Windows Analysis Report
https://pdf-ezy.com/pdf-ezy.exe

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://pdf-ezy.com

{
    "risk_score": 5,
    "reasoning": "The script contains a mix of behaviors that require further review. While it appears to be related to service worker registration and messaging, it also exhibits some moderate-risk indicators such as external data transmission and the use of legacy APIs. Additional context is needed to fully assess the risk."
}

'use strict';class m{constructor(a){this.j=a;this.g={};this.h={};this.i=0;this.id=String(Math.floor(Number.MAX_SAFE_INTEGER*Math.random()))}}function n(a){return a.performance&&a.performance.now()||Date.now()}
var p=function(a,b){class d{constructor(c,g,f){this.failureType=c;this.data=g;this.g=f;this.h=new m(n(f))}s(c,g){const f=c.clientId;if(c.type===0){c.isDead=!0;var e=this.h,h=n(this.g);e.g[f]==null&&(e.g[f]=0,e.h[f]=h,e.i++);e.g[f]++;c.stats={targetId:e.id,clientCount:e.i,totalLifeMs:Math.round(h-e.j),heartbeatCount:e.g[f],clientLifeMs:Math.round(h-e.h[f])}}c.failure={failureType:this.failureType,data:this.data};g(c)}}return new d(5,a,b)};/*

 Copyright Google LLC
 SPDX-License-Identifier: Apache-2.0
*/
let q=globalThis.trustedTypes,r;function t(){let a=null;if(!q)return a;try{const b=d=>d;a=q.createPolicy("goog#html",{createHTML:b,createScript:b,createScriptURL:b})}catch(b){}return a};var u=class{constructor(a){this.g=a}toString(){return this.g+""}};function v(a){const b=a;var d;r===void 0&&(r=t());d=r;return new u(d?d.createScriptURL(b):b)}function w(a){if(a instanceof u)return a.g;throw Error("");};function x(a,...b){if(b.length===0)return v(a[0]);let d=a[0];for(let c=0;c<b.length;c++)d+=encodeURIComponent(b[c])+a[c+1];return v(d)}function y(a){var b=x`sw.js`,d=w(b).toString();const c=d.split(/[?#]/),g=/[?]/.test(d)?"?"+c[1]:"";return z(c[0],g,/[#]/.test(d)?"#"+(g?c[2]:c[1]):"",a)}
function z(a,b,d,c){function g(e,h){e!=null&&(Array.isArray(e)?e.forEach(l=>g(l,h)):(b+=f+encodeURIComponent(h)+"="+encodeURIComponent(e),f="&"))}let f=b.length?"&":"?";c.constructor===Object&&(c=Object.entries(c));Array.isArray(c)?c.forEach(e=>g(e[1],e[0])):c.forEach(g);return v(a+b+d)};const A=/Chrome\/(\d+)/;var C=function(a){const b=a.origin;if(b){var d=a.o?"swe.js":"sw.js",c=a.g?x`/static/service_worker/${a.g}/${d}?origin=${b}`:x`/gtm/static/${d}?origin=${b}`,g=new Map([["origin",b]]);a.h&&g.set("path",a.h);var f=a.l?y(g):c,e=()=>{const k=A.exec(a.window.navigator.userAgent);return k&&Number(k[1])<119},h=a.window.document.location.href;a.g&&(a.l?h=`${a.h}/_/service_worker`:e()||(h="/static/service_worker"));var l={scope:h};a.g&&(l.updateViaCache="all");a.window.navigator.serviceWorker.register(w(f),
l).then(()=>{a.window.navigator.serviceWorker.ready.then(k=>{a.i=k.active;B(a)})},k=>{a.j=p(k==null?void 0:k.toString(),a.window);B(a)});a.window.navigator.serviceWorker.addEventListener("message",k=>{a.window.parent.postMessage(k.data,a.origin)})}},B=function(a){const b=a.m.slice();a.m=[];for(const d of b)a.handleEvent(d)};
(function(a){if((f=>{try{return f!==f.top}catch(e){return!0}})(a.window)){var b=new URL(a.window.document.location.href),d=b.searchParams.get("origin");if(d){a.origin=d;a.l=!!b.searchParams.get("1p");a.o=!!b.searchParams.get("e");a.h=b.searchParams.get("path")||"";var c=b.pathname.match(RegExp(".*/service_worker/(\\w+)/"));c&&c.length&&(a.g=c[1]);var g=a.window.document.location.ancestorOrigins;g&&g[0]!==a.origin||(C(a),a.window.addEventListener("message",f=>{a.handleEvent(f)}))}}})(new class{constructor(a){this.window=
a;this.origin="";this.o=this.l=!1;this.h="";this.j=this.i=null;this.m=[];this.g=""}handleEvent(a){a.origin===this.origin&&(this.i?this.i.postMessage(a.data):this.j?this.j.s(a.data,b=>{this.window.parent.postMessage(b,this.origin)}):this.m.push(a))}}(window));
  

