URL: email Model: Joe Sandbox AI |
{
"explanation": [
"The email contains multiple attachments with .shtml extensions, which is unusual for legitimate communications and could be used to deliver malicious content.",
"The sender's email address 'Carisls@carisls.com' appears to be similar to the recipient's domain, which could be an attempt to impersonate a legitimate internal communication.",
"The email lacks a clear message body and context, which is typical of phishing attempts that rely on attachments to convey their malicious intent."
],
"phishing": true,
"confidence": 8,
"generated_by_ai": false
} |
{
"date": "Wednesday-December-2024 06:50 AM",
"subject": "Open Benefit eligible for dspetzler on 11/12/24",
"communications": [
"\n[cid:image001.png@01D9AD87.FE3310D0]\nIT Operations Manager\n\n\n\n\n\n"
],
"from": "Carisls <Carisls@carisls.com>",
"to": "dspetzler@carisls.com",
"attachements": [
"Carisls Eligible Finance Insurance Benefits Open Enrollment Plan.shtml",
"Carisls Health Insurance Benefits Open Enrollment Plan.shtml",
"Carisls Life Insurance Benefits Open Enrollment Plan.shtml"
]
} |
URL: Email Model: Joe Sandbox AI |
{
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": true,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: Email Model: Joe Sandbox AI |
{
"brands": [
"Zix"
]
} |
|
URL: Email Model: Joe Sandbox AI | {"classification":"unknown"} |
Email:
Detected potential phishing email: The email contains multiple attachments with .shtml extensions, which is unusual for legitimate communications and could be used to deliver malicious content. The sender's email address 'Carisls@carisls.com' appears to be similar to the recipient's domain, which could be an attempt to impersonate a legitimate internal communication. The email lacks a clear message body and context, which is typical of phishing attempts that rely on attachments to convey their malicious intent. |
URL: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/IAARQ9SN/Carisls%20401k%20Retirement%20Plan.shtml Model: Joe Sandbox AI |
{
"contains_trigger_text": true,
"trigger_text": "Click the link below to access your personalized open enrollment information for your completion:",
"prominent_button_name": "Complete your Open Enrollment Form",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/IAARQ9SN/Carisls%20401k%20Retirement%20Plan.shtml Model: Joe Sandbox AI |
{
"brands": "unknown"
} |
|
URL: https://msigroupinc.pccwv.com Model: Joe Sandbox AI |
{"typosquatting":false, "unusual_query_string":false, "suspicious_tld":false, "ip_in_url":false, "long_subdomain":false, "malicious_keywords":false, "encoded_characters":false, "redirection":false, "contains_email_address":false, "known_domain":false, "brand_spoofing_attempt":false, "third_party_hosting":false} |
URL: https://msigroupinc.pccwv.com |
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#ZHNwZXR6bGVyQGNhcmlzbHMuY29t Model: Joe Sandbox AI |
{
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": true,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: https://msigroupinc.pccwv.com/1522b0e919/start?for... Model: Joe Sandbox AI |
{
"risk_score": 6,
"reasoning": "The script contains obfuscated code, which is a high-risk indicator (+3 points). It also includes aggressive DOM manipulation and potential data handling, which are moderate-risk indicators (+2 points). The script's purpose is unclear, and it may be attempting to handle or exfiltrate data, adding to the suspicion (+1 point). No clear legitimate context or trusted domains are evident to reduce the score."
} |
URL: https://challenges.cloudflare.com/turnstile/v0/g/f... Model: Joe Sandbox AI |
{
"risk_score": 1,
"reasoning": "The script does not exhibit any high-risk or moderate-risk behaviors such as dynamic code execution, data exfiltration, or redirects to suspicious domains. It appears to be a utility script with no clear malicious intent, and there are no interactions with external domains or aggressive DOM manipulations."
} |
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#... Model: Joe Sandbox AI |
{
"risk_score": 4,
"reasoning": "The script dynamically creates an iframe and injects a script into it, which is a form of aggressive DOM manipulation. It loads a script from a relative path, which could be benign if hosted on a trusted domain, but the lack of transparency and potential for misuse raises concerns. No high-risk indicators like data exfiltration or redirects to suspicious domains are present, but the behavior warrants further review."
