Windows Analysis Report
5diately.msg

{
    "explanation": [
        "The email uses a suspicious domain 'monitor.accesssecurelogin.me' which is a clear red flag",
        "The subject line contains intentionally misspelled words ('Unuthrized Lg-In') to evade spam filters",
        "The email is mass-sent to many recipients with unusual email patterns (multiple addresses with '+' symbols)"
    ],
    "phishing": true,
    "confidence": 10,
    "generated_by_ai": false
}

{
    "date": "Thu, 19 Dec 2024 22:44:06 +0100", 
    "subject": "Fw: Item shared with you: \"Unuthrized Lg-In Nticed - Pls Rviw Your Aunt Immdiately\"", 
    "communications": [
        "spoof...\n________________________________\n\n", 
        "From: se | nfirm Your ... (via Google Drive) <drive-shares-noreply@google.com>\nSent: Thursday, December 19, 2024 1:19 PM\nTo: etcbilling+haater187@etctracking.com <etcbilling+haater187@etctracking.com>\nCc: johnredmon+hiybloc644@gmail.com <johnredmon+hiybloc644@gmail.com>; bean086+writpar443@gmail.com <bean086+writpar443@gmail.com>; janmarcusesq+harmo587@gmail.com <janmarcusesq+harmo587@gmail.com>; jpabisaleh+monthas739@hotmail.com <jpabisaleh+monthas739@hotmail.com>; justin+exhal945@lindyrealty.com <justin+exhal945@lindyrealty.com>; john+bortthyl757@madetoo.com <john+bortthyl757@madetoo.com>; notarybytoni+beyspac216@gmail.com <notarybytoni+beyspac216@gmail.com>; rollingthunderranchllc+discons339@gmail.com <rollingthunderranchllc+discons339@gmail.com>; scott+exun166@jacksonsells.com <scott+exun166@jacksonsells.com>; usermeetsnyccandles+icclim389@gmail.com <usermeetsnyccandles+icclim389@gmail.com>; hello+adlel883@sipnslaytea.com <hello+adlel883@sipnslaytea.com>; ncholmes3434+coakrath816@gmail.com <ncholmes3434+coakrath816@gmail.com>; ralph+ilat380@blessingsolutionsllc.com <ralph+ilat380@blessingsolutionsllc.com>; tracystoloff+jahrbit135@gmail.com <tracystoloff+jahrbit135@gmail.com>; chet+crabit770@genuinebellinger.com <chet+crabit770@genuinebellinger.com>; abps02+killking169@gmail.com <abps02+killking169@gmail.com>; jdickey+izup434@jtechsolutions.us <jdickey+izup434@jtechsolutions.us>; scalyconcepts+raihar175@outlook.com <scalyconcepts+raihar175@outlook.com>; gaincoffice+zosop442@gmail.com <gaincoffice+zosop442@gmail.com>; paul.baltierra+stopir461@ironmountain.com <paul.baltierra+stopir461@ironmountain.com>; safetyshieldusa+ovac797@gmail.com <safetyshieldusa+ovac797@gmail.com>; toby+milncric690@pelctire.com <toby+milncric690@pelctire.com>; appraisalpartnersinc+permo718@gmail.com <appraisalpartnersinc+permo718@gmail.com>\nSubject: Item shared with you: \"Unuthrized Lg-In Nticed - Pls Rviw Your Aunt Immdiately\" \n \nse | nfirm Your Credentials shared an item\n <https://lh3.googleusercontent.com/a/ACg8ocLlVBAYOXbJP5xut0SrWiR-BH_NZUAAtDpDxzd_AZM0CJOXZAU=s64> \nse | nfirm Your Credentials (mormabeno2000@monitor.accesssecurelogin.me <mailto:mormabeno2000@monitor.accesssecurelogin.me> ) has shared the following item:\n<https://drive.google.com/file/d/1ZZpf4Zlhtjh56ENC16Nv6BpqzFszHoSg/view?usp=sharing_eil&ts=676471c2> \n <https://ssl.gstatic.com/docs/doclist/images/mediatype/icon_3_pdf_x64.png> Unuthrized Lg-In Nticed - Pls Rviw Your Aunt Immdiately\n\t\nOpen <https://drive.google.com/file/d/1ZZpf4Zlhtjh56ENC16Nv6BpqzFszHoSg/view?usp=sharing_eip&ts=676471c2> \nGoogle LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA\nYou have received this email because mormabeno2000@monitor.accesssecurelogin.me <mailto:mormabeno2000@monitor.accesssecurelogin.me>  shared a file or folder located in Google Drive with you.\t  <https://workspace.google.com/> \t \n\n\n <http://www.theetccompanies.com>        \n\nRemittance address:  PO Box 700970, San Antonio, TX  78270\n\n\nThe ETC Companies does not provide tax, legal, or accounting advice. The material in this email is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. \n\nThis message may contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. While ETC prides itself on a secure environment, email transmission without encryption cannot be guaranteed to be secure or error-free, as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.  Therefore, this practice should be avoided.  \n\nPlease make sure that all sensitive/private data is uploaded to https://v2.etctracking.com/login <https://v2.etctracking.com/login> . \n"
    ], 
    "from": "Rhonny Rowden <rhonny@eligibilitytrackingcalculators.com>", 
    "to": "CoreRecon Support <support@corerecon.com>", 
    "attachements": []
}