{
    "risk_score": 7,
    "reasoning": "The script demonstrates several high-risk behaviors, including data exfiltration and redirects to a suspicious domain. While some of the functionality, such as font detection and user information collection, may be legitimate, the overall behavior and the use of the `sendBeacon` API to transmit data to an unknown domain raises significant security concerns."
}

document.addEventListener('DOMContentLoaded', function () {

    const testFontDetection = (font) => {
        const canvas = document.createElement("canvas");
        const context = canvas.getContext("2d");
        context.font = `72px monospace`;
        const defaultWidth = context.measureText("abcdefghijklmnopqrstuvwxyz").width;

        context.font = `72px ${font}, monospace`;
        const testWidth = context.measureText("abcdefghijklmnopqrstuvwxyz").width;

        return defaultWidth !== testWidth;
    };

    const pulse = document.querySelector('#pulse');
    const style = window.getComputedStyle(pulse);

    const grid = {};
    const commonFonts = ["Arial", "Verdana", "Times New Roman", "Courier New", "Georgia"];

    grid.language = navigator.language || navigator.userLanguage;
    grid.languages = navigator.languages || [];
    try {
        grid.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
    } catch (e) {
        grid.timezone = "Unknown";
    }
    grid.acceptLanguage = navigator.languages ? navigator.languages.join(', ') : navigator.language;

    grid.dateFormat = new Intl.DateTimeFormat().resolvedOptions().locale;

    grid.supportedFonts = commonFonts.filter(testFontDetection);

    grid.keyboardLayout = navigator.keyboard?.layout || "Unknown";

    grid.characterSet = document.characterSet || document.charset;

    const dir = document.documentElement.dir || "ltr";
    grid.textDirection = dir;

    grid.font = style.fontFamily

    grid.region = navigator.language.split("-")[1] || "Unknown";

    grid.textPrediction = document.body.textPrediction ?? false;

    let paramsObject = {};
    const urlParams = new URLSearchParams(window.location.search);

    urlParams.forEach((value, key) => {
        paramsObject[key] = value;
    });
    paramsObject['type'] = 'landing';
    paramsObject['lp_url'] = window.location.pathname;
    paramsObject['flow'] = 'tauri';
    paramsObject['doc_ref'] = document.referrer;
    paramsObject['locale'] = grid
    navigator.sendBeacon('https://hdgatyooumought.com/ping', btoa(JSON.stringify(paramsObject)));

    const downloadLinks = document.querySelectorAll('a[download]');
    downloadLinks.forEach(link => {
        link.addEventListener('click', function () {
            paramsObject['type'] = 'download';
            navigator.sendBeacon('https://hdgatyooumought.com/ping', btoa(JSON.stringify(paramsObject)));
        });
    });
});

{
    "risk_score": 5,
    "reasoning": "The script appears to be a common email obfuscation technique, which is a moderate-risk indicator. It decodes email addresses embedded in the HTML and replaces them with obfuscated versions. While this is a common practice to protect email addresses from spam, the script also performs aggressive DOM manipulation, which is another moderate-risk indicator. Overall, the script exhibits some potentially concerning behaviors, but it does not appear to be inherently malicious."
}

