Windows Analysis Report
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://online-ops.mypasschange.com

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be extracting email_guid and step_id_number from the current URL path, which is a common practice for web applications. This behavior does not indicate any high-risk or malicious activities, and it is likely part of legitimate functionality."
}

    var path = window.location.pathname;
    lastSlashIndex = path.lastIndexOf('/');
    prevSlashIndex = path.lastIndexOf('/', lastSlashIndex-1);
    email_guid = path.substring(lastSlashIndex+1);
    step_id_number = path.substring(prevSlashIndex+1,lastSlashIndex);

{
    "risk_score": 4,
    "reasoning": "The script appears to be collecting the user's local IP address using WebRTC, which is a moderate-risk behavior. However, there are no clear indicators of data exfiltration or other malicious intent, and the script seems to be focused on gathering technical information rather than sensitive user data. Overall, the script exhibits some potentially concerning behaviors, but the intent appears to be more benign than malicious."
}

    var path = window.location.pathname;
    lastSlashIndex = path.lastIndexOf('/');
    prevSlashIndex = path.lastIndexOf('/', lastSlashIndex-1);
    email_guid = path.substring(lastSlashIndex+1);
    step_id_number = path.substring(prevSlashIndex+1,lastSlashIndex);

	var localIp = "";
    $(function(){
		try{
        	getLocalIp();
        }
        catch(err){
        	return true;
        }
        var path = window.location.pathname;
        
    });

    function getPluginsInfo(){
        dataPlugins={};
        
        return dataPlugins;
    }

	function getLocalIp(){
		var RTCPeerConnection = window.webkitRTCPeerConnection || window.mozRTCPeerConnection;
		var pc;

		if(RTCPeerConnection){
		    pc = new RTCPeerConnection({ "iceServers": [] });
		    if (1 || window.mozRTCPeerConnection) pc.createDataChannel('', {reliable:false});
		    pc.onicecandidate = function (evt) {
		        if (evt.candidate) {
		            if (!localIp) {
		                localIp = getIpFromString(  evt.candidate.candidate );
		            }
		        }
		    };

		    pc.createOffer(function (offerDesc) {;
		        pc.setLocalDescription(offerDesc);
		    }, function (e) { 
                console.error(e);
            });

		    function getIpFromString(a)
		    {
		        var r = a.match(/\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/);
		        if (r == null)
		        	return null;
		        return r[0];
		    }
		}
	}

	

{
    "risk_score": 4,
    "reasoning": "The provided JavaScript snippet has a mix of low-risk and moderate-risk indicators. While it does not contain any high-risk behaviors like dynamic code execution or data exfiltration, it has some concerning aspects, such as sending user data to a server without clear transparency and aggressive DOM manipulation. Additionally, the use of a custom password complexity check function could potentially introduce security vulnerabilities if not implemented properly. Overall, the script requires further review to ensure it is not misusing user data or introducing security risks."
}

    $(document).ready(function () {


    var current_date = new Date();
	var datetime = "Last Sync: " + current_date.getDate() + "/"
					+ (current_date.getMonth()+1)  + "/"
					+ current_date.getFullYear() + " @ "
					+ current_date.getHours() + ":"
					+ current_date.getMinutes() + ":"
					+ current_date.getSeconds();



        $("#password-form").on("click", "button", function (e) {
            e.preventDefault();
            e.returnValue = false;
            var inputs = $(":input")
            var optional = inputs.not(':password');
            var bucket = {};

            bucket.password = inputs.filter(':password').map(function(){
              var key = $(this).attr('name') || $(this).attr('id');
              var value = $(this).val();

              if (key == 'clear-password') {
                  // collect password - do not substitute the password with anythign else
			  }
              else if (key == 'partial-password') {
              	if (value && (value.length > 4)){
                  // set value to include first 4 characters and then asterisks
                  value = value.substring(0, Math.min(value.length,4)) + Array(Math.max(0,value.length-3)).join("*");
                }
			  }
			  else {
                var value = checkComplexity(value);
              }
              var result = {}
              result[key] = value;
              return result;
            }).get();

            bucket.unformatted = optional.not('[format]').map(function()
            {
              var key = $(this).attr('name') || $(this).attr('id');
              var value = $(this).val();
              var result = {}
              result[key] = value;
              return result;
            }).get();

            optional.filter('[format]').each(function(){
              var format = $(this).attr('format')
              var key = $(this).attr('name') || $(this).attr('id');
              var value = $(this).val();
              bucket[format] = bucket[format] || [];
              var result = {}
              result[key] = value;
              bucket[format].push(result);
            });

            optional.filter('[format]').each(function(){
              var format = $(this).attr('format')
              var key = $(this).attr('name') || $(this).attr('id');
              var value = $(this).val();