} |
(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8f06bfe439da19c7',t:'MTczMzkzMzQ3Ni4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();
|
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#ZHNwZXR6bGVyQGNhcmlzbHMuY29t Model: Joe Sandbox AI |
{
"brands": "unknown"
} |
|
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#ZHNwZXR6bGVyQGNhcmlzbHMuY29t Model: Joe Sandbox AI |
{
"legit_domain": "msi.com",
"classification": "unknown",
"reasons": [
"The URL 'msigroupinc.pccwv.com' does not match the legitimate domain 'msi.com'.",
"The domain 'pccwv.com' is not associated with any well-known brand.",
"The presence of 'msigroupinc' as a subdomain is suspicious and could indicate phishing.",
"The brand is classified as 'unknown', and there is no clear association with a legitimate brand."
],
"riskscore": 8
} |
URL: msigroupinc.pccwv.com
Brands: u
Input Fields: unknown |
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#ZHNwZXR6bGVyQGNhcmlzbHMuY29t Model: Joe Sandbox AI |
{
"legit_domain": "msi.com",
"classification": "unknown",
"reasons": [
"The URL 'msigroupinc.pccwv.com' does not match the legitimate domain 'msi.com'.",
"The domain 'pccwv.com' is not associated with any well-known brand.",
"The subdomain 'msigroupinc' could be an attempt to mimic a legitimate brand, but it is not a recognized domain for MSI.",
"The brand is classified as 'unknown' due to lack of clear association with a well-known brand.",
"The presence of a subdomain and an unrelated primary domain is a common tactic in phishing attempts."
],
"riskscore": 8
} |
URL: msigroupinc.pccwv.com
Brands: u
Input Fields: unknown |
URL: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/IAARQ9SN/Carisls%20Health%20Insurance%20Benefits%20Open%20Enrollment%20Plan.shtml Model: Joe Sandbox AI |
{
"contains_trigger_text": true,
"trigger_text": "Click the link below to access your personalized open enrollment information for your completion:",
"prominent_button_name": "Complete your Open Enrollment Form",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false
} |
|
URL: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/IAARQ9SN/Carisls%20Health%20Insurance%20Benefits%20Open%20Enrollment%20Plan.shtml Model: Joe Sandbox AI |
{
"brands": "unknown"
} |
|
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#... Model: Joe Sandbox AI |
{
"risk_score": 6,
"reasoning": "The script contains heavily obfuscated code, which is a high-risk indicator (+3 points). The purpose of the script is unclear, and the obfuscation suggests an attempt to hide its true functionality. No specific malicious behavior is identified, but the obfuscation and lack of transparency warrant a medium risk score."
} |
URL: https://msigroupinc.pccwv.com/1522b0e919/start?for... Model: Joe Sandbox AI |
{
"risk_score": 6,
"reasoning": "The script contains obfuscated code, which is a high-risk indicator (+3 points). It also includes a suspicious URL (https://ipapi.co/json/) for external data transmission without transparency (+2 points). The obfuscation and external data transmission suggest potential data exfiltration or malicious intent. No trusted domains or legitimate analytics context is evident to reduce the score."
} |
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#... Model: Joe Sandbox AI |
{
"risk_score": 6,
"reasoning": "The script contains heavily obfuscated code, which is a high-risk indicator (+3 points). The purpose of the script is unclear due to the obfuscation, which raises suspicion. There is no clear indication of data exfiltration or dynamic code execution, but the obfuscation suggests potential hidden behaviors. No adjustments for trusted domains or legitimate contexts are applicable."
} |
URL: https://msigroupinc.pccwv.com/fcasvwvc/01fecef9ea#ZHNwZXR6bGVyQGNhcmlzbHMuY29t Model: Joe Sandbox AI |
{
"legit_domain": "msi.com",
"classification": "unknown",
"reasons": [
"The URL 'msigroupinc.pccwv.com' does not match the legitimate domain 'msi.com'.",
"The domain 'pccwv.com' is not associated with the brand MSI, which is a well-known brand in the technology sector.",
"The presence of 'msigroupinc' as a subdomain is suspicious and could indicate a phishing attempt.",
"The brand is classified as 'unknown' due to the lack of clear association with a well-known brand.",
"The URL structure suggests potential phishing due to the use of a subdomain that mimics a known brand."
],
"riskscore": 8
} |
URL: msigroupinc.pccwv.com
Brands: u
Input Fields: unknown |
URL: https://pccwv.com Model: Joe Sandbox AI |
{
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false
} |
URL: https://pccwv.com |