{
  "contains_trigger_text": true,
  "trigger_text": "Unauthorized Log-In Noticed - Please Review Your Account Immediately",
  "prominent_button_name": "Open",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": true,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Chase"
  ]
}

{"classification":"Credential Stealer"}

Email:
Detected potential phishing email: The email uses a suspicious domain 'monitor.accesssecurelogin.me' which is a clear red flag. The subject line contains intentionally misspelled words ('Unuthrized Lg-In') to evade spam filters. The email is mass-sent to many recipients with unusual email patterns (multiple addresses with '+' symbols)

{
    "risk_score": 1,
    "reasoning": "This script appears to be tracking the 'Cumulative Layout Shift' (CLS) metric, which is a common web performance metric. While it is accessing the `performance` object, which could potentially be used for data exfiltration, the behavior is consistent with legitimate web performance monitoring and does not demonstrate any high-risk indicators."
}

 window['_DRIVE_VIEWER_ctiming']['cls']=performance.now(); 

{
    "risk_score": 1,
    "reasoning": "This code snippet appears to be a simple performance measurement, likely part of a web application's analytics or telemetry functionality. It stores the current time (in milliseconds) since page load in a global object property. This is a common practice and does not demonstrate any high-risk behaviors."
}

 window['_DRIVE_VIEWER_ctiming']['tfs']=performance.now(); 

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a simple assignment of the document's visibility state to a global variable. This behavior is common for analytics or telemetry purposes and does not demonstrate any high-risk indicators. The risk score is low as the code does not exhibit any malicious or suspicious activities."
}

          window['_DRIVE_VIEWER_IVIS'] = document.visibilityState;
        

{
    "risk_score": 1,
    "reasoning": "This code snippet appears to be a simple performance measurement, likely part of a web application's analytics or telemetry functionality. It assigns the current timestamp (from the `performance.now()` method) to a property of the `_DRIVE_VIEWER_ctiming` object. This is a common practice for tracking client-side performance and does not demonstrate any high-risk behaviors."
}

 window['_DRIVE_VIEWER_ctiming']['cle']=performance.now(); 

{
    "risk_score": 1,
    "reasoning": "This script appears to be setting a performance timing value for a Google Drive Viewer, which is a common and benign practice. There are no high-risk indicators present, and the behavior is consistent with legitimate functionality."
}

 window['_DRIVE_VIEWER_ctiming']['hl']=performance.now(); 

{
    "risk_score": 1,
    "reasoning": "This script appears to be tracking performance metrics, which is a common practice for web analytics and optimization purposes. The use of the `performance.now()` API to capture timing information is a legitimate behavior, and there are no clear indicators of malicious intent or high-risk activities."
}

 window['_DRIVE_VIEWER_ctiming']['ogb_hs']=performance.now(); 