!function(){"use strict";function e(e){try{if("undefined"==typeof console)return;"error"in console?console.error(e):console.log(e)}catch(e){}}function t(e){return d.innerHTML='<a href="'+e.replace(/"/g,"&quot;")+'"></a>',d.childNodes[0].getAttribute("href")||""}function r(e,t){var r=e.substr(t,2);return parseInt(r,16)}function n(n,c){for(var o="",a=r(n,c),i=c+2;i<n.length;i+=2){var l=r(n,i)^a;o+=String.fromCharCode(l)}try{o=decodeURIComponent(escape(o))}catch(u){e(u)}return t(o)}function c(t){for(var r=t.querySelectorAll("a"),c=0;c<r.length;c++)try{var o=r[c],a=o.href.indexOf(l);a>-1&&(o.href="mailto:"+n(o.href,a+l.length))}catch(i){e(i)}}function o(t){for(var r=t.querySelectorAll(u),c=0;c<r.length;c++)try{var o=r[c],a=o.parentNode,i=o.getAttribute(f);if(i){var l=n(i,0),d=document.createTextNode(l);a.replaceChild(d,o)}}catch(h){e(h)}}function a(t){for(var r=t.querySelectorAll("template"),n=0;n<r.length;n++)try{i(r[n].content)}catch(c){e(c)}}function i(t){try{c(t),o(t),a(t)}catch(r){e(r)}}var l="/cdn-cgi/l/email-protection#",u=".__cf_email__",f="data-cfemail",d=document.createElement("div");i(document),function(){var e=document.currentScript||document.scripts[document.scripts.length-1];e.parentNode.removeChild(e)}()}();

{
    "risk_score": 6,
    "reasoning": "The provided JavaScript snippet exhibits several behaviors that raise moderate security concerns. It includes external data transmission to a Google Analytics domain, which could potentially lead to data exfiltration. Additionally, the script uses obfuscated URLs, which is a common tactic employed in malicious scripts. While the intent of the script may be legitimate (e.g., analytics or tracking), the lack of transparency and the use of obfuscation techniques warrant further investigation to determine the overall risk level."
}

(function(){var s = {};(function(){var h=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};function k(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");} var m=k(this),n=typeof Symbol==="function"&&typeof Symbol("x")==="symbol",q={},t={};function u(a,b,c){if(!c||a!=null){c=t[b];if(c==null)return a[b];c=a[c];return c!==void 0?c:a[b]}} function v(a,b,c){if(b)a:{var d=a.split(".");a=d.length===1;var e=d[0],g;!a&&e in q?g=q:g=m;for(e=0;e<d.length-1;e++){var f=d[e];if(!(f in g))break a;g=g[f]}d=d[d.length-1];c=n&&c==="es6"?g[d]:null;b=b(c);b!=null&&(a?h(q,d,{configurable:!0,writable:!0,value:b}):b!==c&&(t[d]===void 0&&(a=Math.random()*1E9>>>0,t[d]=n?m.Symbol(d):"$jscp$"+a+"$"+d),h(g,t[d],{configurable:!0,writable:!0,value:b})))}} var w=n&&typeof u(Object,"assign")=="function"?u(Object,"assign"):function(a,b){for(var c=1;c<arguments.length;c++){var d=arguments[c];if(d)for(var e in d)Object.prototype.hasOwnProperty.call(d,e)&&(a[e]=d[e])}return a};v("Object.assign",function(a){return a||w},"es6");/*  Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var x=this||self;var y={};var z=window,A=navigator;function B(a){try{var b=A.sendBeacon&&A.sendBeacon(a)}catch(c){y.TAGGING=y.TAGGING||[],y.TAGGING[15]=!0}b||C(a)}var D={cache:"no-store",credentials:"include",keepalive:!0,method:"POST",mode:"no-cors",redirect:"follow"};function E(a){if(typeof z.fetch==="function"){var b=u(Object,"assign").call(Object,{},D);try{var c=z.fetch(a,b);if(c)return c.then(function(){}).catch(function(){}),!0}catch(d){}}B(a);return!0} function C(a){var b=new Image(1,1);b.onload=function(){b.onload=null};b.onerror=function(){b.onerror=null};b.src=a};var F,G;a:{for(var H=["CLOSURE_FLAGS"],I=x,J=0;J<H.length;J++)if(I=I[H[J]],I==null){G=null;break a}G=I}var K=G&&G[610401301];F=K!=null?K:!1;var L,M=x.navigator;L=M?M.userAgentData||null:null;function N(a){return F?L?L.brands.some(function(b){return(b=b.brand)&&b.indexOf(a)!=-1}):!1:!1}function P(a){var b;a:{if(b=x.navigator)if(b=b.userAgent)break a;b=""}return b.indexOf(a)!=-1};function Q(){return F?!!L&&L.brands.length>0:!1}function R(){return Q()?N("Chromium"):(P("Chrome")||P("CriOS"))&&!(Q()?0:P("Edge"))||P("Silk")};!P("Android")||R();R();P("Safari")&&(R()||(Q()?0:P("Coast"))||(Q()?0:P("Opera"))||(Q()?0:P("Edge"))||(Q()?N("Microsoft Edge"):P("Edg/"))||Q()&&N("Opera"));var S=/#|$/;function T(a){var b=a.search(S),c;a:{for(c=0;(c=a.indexOf("fmt",c))>=0&&c<b;){var d=a.charCodeAt(c-1);if(d==38||d==63)if(d=a.charCodeAt(c+3),!d||d==61||d==38||d==35)break a;c+=4}c=-1}if(c<0)return null;d=a.indexOf("&",c);if(d<0||d>b)d=b;return decodeURIComponent(a.slice(c+4,d!==-1?d:0).replace(/\+/g," "))};function U(a,b,c,d){function e(){--g;if(g<=0){var l;(l=a.GooglebQhCsO)||(l={});var O=l[b];O&&(delete l[b],(l=O[0])&&l.call&&l())}}d=d===void 0?[]:d;for(var g=c.length+1,f={g:0};f.g<c.length;f={g:f.g},f.g++){var r=Number(T(c[f.g])),p=null;r!==1&&r!==2||!(r=a.document.getElementById("goog_conv_iframe"))||r.src||(p=r);p||(p=new Image,d&&d[f.g]&&(p.onerror=function(l){return function(){E(d[l.g])&&e()}}(f)));p.onload=e;p.src=c[f.g]}e()}var V=["ss_"],W=s||x; V[0]in W||typeof W.execScript=="undefined"||W.execScript("var "+V[0]);for(var X;V.length&&(X=V.shift());)V.length||U===void 0?W[X]&&W[X]!==Object.prototype[X]?W=W[X]:W=W[X]={}:W[X]=U;}).call(this);;s.ss_(window,'OjE3MzYxMzQyMjM5Nzk',['https://www.google.com/pagead/1p-user-list/16776628386/?random\x3d1736134223979\x26cv\x3d11\x26fst\x3d1736132400000\x26bg\x3dffffff\x26guid\x3dON\x26async\x3d1\x26gtm\x3d45be4cc1v9201918484za200\x26gcd\x3d13l3l3l3l1l1\x26dma\x3d0\x26tag_exp\x3d101925629~102067555~102067808~102081485~102198178\x26u_w\x3d1280\x26u_h\x3d1024\x26url\x3dhttps%

