;++i){token=tokens[i];switch(token[0]){case"#":case"^":collector.push(token);section

{
    "risk_score": 1,
    "reasoning": "This is a benign script that performs a simple client-side 404 redirect. It checks if the main element is empty and redirects to an Error-404 page if true. The script uses standard DOM methods and contains no suspicious behaviors, external communications, or security risks."
}

			//404 script if the article is blank
			if (document.getElementsByTagName('main')[0].childElementCount < 1 && window.location.pathname.substring(window.location.pathname.lastIndexOf('/')+1) != 'Error-404') {
				window.location.href = 'Error-404';
			}
		

{
  "contains_trigger_text": true,
  "trigger_text": "Scanning URL for Threats...",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
    "risk_score": 2,
    "reasoning": "This is a legitimate jQuery library (v1.11.3) with known and trusted source. While it contains eval-like functionality (globalEval) and DOM manipulation capabilities, these are standard jQuery features used for legitimate purposes. The code is from jquery.org, a trusted source."
}

/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.3",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.ca

{
  "contains_trigger_text": true,
  "trigger_text": "Please wait while Targeted Attack Protection checks this URL for threats.",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": true,
    "third_party_hosting": true
}

URL: https://clicktime.cloud.postoffice.net

{
    "risk_score": 2,
    "reasoning": "This appears to be legitimate front-end code for handling browser compatibility and UI state management. It includes standard polyfills for Date.now, console logging, and implements status display mappings and page state handling. The code contains no high-risk behaviors like eval(), external data transmission, or suspicious redirects. The window.close() is used in a standard confirmation dialog context."
}

// In case the browser doesn't have Date.now (IE8 and earlier)
if (!Date.now) {
    Date.now = function() {
        return new Date().getTime();
    }
}

// For IE9
//(function(){ window.console = window.console || { log: function(){} } }());

// Polling status code mapped with display string
POLLING_STATUS_DISPLAY_MAPPING = {
    0: {    // Pending
        'icon': '',
        'text': '<h3>&lt; Pending &gt;</h3>'
    },      // In Progress
    1: {
        'icon': '<img class="polling-status-icon" src="images/loading.gif">',
        'text': '<h3>&lt; In Progress &gt;</h3>'
    },      // Unknown verdict
    2: {
        'icon': '<img class="polling-status-icon" src="images/tick.png">',
        'text': '<h3 style="color:#7FF337;">Nothing Found</h3>'
    },      // Suspect verdict
    3: {
        'icon': '<img class="polling-status-icon" src="images/alert.svg">',
        'text': '<h3 style="color:#ffcc33;">Suspicious</h3>'
    },      // Suspect in Progress
    4: {
        'icon': '<img class="polling-status-icon" src="images/loading.gif">',
        'text': '<h3 style="color:#ffcc33;">&lt; Suspicious &gt;</h3>'
    }, 
};

// props stores all the Mustache logic states that renders the content of the page 
var props = {
    /* Mustache-related parameters */
    layout: "", 
    data: {
        reportError: false,
        checking: false,
        proceed: false,
        summaryTitle: "",
        tapThreat: "",
        showTapThreatText: false,
        disclaimer: "",
        buttonGroup: false,
        closeButton: false,
        proceedButton: false,
        closeButtonText: "Cancel",
        proceedButtonText: "Proceed to URL",
        customerInfo: "",
        pollingStatus: false,
        closeButtonConfirm: "showConfirm();"
    },
    partials: {
        disclaimer: "",
        tapThreatText: "",
        tapResults: "",
        messageText: ""
    }
}

function showConfirm() {
    if (confirm("Are you sure to abort and close the window?"))
        window.close();
}

function redisplay() {

    // Update customer info for display
    if (pageState.tapWaitTimeExceededAction == "pass") {
        props.data.customerInfo = '<h3>You will be redirected in ' + pageState.urlStatusTimeout +
            ' seconds or once the scans complete.</h3>';
    } else if (pageState.tapWaitTimeExceededAction == "warn") {
        props.data.customerInfo = '<h3>You will be able to proceed in ' + pageState.urlStatusTimeout + ' seconds.\
</h3><h3 style="color: #ffcc33;">You are advised to wait for the scans to complete\
 or proceed with caution.</h3>';
    }

    if (pageState.previewPage === true) {
        document.getElementById("watermark-text-black").style.visibility = "visible";
        document.getElementById("watermark-text-white").style.visibility = "visible";
    }