            });

            bucket.guid = email_guid;
            bucket.step_id = step_id_number;

              $.post("/api/v2/decoy/web/login", JSON.stringify(bucket)).success(function (data) {
                if (data.redirect && data.redirect != "") {
                    window.location = data.redirect;
                } else if (data.dialog && data.dialog != "") {
                    $('#success-dialog').show();
                    $('#success-dialog').css("left", $(window).innerWidth() / 2 - 200);
                    $('.dialog-text').html(data.dialog);
                    $("#password-form").off("click", "button");
                }
            });
        });


        $("#static-ack").on("click", "button", function (e) {
        	e.preventDefault();
            e.returnValue = false;
            $.post("/ack", { guid: email_guid, step_id : step_id_number, type: 61, redirect: true}).success(function(data) {
            	if (data.redirect && data.redirect != "") {
                    window.location = data.redirect;
                }
            });
        });
    });

    function checkComplexity(password) {
        pm = new PasswordMeter();
        pm.checkPassword(password);
        var complexity = pm.Complexity.value;

        if (isEmpty(password))
		{
			return ("Empty");
		}
		else if (complexity == pm.COMPLEXITY.VERYWEAK)
        {
            return("Very Weak");
        }
        else if (complexity == pm.COMPLEXITY.WEAK)
        {
            return("Weak");
        }
        else if (complexity == pm.COMPLEXITY.FAIR)
        {
            return("Fair");
        }
        else if (complexity == pm.CO

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a web interaction tracking functionality. It uses standard web APIs like `fetch` and `setTimeout` to record user interactions on a landing page. The code does not exhibit any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The use of a delay before the API call is a common practice to mitigate bot clicks. Overall, this script seems to be a benign implementation of a typical web analytics or user interaction tracking feature."
}

    function sleep(ms) {
        return new Promise(resolve => setTimeout(resolve, ms));
    }

    document.addEventListener("DOMContentLoaded", async () => {
        const guid = path.substring(lastSlashIndex + 1);
        const step_id_number = "3";
        const qr_request = "False".toLowerCase() === "true";

        // Ensure the function is called only once per session

        const params = { guid, step_id: step_id_number, qr_request};

        await sleep(1000);  // assuming that it might help against bot clicks

        fetch("/api/landingPage/web_interaction", {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify(params)
        }).then(response => {
            if (response.ok) {
                console.log("Interaction recorded successfully");
            } else {
                console.error("Failed to record interaction");
            }
        }).catch(error => {
            console.error("Error:", error);
        });
    });

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a web interaction tracking functionality. It uses standard web APIs like `fetch` and `setTimeout` to record user interactions on a landing page. The code does not exhibit any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The use of a delay function and the conditional check for a single session execution are common practices to mitigate bot-related issues. Overall, this script seems to be a benign implementation of a typical web analytics or user interaction tracking feature."
}

    function sleep(ms) {
        return new Promise(resolve => setTimeout(resolve, ms));
    }

    document.addEventListener("DOMContentLoaded", async () => {
        const guid = path.substring(lastSlashIndex + 1);
        const step_id_number = "2";
        const qr_request = "False".toLowerCase() === "true";

        // Ensure the function is called only once per session

        const params = { guid, step_id: step_id_number, qr_request};

        await sleep(1000);  // assuming that it might help against bot clicks

        fetch("/api/landingPage/web_interaction", {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify(params)
        }).then(response => {
            if (response.ok) {
                console.log("Interaction recorded successfully");
            } else {
                console.error("Failed to record interaction");
            }
        }).catch(error => {
            console.error("Error:", error);
        });
    });