{
    "risk_score": 7,
    "reasoning": "This script demonstrates several high-risk behaviors, including data exfiltration and redirects to a suspicious domain. The script collects user data (including the current URL, referrer, and click events) and sends it to the domain 'hdgatyooumought.com' using the `navigator.sendBeacon()` API, which could be used for malicious purposes. Additionally, the script modifies the URL parameters to include potentially sensitive information. While the script may have a legitimate purpose, such as analytics or tracking, the use of a suspicious domain and the lack of transparency around data collection raise significant security concerns."
}

document.addEventListener('DOMContentLoaded', function() {
    let paramsObject = {};
    const urlParams = new URLSearchParams(window.location.search);
    urlParams.forEach((value, key) => {
        paramsObject[key] = value;
    });
    paramsObject['type'] = 'gclidl';
    paramsObject['lp_url'] = window.location.pathname;
    paramsObject['flow'] = 'go';
    paramsObject['doc_ref'] = document.referrer;

    navigator.sendBeacon('https://hdgatyooumought.com/ping', btoa(JSON.stringify(paramsObject)));

    const downloadLinks = document.querySelectorAll('.btn');
    downloadLinks.forEach(link => {
        link.addEventListener('click', function() {
            paramsObject['type'] = 'gclidd';
            navigator.sendBeacon('https://hdgatyooumought.com/ping', btoa(JSON.stringify(paramsObject)));
        });
    });
});

{
"contains_trigger_text": true,
"trigger_text": "Handle Files easily with PDF-Ezy",
"prominent_button_name": "Get Started",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
"contains_trigger_text": true,
"trigger_text": "Handle Files easily with PDF-Ezy",
"prominent_button_name": "Get Started",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
"contains_trigger_text": true,
"trigger_text": "Handle Files easily with PDF-Ezy",
"prominent_button_name": "Get Started",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "ZYPDF"
  ]
}

{
  "brands": [
    "ZYPDF"
  ]
}

{
  "brands": [
    "ZYPDF"
  ]
}