Windows Analysis Report
http://888.mixly.us.kg/

```json{  "brand": "unknown",  "brand_classification": "unknown",  "legit_url": "unknown",  "similarity": 0,  "spoofed": 0,  "reasoning": "The URL 'http://888.mixly.us.kg' does not appear to be attempting to spoof any well-known brand. The domain 'mixly.us.kg' does not closely resemble any known brand or legitimate URL. The use of '888' as a subdomain does not suggest any specific brand association. The '.kg' country code top-level domain (ccTLD) is for Kyrgyzstan, which does not inherently suggest typosquatting. There are no visual character substitutions or structural changes that indicate an attempt to deceive users into thinking this is a different, legitimate site. The URL structure and domain do not imply any misleading intent or user confusion related to a known brand."}

URL: http://888.mixly.us.kg

```json{    "brand": "unknown",    "brand_classification": "unknown",    "legit_url": "unknown",    "similarity": 0,    "spoofed": 0,    "reasoning": "The URL 'https://mixly.us.kg' does not exhibit any clear signs of typosquatting. There are no obvious character substitutions or visual similarities to a well-known brand. The domain 'mixly.us.kg' does not closely resemble any globally recognized brand or legitimate URL. The use of the '.kg' country code top-level domain (ccTLD) suggests a possible connection to Kyrgyzstan, but without further context, it does not imply a deceptive intent. The subdomain 'us' could indicate a regional focus, but it is not misleading in this context. Overall, there is no evidence to suggest that this URL is attempting to spoof a known brand."}

URL: https://mixly.us.kg

```json{  "brand": "unknown",  "brand_classification": "unknown",  "legit_url": "unknown",  "similarity": 0,  "spoofed": 0,  "reasoning": "The URL 'https://cctv.com' does not appear to be a typosquatting attempt. 'CCTV' is a generic term that stands for 'Closed-Circuit Television' and is not exclusively associated with a specific brand. The domain 'cctv.com' could be legitimately used by any entity related to surveillance systems or broadcasting. There are no visual character substitutions or structural changes that suggest an attempt to mimic a well-known brand. Additionally, the domain extension '.com' is standard and does not imply any deceptive intent. Without a specific brand association, the URL is unlikely to confuse users into thinking it is related to a particular brand."}

URL: https://cctv.com

{
    "risk_score": 6,
    "reasoning": "The script demonstrates moderate-risk behaviors, including external data transmission and the use of fallback domains. While the script's intent is not entirely clear, the conditional logic and potential for redirecting to different domains based on the user's location raise some concerns that require further investigation."
}

window.addEventListener('load', function () {
	let scriptEl = document.createElement('script')
  let isCN = getArea() === 'CN';
  let guowai = findGetParameter("guowai");
  if (guowai === '1') {
    isCN = false
  }
  
  if ((isCN && "1" == "0") || (!isCN && "1" == "0")) {
    document.getElementById("TPMTzo7laOcaXUpvBX67KgjG211216_container").style.display = "none";
  }else{
    scriptEl.src = isCN ? "" : ""
    document.body.appendChild(scriptEl)
  }
})

{
    "risk_score": 5,
    "reasoning": "The script exhibits moderate-risk behaviors, including external data transmission and the use of fallback domains. However, the script's intent appears to be related to geolocation-based content delivery, which could be a legitimate use case. Further review may be necessary to determine the full context and potential risks."
}

window.addEventListener('load', function () {
	let scriptEl = document.createElement('script')
  let isCN = getArea() === 'CN';
  let guowai = findGetParameter("guowai");
  if (guowai === '1') {
    isCN = false
  }

  if ((isCN && "1" == "1") || (!isCN && "1" == "0")) {

    document.getElementById("TPMTGb0ECeaxfb2pTOI6i1qt211216_container").style.display = "none";
  }else{
  		scriptEl.src = isCN ? "" : ""
  		document.body.appendChild(scriptEl)
  }
})

{
    "risk_score": 5,
    "reasoning": "The script exhibits moderate-risk behaviors, including external data transmission and the use of fallback domains. However, the intent appears to be related to geolocation-based content delivery, which is a common practice. Further review may be needed to determine if there are any suspicious or inconsistent behaviors."
}

  window.addEventListener('load', function () {
    let scriptEl = document.createElement('script')
    let isCN = getArea() === 'CN';
    let guowai = findGetParameter("guowai");
    if (guowai === '1') {
      isCN = false
    }

    if ((isCN && "1" == "0") || (!isCN && "1" == "0")) {
      document.getElementById("TPMThn9QwS7fnC9io7f7M3Ml230804_container").style.display = "none";
    }else{
      scriptEl.src = isCN ? "" : ""
      document.body.appendChild(scriptEl)
    }
  })

{
    "risk_score": 5,
    "reasoning": "The script demonstrates some moderate-risk behaviors, such as dynamic script loading and potential data exfiltration, but the intent is not entirely clear. Further investigation is needed to determine the legitimacy of the script's purpose."
}

window.addEventListener('load', function () {
	let scriptEl = document.createElement('script')
  let isCN = getArea() === 'CN';
  let guowai = findGetParameter("guowai");
  if (guowai === '1') {
    isCN = false
  }

  if ((isCN && "1" == "1") || (!isCN && "1" == "0")) {

    document.getElementById("TPMTwof4bkYbF8Og0IQ0pDLA211216_container").style.display = "none";
  }else{
  		scriptEl.src = isCN ? "" : ""
  		document.body.appendChild(scriptEl)
  }
})

{
    "risk_score": 4,
    "reasoning": "The script appears to be a legitimate content rendering function, but it exhibits some moderate-risk behaviors. It dynamically generates HTML content and modifies the DOM, which could be considered aggressive. Additionally, it uses fallback image URLs that are not directly provided in the data, which introduces some uncertainty. Overall, the script requires further review due to its complex behavior, but it does not demonstrate clear malicious intent."
