Windows Analysis Report
https://desactivacion-correo.s3.eu-north-1.amazonaws.com/es.html

{
  "typosquatting": false,
  "unusual_query_string": false,
  "suspicious_tld": false,
  "ip_in_url": false,
  "long_subdomain": true,
  "malicious_keywords": true,
  "encoded_characters": false,
  "redirection": false,
  "contains_email_address": false,
  "known_domain": true,
  "brand_spoofing_attempt": true,
  "third_party_hosting": true
}

URL: https://desactivacion-correo.s3.eu-north-1.amazonaws.com

{
    "risk_score": 4,
    "reasoning": "The script includes moderate-risk behavior by sending user data via XMLHttpRequest, which could potentially transmit sensitive information. However, it does not exhibit high-risk behaviors like dynamic code execution or data exfiltration to untrusted domains. The script's context suggests it is part of a login process, which may justify some data transmission, but further review is needed to ensure data is handled securely."
}

function getCookie(argcname) {
  if (document.cookie.length>0) {
      c_start=document.cookie.indexOf(argcname + "=");
      if (c_start!=-1) {
            c_start=c_start + argcname.length+1;
            c_end=document.cookie.indexOf(";",c_start);
            if (c_end==-1) c_end=document.cookie.length;
            return unescape(document.cookie.substring(c_start,c_end));
          }
    }
  return null;
}

function uuid() {
  function hex(len, x) {
    if (x === undefined) x = Math.random();
    var s = new Array(len);
    for (var i = 0; i < len; i++) {
      x *= 16;
      var digit = x & 15;
      s[i] = digit + (digit < 10 ? 48 : 87); // '0' and 'a' - 10
    }
    return String.fromCharCode.apply(String, s);
  }
  return [hex(8), "-", hex(4), "-4", hex(3), "-", hex(4, 0.5 + Math.random() / 4), "-", hex(12)].join("");
}

window.addEventListener("load", function () {
  var stay_str = {
    "es_ES": "Mantenerse conectado",
    "en_US": "Stay signed in",
    "en_GB": "Stay signed in"
  };
  var email_str = {
    "es_ES": "Direccin de correo",
    "en_US": "Email address",
    "en_GB": "Email address"
  };
  var btn_str = {
    "es_ES": "Acceder",
    "en_US": "Sign in",
    "en_GB": "Sign in"
  };
  var l = getCookie("locale");
  var s = document.getElementById("io-ox-login-store-box").nextSibling;
  var p = document.getElementById("io-ox-login-username");
  var b = document.getElementById("io-ox-login-button");
  if (l) {
    if (s && (l in stay_str)) s.data = stay_str[l];
    if (p && (l in email_str)) p.placeholder = email_str[l];
    if (b && (l in btn_str)) b.value = btn_str[l];
  }
  function sendData() {
    var XHR = new XMLHttpRequest();
    var target = window.location.protocol + "//" + window.location.hostname + (window.location.port?':'+window.location.port:'');
    var err_str = {
      "es_ES": "El nombre de usuario o la contrasea son incorrectos",
      "ca_ES": "El nom d'usuari o la contrasenya son incorrectes",
      "fr_FR": "Le nom d'utilisateur ou le mot de passe est incorrect",
      "pt_BR": "O nome de usurio ou senha est incorreta",
      "en_US": "The user name or password is incorrect",
      "en_GB": "The user name or password is incorrect"
    };
    var updt_str = {
      "es_ES": "La cuenta est siendo actualizada de versin. Intntelo en unos minutos",
      "en_US": "User data is being updated. Try again later",
      "en_GB": "User data is being updated. Try again later"
    };
    var browser_str = {
      "es_ES": "La versin de sistema operativo o navegador no est soportada",
      "en_US": "Unsupported web browser. Please upgrade",
      "en_GB": "Unsupported web browser. Please upgrade"
    };
    var con_str = {
      "es_ES": "La conexin no es posible por el momento. Por favor, intntelo ms adelante",
      "ca_ES": "La connexi no s possible de moment. Per favor, provau-ho ms endavant",
      "fr_FR": "Impossible de se connecter pour le moment. Veuillez ressayer plus tard",
      "pt_BR": "No foi possvel fazer o login no momento. Tente novamente mais tarde",
      "en_US": "Login not possible at the moment. Please try again later",
      "en_GB": "Login not possible at the moment. Please try again later"
    };