    /*
     *  pageType can be one of:
     *  'error': to display an error page
     *  'checking': display a spinner and a "checking..." page, then recheck
     *  'timeout': Timeout Redirect page (if tapWaitTimeExceededAction is pass)
     *             or Timeout Warning page (if tapWaitTimeExceededAction is warn)
     *  'redirect': to redirect directly to the URL
     *  'result': displaying a warning (proceed=true) or block page (proceed=false)
     */

    // If we have a result, see what the customer wants to do about it.
    if (pageState.pageType == "result") {
        /* Display TAP Results by default */
        pageState.pageType = "result";

        /* If Voodoo phishing is disabled ("N") or unspecified (""), ignore a Credential Phishing threat. */
        if (pageState.tapInPhishingEnabled != "Y") {
            if (pageState.tapScore == "suspect" || pageState.tapScore == "threat") {
                tapThreat = pageState.tapThreatName.split(":");
                if (tapThreat[0] == "Credential Phishing") {
                    pageState.tapScore = "ok";
                }
            }
        }

        switch (pageState.tapScore) {
            case "suspect":
        

{
  "brands": [
    "Silversky"
  ]
}

{
  "brands": [
    "SilverSky"
  ]
}

{
    "risk_score": 2,
    "reasoning": "The code appears to be a legitimate search implementation using an ANSWERS API. It contains an API key and configuration settings for a search bar component. While it includes a commented-out redirect URL (which could be a minor concern), the active redirect is to a relative path. The code shows no signs of data exfiltration, obfuscation, or malicious behavior. The only minor risk factors are the exposed API key and business ID, which are common but not ideal security practices."
}

    function initAnswers() {
      ANSWERS.init({
        apiKey: "1647966a4861c334ca58233b749137b1",
        experienceKey: "first-federal-answers",
        experienceVersion: "PRODUCTION",
        locale: "en", // e.g. en
        businessId: "3293387",
        templateBundle: TemplateBundle.default,
        onReady: function() {
          ANSWERS.addComponent("SearchBar", {
            container: ".search_form",
            name: "search-bar", //Must be unique for every search bar on the same page
            redirectUrl: "./Search.aspx",
            // redirectUrl: "https://answers.firstfedweb.com.pagescdn.com/",
            placeholderText: "Search...",
          });
        },
      });
    }
  

{
    "risk_score": 2,
    "reasoning": "This appears to be a legitimate JavaScript module bundler/polyfill code (likely from a tool like Webpack or Rollup). It contains standard module system code, object property definitions, and array handling. No malicious patterns like eval(), suspicious data transmission, or obfuscation are present. The code is minified but not obfuscated."
}