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a benign performance measurement, likely part of a web application's analytics or telemetry functionality. It simply records the current time using the `performance.now()` API and assigns it to a property within the `_DRIVE_VIEWER_ctiming` object. This is a common practice for tracking user interactions and page load performance, and does not demonstrate any high-risk behaviors."
}

 window['_DRIVE_VIEWER_ctiming']['difs']=performance.now();

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a benign performance measurement, likely part of a web application's analytics or telemetry functionality. It simply records the current time using the `performance.now()` API and assigns it to a property within the `_DRIVE_VIEWER_ctiming` object. This is a common practice for tracking user interactions and page load performance, and does not demonstrate any high-risk behaviors."
}

 window['_DRIVE_VIEWER_ctiming']['difl']=performance.now();

{
    "risk_score": 1,
    "reasoning": "This script appears to be tracking performance metrics, which is a common practice for web analytics and optimization. While the use of the `performance.now()` API is a low-risk indicator, the overall behavior is consistent with legitimate analytics functionality and does not demonstrate any malicious intent."
}

 window['_DRIVE_VIEWER_ctiming']['ogb_hl']=performance.now(); 

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "Continue",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Chase"
  ]
}

```json
{
    "risk_score": 1,
    "reasoning": "The script appears to be part of Google's infrastructure, interacting with trusted domains like 'google.com' and 'gstatic.com'. It does not exhibit high-risk behaviors such as dynamic code execution or data exfiltration. The presence of URLs and configurations related to Google's services suggests legitimate use, likely for functionality or analytics purposes."
}

;this.gbar_={CONFIG:[[[0,"www.gstatic.com","og.qtm.en_US.otmEBJ358uU.2019.O","com","en","25",0,[4,2,"","","","706535361","0"],null,"y5FpZ_TaDbrGwt0PsumD6As",null,0,"og.qtm.zyyRgCCaN80.L.W.O","AA2YrTu0yU9RTMfNNC-LVUmaaNKwIO136g","AA2YrTs4SLbgh5FvGZPW_Ny7TyTdXfy6xA","",2,1,200,"USA",null,null,"25","25",1,null,null,72175901,1,0],null,[1,0.1000000014901161,2,1],null,[0,0,0,null,"","","","",0,0,0,""],[0,0,"",1,0,0,0,0,0,0,null,0,0,null,0,0,null,null,0,0,0,"","","","","","",null,0,0,0,0,0,null,null,null,"rgba(32,33,36,1)","transparent",0,0,0,null,null,null,0],null,null,["1","gci_91f30755d6a6b787dcc2a4062e6e9824.js","googleapis.client:gapi.iframes","","en"],null,null,null,null,["m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/d=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/m=__features__","https://apis.google.com","","","","",null,1,"es_plusone_gc_20241202.0_p1","en",null,0],[0.009999999776482582,"com","25",[null,"","0",null,1,5184000,null,null,"",null,null,null,null,null,0,null,0,null,1,0,0,0,null,null,0,0,null,0,0,0,0,0],null,null,null,0],[1,null,null,40400,25,"USA","en","706535361.0",8,null,0,0,null,null,null,null,"3700949",null,null,null,"y5FpZ_TaDbrGwt0PsumD6As",0,0,0,null,2,5,"ug",166,0,0,0,0,1,72175901,0,0],[[null,null,null,"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=qabr,q_dnp,qcwid,qapid,qads,q_dg/exm=qaaw,qadd,qaid,qein,qhaw,qhba,qhbr,qhch,qhga,qhid,qhin/d=1/ed=1/rs=AA2YrTu0yU9RTMfNNC-LVUmaaNKwIO136g"],[null,null,null,"https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qcwid/excm=qaaw,qadd,qaid,qein,qhaw,qhba,qhbr,qhch,qhga,qhid,qhin/d=1/ed=1/ct=zgms/rs=AA2YrTs4SLbgh5FvGZPW_Ny7TyTdXfy6xA"]],null,null,null,[[[null,null,[null,null,null,"https://ogs.google.com/widget/callout?dc=1"],null,280,420,47,55,0,null,0,null,null,8000,null,71,4,null,null,null,null,null,null,null,null,76,null,null,null,107,108,109,"",null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,0]],null,null,"25","25",1,0,null,"en",1,null,0,0,0,[null,"",null,null,null,0,null,0,0,"","","","https://ogads-pa.googleapis.com",0,0,0,"","",0,0,null,86400,null,1,1,null,0,null,1],0,null,null,null,1]]],};this.gbar_=this.gbar_||{};(function(_){var window=this;