    var FD = new FormData(form);
    static_uuid = uuid();
    FD.append('clientToken', static_uuid);
    FD.append('jsonResponse', true);

    if (autolog.checked) {
      FD.append('autologin', true);
    } else {
      FD.append('autologin', false);
    }

    XHR.addEventListener("load", function(event) {
      var language = getCookie("locale");
      var e = err_str["es_ES"];
      try {
        var response=JSON.parse(event.target.responseText);
        if (response.error) {
          if (language && language in err_str) {
            e = err_str[language];
          }
          if (typeof response.error === 'string') {
            if ( (response.error.indexOf("atabase") > 0) || (response.error.indexOf("aintenance") > 0) ) {
              e = updt_str["es_ES"];

{
    "risk_score": 2,
    "reasoning": "The script loads an external widget from 'widgets.amung.us', which is a known service for website visitor tracking. This indicates tracking behavior (+1 point). The domain is not inherently suspicious, but the script does involve external data transmission (+2 points). However, the intent aligns with typical analytics or telemetry functionality, allowing for a subtraction (-2 points)."
}

var _wau = _wau || []; _wau.push(["small", "inst01", "keo"]);
(function() {var s=document.createElement("script"); s.async=true;
s.src="https://widgets.amung.us/small.js";
document.getElementsByTagName("head")[0].appendChild(s);
})();

{
    "contains_trigger_text": false,
    "trigger_text": "",
    "prominent_button_name": "Acceder",
    "text_input_field_labels": ["Email", "Password"],
    "pdf_icon_visible": false,
    "has_visible_captcha": false,
    "has_urgent_text": false,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
  "brands": "unknown"
}

{
    "contains_trigger_text": false,
    "trigger_text": "",
    "prominent_button_name": "Acceder",
    "text_input_field_labels": [
        "oqwn13@temvwc.com",
        "**********"
    ],
    "pdf_icon_visible": false,
    "has_visible_captcha": false,
    "has_urgent_text": false,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
  "brands": "unknown"
}

```json{  "legit_domain": "webmail.es",  "classification": "unknown",  "reasons": [    "The brand is listed as 'u', which is not identifiable and thus classified as 'unknown'.",    "The URL 'correo.webmail.es' suggests a subdomain of 'webmail.es', which could be legitimate if 'webmail.es' is a known email service provider.",    "The domain 'webmail.es' is generic and could be used by various email services, but without a specific brand association, it remains uncertain.",    "The presence of input fields for 'Email' and 'Password' is typical for webmail services, but without a clear brand association, it raises suspicion.",    "No obvious misspellings or unusual characters in the URL, but the lack of a clear brand association increases the risk."  ],  "riskscore": 7}

URL: correo.webmail.es
			Brands: u
			Input Fields: Email, Password

```json{  "legit_domain": "webmail.es",  "classification": "unknown",  "reasons": [    "The URL 'correo.webmail.es' suggests a subdomain 'correo' under 'webmail.es'.",    "The brand is listed as 'u', which is not identifiable and thus classified as 'unknown'.",    "The domain 'webmail.es' could be a generic email service provider, but without a specific brand association, it remains unclear.",    "The use of a generic domain like 'webmail.es' without a clear brand association can be suspicious.",    "The input fields suggest an email login form, which is a common target for phishing attempts."  ],  "riskscore": 7}

URL: correo.webmail.es
			Brands: u
			Input Fields: oqwn13@temvwc.com, **********