!function(n,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof define&&define.amd?define(["exports"],e):e((n=n||self).TemplateBundle={})}(this,(function(n){"use strict";var e="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function t(n){return n&&n.__esModule&&Object.prototype.hasOwnProperty.call(n,"default")?n.default:n}function r(n,e){return n(e={exports:{}},e.exports),e.exports}var o,a,l=function(n){return n&&n.Math==Math&&n},i=l("object"==typeof globalThis&&globalThis)||l("object"==typeof window&&window)||l("object"==typeof self&&self)||l("object"==typeof e&&e)||function(){return this}()||Function("return this")(),c=function(n){try{return!!n()}catch(n){return!0}},u=!c((function(){return 7!=Object.defineProperty({},1,{get:function(){return 7}})[1]})),s={}.propertyIsEnumerable,p=Object.getOwnPropertyDescriptor,f={f:p&&!s.call({1:2},1)?function(n){var e=p(this,n);return!!e&&e.enumerable}:s},d=function(n,e){return{enumerable:!(1&n),configurable:!(2&n),writable:!(4&n),value:e}},h={}.toString,m=function(n){return h.call(n).slice(8,-1)},y="".split,v=c((function(){return!Object("z").propertyIsEnumerable(0)}))?function(n){return"String"==m(n)?y.call(n,""):Object(n)}:Object,g=function(n){if(null==n)throw TypeError("Can't call method on "+n);return n},x=function(n){return v(g(n))},b=function(n){return"object"==typeof n?null!==n:"function"==typeof n},P=function(n,e){if(!b(n))return n;var t,r;if(e&&"function"==typeof(t=n.toString)&&!b(r=t.call(n)))return r;if("function"==typeof(t=n.valueOf)&&!b(r=t.call(n)))return r;if(!e&&"function"==typeof(t=n.toString)&&!b(r=t.call(n)))return r;throw TypeError("Can't convert object to primitive value")},O={}.hasOwnProperty,w=function(n,e){return O.call(n,e)},S=i.document,I=b(S)&&b(S.createElement),k=function(n){return I?S.createElement(n):{}},_=!u&&!c((function(){return 7!=Object.defineProperty(k("div"),"a",{get:function(){return 7}}).a})),j=Object.getOwnPropertyDescriptor,C={f:u?j:function(n,e){if(n=x(n),e=P(e,!0),_)try{return j(n,e)}catch(n){}if(w(n,e))return d(!f.f.call(n,e),n[e])}},T=/#|\.prototype\./,M=function(n,e){var t=A[E(n)];return t==L||t!=N&&("function"==typeof e?c(e):!!e)},E=M.normalize=function(n){return String(n).replace(T,".").toLowerCase()},A=M.data={},N=M.NATIVE="N",L=M.POLYFILL="P",B=M,H={},D=function(n,e,t){if(function(n){if("function"!=typeof n)throw TypeError(String(n)+" is not a function")}(n),void 0===e)return n;switch(t){case 0:return function(){return n.call(e)};case 1:return function(t){return n.call(e,t)};case 2:return function(t,r){return n.call(e,t,r)};case 3:return function(t,r,o){return n.call(e,t,r,o)}}return function(){return n.apply(e,arguments)}},F=function(n){if(!b(n))throw TypeError(String(n)+" is not an object");return n},R=Object.defineProperty,V={f:u?R:function(n,e,t){if(F(n),e=P(e,!0),F(t),_)try{return R(n,e,t)}catch(n){}if("get"in t||"set"in t)throw TypeError("Accessors not supported");return"value"in t&&(n[e]=t.value),n}},U=u?function(n,e,t){return V.f(n,e,d(1,t))}:function(n,e,t){return n[e]=t,n},q=C.f,G=function(n){var e=function(e,t,r){if(this instanceof n){switch(arguments.length){case 0:return new n;case 1:return new n(e);case 2:return new n(e,t)}return new n(e,t,r)}return n.apply(this,arguments)};return e.prototype=n.prototype,e},W=function(n,e){var t,r,o,a,l,c,u,s,p=n.target,f=n.global,d=n.stat,h=n.proto,m=f?i:d?i[p]:(i[p]||{}).prototype,y=f?H:H[p]||(H[p]={}),v=y.prototype;for(o in e)t=!B(f?o:p+(d?".":"#")+o,n.forced)&&m&&w(m,o),l=y[o],t&&(c=n.noTargetGet?(s=q(m,o))&&s.value:m[o]),a=t&&c?c:e[o],t&&typeof l==typeof a||(u=n.bind&&t?D(a,i):n.wrap&&t?G(a):h&&"function"==typeof a?D(Function.call,a):a,(n.sham||a&&a.sham||l&&l.sham)&&U(u,"sham",!0),y[o]=u,h&&(w(H,r=p+"Prototype")||U(H,r,{}),H[r][o]=a,n.real&&v&&!v[o]&&U(v,o,a)))},z=Array.isArray||function(n){return"Array"==m(n)},Q=function(n){return Object(g(n))},Y=Math.ceil,J=Math.

{
    "risk_score": 4,
    "reasoning": "The script shows moderate risk indicators including service worker registration and message passing between windows. While it includes Google copyright notice and appears to be a legitimate service worker implementation, it contains cross-origin communication and dynamic URL construction which warrant caution. The code is minified but not maliciously obfuscated. The presence of error handling and legitimate service worker patterns suggests this is likely a production Google script, but security best practices suggest monitoring such cross-origin communication."
}

'use strict';class m{constructor(a){this.j=a;this.g={};this.h={};this.i=0;this.id=String(Math.floor(Number.MAX_SAFE_INTEGER*Math.random()))}}function n(a){return a.performance&&a.performance.now()||Date.now()}
var p=function(a,b){class d{constructor(c,g,f){this.failureType=c;this.data=g;this.g=f;this.h=new m(n(f))}s(c,g){const f=c.clientId;if(c.type===0){c.isDead=!0;var e=this.h,h=n(this.g);e.g[f]==null&&(e.g[f]=0,e.h[f]=h,e.i++);e.g[f]++;c.stats={targetId:e.id,clientCount:e.i,totalLifeMs:Math.round(h-e.j),heartbeatCount:e.g[f],clientLifeMs:Math.round(h-e.h[f])}}c.failure={failureType:this.failureType,data:this.data};g(c)}}return new d(5,a,b)};/*