try{
_._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([]);
/*

 Copyright The Closure Library Authors.
 SPDX-License-Identifier: Apache-2.0
*/
var ca,ja,ka,oa,qa,ra,Aa,Ba,Da,Ea,Fa,Ia,Va,Ua,Ya,$a,Za,ab,bb,eb,fb,jb,mb,gb,lb,kb,ib,hb,nb,pb,wb,Ab,Bb,Cb,Db;_.aa=function(a,b){if(Error.captureStackTrace)Error.captureStackTrace(this,_.aa);else{const c=Error().stack;c&&(this.stack=c)}a&&(this.message=String(a));b!==void 0&&(this.cause=b)};_.ba=function(a){a.Hj=!0;return a};ca=function(a,b){if(a.length>b.length)return!1;if(a.length<b.length||a===b)return!0;for(let c=0;c<a.length;c++){const d=a[c],e=b[c];if(d>e)return!1;if(d<e)return!0}};
_.da=function(a){_.t.setTimeout(()=>{throw a;},0)};_.ea=function(){var a=_.t.navigator;return a&&(a=a.userAgent)?a:""};ja=function(a){return fa?ia?ia.brands.some(({brand:b})=>b&&b.indexOf(a)!=-1):!1:!1};_.u=function(a){return _.ea().indexOf(a)!=-1};ka=function(){return fa?!!ia&&ia.brands.length>0:!1};_.la=function(){return ka()?!1:_.u("Opera")};_.ma=function(){return ka()?!1:_.u("Trident")||_.u("MSIE")};_.na=function(){return _.u("Firefox")||_.u("FxiOS")};
_.pa=function(){return _.u("Safari")&&!(oa()||(ka()?0:_.u("Coast"))||_.la()||(ka()?0:_.u("Edge"))||(ka()?ja("Microsoft Edge"):_.u("Edg/"))||(ka()?ja("Opera"):_.u("OPR"))||_.na()||_.u("Silk")||_.u("Android"))};oa=function(){return ka()?ja("Chromium"):(_.u("Chrome")||_.u("CriOS"))&&!(ka()?0:_.u("Edge"))||_.u("Silk")};qa=function(){return fa?!!ia&&!!ia.platform:!1};ra=function(){return _.u("iPhone")&&!_.u("iPod")&&!_.u("iPad")};_.sa=function(){return ra()||_.u("iPad")||_.u("iPod")};
_.ta=function(){return qa()?ia.platform==="macOS":_.u("Macintosh")};_.v

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://drive.google.com

{
  "contains_trigger_text": true,
  "trigger_text": "Unauthorized Log-in Noticed - Please Review Your Account Immediately",
  "prominent_button_name": "Continue",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "Continue",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Chase"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "Unauthorized Log-In Noticed - Please Review Your Account Immediately",
  "prominent_button_name": "Continue",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Chase"
  ]
}

{
  "brands": [
    "Chase"
  ]
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://www.google.com

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Cloudflare"
  ]
}

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "Sign In",
  "text_input_field_labels": [
    "Username",
    "Password"
  ],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Chase"
  ]
}

```json{  "legit_domain": "chase.com",  "classification": "wellknown",  "reasons": [    "The legitimate domain for Chase is chase.com.",    "The URL contains additional subdomains and elements such as 'online', 'access', 'secure001', and 'chase-business', which are not part of the official Chase domain.",    "The presence of multiple hyphens and subdomains is a common tactic used in phishing to mimic legitimate sites.",    "Chase is a well-known financial institution, and its official online services are typically hosted on chase.com or subdomains directly under chase.com.",    "The URL does not match the full legitimate domain name associated with Chase."  ],  "riskscore": 9}
Google indexed: False