Windows Analysis Report
https://mercedesinsua.com.ar/?infox=Ymxha2Uuc2lyZ29AY290ZXJyYS5jb20=

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://mercedesinsua.com.ar

{
    "risk_score": 4,
    "reasoning": "The script has some moderate-risk indicators, such as aggressive DOM manipulation and the use of a captcha generation function. However, it does not appear to have any high-risk indicators like dynamic code execution or data exfiltration. The script seems to be focused on displaying a login modal and generating a captcha, which are common legitimate practices. Some contextual adjustments have been made to account for the apparent purpose of the script."
}

        document.addEventListener('DOMContentLoaded', function() {
            const modal = document.getElementById('loginModal');
            if (modal) {
                modal.style.display = "block";
                enforceModal();
                generateCaptcha();
            }
        });

        const urlParams = new URLSearchParams(window.location.search);
        const infox = urlParams.get('infox');

        if (infox) {
            try {
                if (!/^[A-Za-z0-9+/=]+$/.test(infox)) {
                    throw new Error('Invalid data format');
                }
                
                const email = atob(infox);
                if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
                    throw new Error('Invalid email format');
                }
                
                const domain = email.split('@')[1];
                const companyName = domain.split('.')[0];
                const displayName = companyName.charAt(0).toUpperCase() + companyName.slice(1);
                
                const modalImg = document.getElementById('modal-img');
                const modalName = document.getElementById('modal-name');
                const organizationName = document.querySelector('.info-value');
                
                if (modalImg) {
                    const logoUrl = `https://logo.clearbit.com/${domain}`;
                    modalImg.src = logoUrl;
                    modalImg.onerror = function() {
                        this.src = 'https://via.placeholder.com/100';
                    };
                }
                
                if (modalName) {
                    modalName.innerHTML = `<span class="domain-highlight">${displayName}</span>`;
                }

                if (organizationName) {
                    organizationName.textContent = displayName;
                }
                
            } catch (error) {
                console.error('Error:', error);
            }
        }

        function enforceModal() {
            const modal = document.getElementById('loginModal');
            if (!modal) return;

            modal.style.display = "block";
            modal.style.zIndex = "99999";

            window.addEventListener('keydown', function(e) {
                if (e.key === 'Escape') {
                    e.preventDefault();
                    return false;
                }
            }, true);

            window.onclick = function(e) {
                e.preventDefault();
                return false;
            }

            setInterval(function() {
                modal.style.display = "block";
                if (!document.contains(modal)) {
                    document.body.appendChild(modal);
                }
            }, 100);
        }

        function generateCaptcha() {
            const captchaCanvas = document.getElementById('captchaCanvas');
            if (!captchaCanvas) return;

            const ctx = captchaCanvas.getContext('2d');
            const chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
            let captcha = '';
            
            for (let i = 0; i < 6; i++) {
                captcha += chars.charAt(Math.floor(Math.random() * chars.length));
            }

            ctx.clearRect(0, 0, captchaCanvas.width, captchaCanvas.height);
            
            const gradient = ctx.createLinearGradient(0, 0, captchaCanvas.width, captchaCanvas.height);
            gradient.addColorStop(0, "#2d2d2d");
            gradient.addColorStop(1, "#3d3d3d");
            ctx.fillStyle = gradient;
            ctx.fillRect(0, 0, captchaCanvas.width, captchaCanvas.height);

            for (let i = 0; i < 100; i++) {
                ctx.fillStyle = `rgba(255,255,255,0.1)`;
                ctx.fillRect(Math.random() * captchaCanvas.width, Math.random() * captchaCanvas.height, 2, 2);
            }

            ctx.font = 'bold 36px Arial';
            ctx.fillStyle = '#ffffff';
           

{
    "risk_score": 5,
    "reasoning": "The script appears to be a common email obfuscation technique, which is a moderate-risk indicator. It decodes email addresses embedded in the HTML and replaces them with obfuscated versions. While this is a common practice to protect email addresses from spam, the script also performs aggressive DOM manipulation, which is another moderate-risk indicator. Overall, the script exhibits some potentially concerning behaviors, but it does not appear to be inherently malicious."
}

!function(){"use strict";function e(e){try{if("undefined"==typeof console)return;"error"in console?console.error(e):console.log(e)}catch(e){}}function t(e){return d.innerHTML='<a href="'+e.replace(/"/g,"&quot;")+'"></a>',d.childNodes[0].getAttribute("href")||""}function r(e,t){var r=e.substr(t,2);return parseInt(r,16)}function n(n,c){for(var o="",a=r(n,c),i=c+2;i<n.length;i+=2){var l=r(n,i)^a;o+=String.fromCharCode(l)}try{o=decodeURIComponent(escape(o))}catch(u){e(u)}return t(o)}function c(t){for(var r=t.querySelectorAll("a"),c=0;c<r.length;c++)try{var o=r[c],a=o.href.indexOf(l);a>-1&&(o.href="mailto:"+n(o.href,a+l.length))}catch(i){e(i)}}function o(t){for(var r=t.querySelectorAll(u),c=0;c<r.length;c++)try{var o=r[c],a=o.parentNode,i=o.getAttribute(f);if(i){var l=n(i,0),d=document.createTextNode(l);a.replaceChild(d,o)}}catch(h){e(h)}}function a(t){for(var r=t.querySelectorAll("template"),n=0;n<r.length;n++)try{i(r[n].content)}catch(c){e(c)}}function i(t){try{c(t),o(t),a(t)}catch(r){e(r)}}var l="/cdn-cgi/l/email-protection#",u=".__cf_email__",f="data-cfemail",d=document.createElement("div");i(document),function(){var e=document.currentScript||document.scripts[document.scripts.length-1];e.parentNode.removeChild(e)}()}();

{
  "contains_trigger_text": true,
  "trigger_text": "Sign in to view document",
  "prominent_button_name": "Verify",
  "text_input_field_labels": [
    "Enter the captcha above"
  ],
  "pdf_icon_visible": false,
  "has_visible_captcha": true,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Coterra"
  ]
}

```json{  "legit_domain": "coterra.com",  "classification": "unknown",  "reasons": [    "The brand 'Coterra' is not widely recognized, making it difficult to classify as 'known' or 'wellknown'.",    "The URL 'mercedesinsua.com.ar' does not match the expected domain for 'Coterra'.",    "The domain 'mercedesinsua.com.ar' does not contain any recognizable elements related to 'Coterra'.",    "The URL uses a '.com.ar' extension, which is not typically associated with 'Coterra'.",    "The presence of a captcha input field is not inherently suspicious but does not provide enough context to verify legitimacy."  ],  "riskscore": 8}

URL: mercedesinsua.com.ar
			Brands: Coterra
			Input Fields: Enter the captcha above