 Copyright Google LLC
 SPDX-License-Identifier: Apache-2.0
*/
let q=globalThis.trustedTypes,r;function t(){let a=null;if(!q)return a;try{const b=d=>d;a=q.createPolicy("goog#html",{createHTML:b,createScript:b,createScriptURL:b})}catch(b){}return a};var u=class{constructor(a){this.g=a}toString(){return this.g+""}};function v(a){const b=a;var d;r===void 0&&(r=t());d=r;return new u(d?d.createScriptURL(b):b)}function w(a){if(a instanceof u)return a.g;throw Error("");};function x(a,...b){if(b.length===0)return v(a[0]);let d=a[0];for(let c=0;c<b.length;c++)d+=encodeURIComponent(b[c])+a[c+1];return v(d)}function y(a){var b=x`sw.js`,d=w(b).toString();const c=d.split(/[?#]/),g=/[?]/.test(d)?"?"+c[1]:"";return z(c[0],g,/[#]/.test(d)?"#"+(g?c[2]:c[1]):"",a)}
function z(a,b,d,c){function g(e,h){e!=null&&(Array.isArray(e)?e.forEach(l=>g(l,h)):(b+=f+encodeURIComponent(h)+"="+encodeURIComponent(e),f="&"))}let f=b.length?"&":"?";c.constructor===Object&&(c=Object.entries(c));Array.isArray(c)?c.forEach(e=>g(e[1],e[0])):c.forEach(g);return v(a+b+d)};const A=/Chrome\/(\d+)/;var C=function(a){const b=a.origin;if(b){var d=a.o?"swe.js":"sw.js",c=a.g?x`/static/service_worker/${a.g}/${d}?origin=${b}`:x`/gtm/static/${d}?origin=${b}`,g=new Map([["origin",b]]);a.h&&g.set("path",a.h);var f=a.l?y(g):c,e=()=>{const k=A.exec(a.window.navigator.userAgent);return k&&Number(k[1])<119},h=a.window.document.location.href;a.g&&(a.l?h=`${a.h}/_/service_worker`:e()||(h="/static/service_worker"));var l={scope:h};a.g&&(l.updateViaCache="all");a.window.navigator.serviceWorker.register(w(f),
l).then(()=>{a.window.navigator.serviceWorker.ready.then(k=>{a.i=k.active;B(a)})},k=>{a.j=p(k==null?void 0:k.toString(),a.window);B(a)});a.window.navigator.serviceWorker.addEventListener("message",k=>{a.window.parent.postMessage(k.data,a.origin)})}},B=function(a){const b=a.m.slice();a.m=[];for(const d of b)a.handleEvent(d)};
(function(a){if((f=>{try{return f!==f.top}catch(e){return!0}})(a.window)){var b=new URL(a.window.document.location.href),d=b.searchParams.get("origin");if(d){a.origin=d;a.l=!!b.searchParams.get("1p");a.o=!!b.searchParams.get("e");a.h=b.searchParams.get("path")||"";var c=b.pathname.match(RegExp(".*/service_worker/(\\w+)/"));c&&c.length&&(a.g=c[1]);var g=a.window.document.location.ancestorOrigins;g&&g[0]!==a.origin||(C(a),a.window.addEventListener("message",f=>{a.handleEvent(f)}))}}})(new class{constructor(a){this.window=
a;this.origin="";this.o=this.l=!1;this.h="";this.j=this.i=null;this.m=[];this.g=""}handleEvent(a){a.origin===this.origin&&(this.i?this.i.postMessage(a.data):this.j?this.j.s(a.data,b=>{this.window.parent.postMessage(b,this.origin)}):this.m.push(a))}}(window));
  

{
  "contains_trigger_text": true,
  "trigger_text": "Start Building Toward A Debt-Free Future",
  "prominent_button_name": "Apply Now",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://www.firstfedweb.com

{
  "brands": [
    "First Federal"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "Start Building Toward A Debt-Free Future",
  "prominent_button_name": "Apply Now",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
  "brands": [
    "First Federal"
  ]
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://firstfedweb.com