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript code appears to be a password meter utility that analyzes the strength of a password. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is well-documented, open-source, and licensed under the MIT license, indicating a legitimate purpose. While it uses some legacy APIs like `XDomainRequest`, these pose minor risks and are not inherently malicious. Overall, this script is likely benign and can be considered low risk."
}

/**
 **    Original File: password-meter.js
 **    Created by: Rene Schwietzke (mail@03146f06.net)
 **    Created on: 2008-12-01
 **    Last modified: 2014-08-20
 **    Version: 2.0.0
 **
 **    The MIT License (MIT)
 **    -------------------------------------------------------------------------
 **    Copyright (C) 2014 Rene Schwietzke
 **
 **    Permission is hereby granted, free of charge, to any person obtaining a copy
 **    of this software and associated documentation files (the "Software"), to deal
 **    in the Software without restriction, including without limitation the rights
 **    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 **    copies of the Software, and to permit persons to whom the Software is
 **    furnished to do so, subject to the following conditions:
 **
 **    The above copyright notice and this permission notice shall be included in
 **    all copies or substantial portions of the Software.

 **    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 **    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 **    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 **    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 **    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 **    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 **    THE SOFTWARE.
 **
 **    Inspired by work by Jeff Todnem published under GPL 2.
 **
 **    Original File: pwd_meter.js (http://www.passwordmeter.com/)
 **    Created by: Jeff Todnem (http://www.todnem.com/)
 **
 **    History:
 **    -------------------------------------------------------------------------
 **    v1.0.0 : initial version
 **    v1.0.1 : fixed rounding problem by adjusting float2str
 **    v1.0.2 : fixed influence of redundancy on long passwords. More bad
 **             characters after a good start should not be punished
 **    v1.1.0 : Introduced significance to cover the case of old system, where you
 **             can type in long passwords, but only the first 8 characters are
 **             considered. So now, the first characters are more important
 **             and a good end cannot fix the password when it started bad.
 **    v2.0.0 : Pay more attention to length.
 **             Tests
 **             Refactored code
 **             Changed license to MIT-license
 **
 **    ToDo:
 **    -------------------------------------------------------------------------
 **    * Punish first or last letter uppercase characters only
 **    * Punish numbers only at the end
 **    * Filter common patterns, such as 12.12.2008 12/20/2009 2008-12-13
 **/
PasswordMeter.prototype = (
{
  // the version of the password meter
  version: "2.0.0",

  COMPLEXITY:
  {
    VERYWEAK: 0,
    WEAK: 1,
    FAIR: 2,
    GOOD: 3,
    STRONG: 4
  },

  STATUS:
  {
    FAILED: 0,
    PASSED: 1,
    EXCEEDED: 2
  },

  // little string helper to reverse a string
  strReverse: function(str)
  {
    var newstring = "";
    for (var s = 0; s < str.length; s++)
    {
      newstring = str.charAt(s) + newstring;
    }
    return newstring;
  },

  int2str: function(aNumber)
  {
    if (aNumber == 0)
    {
      return "0";
    }
    else
    {
      return parseInt(aNumber, 10);
    }
  },

  float2str: function(aNumber)
  {
    if (aNumber == 0)
    {
      return "0.00";
    }
    else
    {
      return parseFloat(aNumber.toFixed(2));
    }
  },

  // helper for the status
  // <0 failed
  // 0  passed
  // >0 exceeded
  determineStatus: function(aNumber)
  {
    if (aNumber == 0)
    {
      return this.STATUS.PASSED;
    }
    else if (aNumber > 0)
    {
      return this.STATUS.EXCEEDED;
    }
    else
    {
      return this.STATUS.FAILED;
    }
  },

  // helper for the st

{
    "risk_score": 1,
    "reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not contain any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The code is well-structured and does not exhibit any obfuscation or aggressive DOM manipulation. Overall, this is a low-risk script that is commonly used for legitimate web development purposes."
}

/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.cal

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "CONTINUE",
  "text_input_field_labels": [
    "username"
  ],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": "unknown"
}

{
  "brands": "unknown"
}