}

  function PAGEnL0TSDsFQ26XkCx4G7Kl210126(res) {
    const datalist = res.data.list.slice(0, 8);
    var listEl = document.querySelector('#TPMTyC55g6ZBo3Whkz45Xo67211216_container').querySelector('.promptly-section-container-wrap');
    var liList = '';
    var back = 'PAGEnL0TSDsFQ26XkCx4G7Kl210126';
    for(var i = 0 ; i < datalist.length ; i++){
        var itemHtml = '';
      	  let item_title = datalist[i].title;
        item_title = item_title.replace(/\#[^\s]*\s/ig, '');
        item_title = item_title.replace(/\#.*/i, '');
        let item_subtitle = datalist[i].subtitle;
        item_subtitle = item_subtitle.replace(/\#[^\s]*\s/ig, '');
        item_subtitle = item_subtitle.replace(/\#.*/i, '');
      
      
        itemHtml +='<dl class="promptly-section-container-dlWrap">'
        itemHtml +='<dt>'
        itemHtml +='<a href="'
        itemHtml += datalist[i].url
        itemHtml +='" target="_blank" >'
        itemHtml +='<img src="'
        //itemHtml +=datalist[i].image
        if(datalist[i].image == '' || datalist[i].image == null || datalist[i].image == undefined){
                    if(datalist[i].s_page_name == '' || datalist[i].s_page_name == null || datalist[i].s_page_name == undefined ){
                        if(back == 'PAGEnL0TSDsFQ26XkCx4G7Kl210126'){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_jk.jpg'
                        }else if(back == 'PAGEZ8HZ8JSmzO1F6GiAYTi9211130'){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_hk.jpg'
                        }else if(back == 'PAGEMURMOWpDxCfQkQPW3nKA210126'){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_zgmk.jpg'
                        }
                    }else{

                        if(datalist[i].s_page_name == ''){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_jrsla.jpg'
                        }else if(datalist[i].s_page_name == ''){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_gtbfb.jpg'
                        }else if(datalist[i].s_page_name == ''){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_jkla.jpg'
                        }else if(datalist[i].s_page_name == ''){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_wtng.jpg'
                        }else if(datalist[i].s_page_name == ''){
                            itemHtml +='//p2.img.cctvpic.com/photoAlbum/templet/common/TPTERE93VfAfo34uSEe8veca211216/20220224_seat_jkdwq.jpg'
                        } 

                    }
                     
                }else{
                    itemHtml += datalist[i].image
                }
      
        itemHtml +='" >'
        if(datalist[i].duration){
            itemHtml +='<span class="promptly-section-container-vidTime">'
            itemHtml +=datalist[i].duration
            itemHtml +='</span>'
        }
        itemHtml +='</a></dt>'
        itemHtml +='<dd><a href="'
        itemHtml +=datalist[i].url
        itemHtml +='" target="_blank" ><span>'
      	  if(datalist[i].subtitle == ''){
            itemHtml +=item_title
          }else{
            itemHtml +=item_subtitle

          }
        itemHtml +='</span></a>'
        itemHtml +='</dd>'
        itemHtml +='</dl>'
        liList +=itemHtml;
    }

    listEl.innerHTML = liList;
  }
             

{
    "risk_score": 3,
    "reasoning": "The script appears to be primarily responsible for loading a video content from CCTV's global website based on the user's location (China or outside China). While it uses some dynamic behavior, such as creating a script element and appending it to the DOM, the overall intent seems to be legitimate content delivery. The script does not exhibit any high-risk indicators like data exfiltration or obfuscated code, and the use of the CCTV domain suggests a relatively trusted context. Therefore, the risk score is assessed as low."
}

  window.addEventListener('load', function () {
    let scriptEl = document.createElement('script')
    let isCN = getArea() === 'CN';
    let guowai = findGetParameter("guowai");
    if (guowai === '1') {
      isCN = false
    }
    
    if ((isCN && "1" == "0") || (!isCN && "1" == "0")) {
        document.getElementById("TPMTyC55g6ZBo3Whkz45Xo67211216_container").style.display = "none";
    }else{
      let urlBeing = "https://global.cctv.com/cmsdatainterface/guonei/new/video/PAGEnL0TSDsFQ26XkCx4G7Kl210126_1.jsonp"?true:false;
      if(urlBeing){
        scriptEl.src = isCN ? "https://global.cctv.com/cmsdatainterface/guonei/new/video/PAGEnL0TSDsFQ26XkCx4G7Kl210126_1.jsonp" : "https://global.cctv.com/cmsdatainterface/guowai/new/video/PAGEnL0TSDsFQ26XkCx4G7Kl210126_1.jsonp"
        document.body.appendChild(scriptEl)
      }
    }
  })

{
    "risk_score": 4,
    "reasoning": "The script appears to be a legitimate content rendering function, but it exhibits some moderate-risk behaviors that warrant further review. The script dynamically generates HTML elements and modifies the DOM, which could potentially be used for aggressive or malicious purposes. Additionally, it processes data from an external source, which could lead to potential data exfiltration if not properly sanitized. However, the script's purpose seems to be displaying a list of content items, which is a common and expected behavior. Overall, the script requires closer inspection to ensure there are no hidden or unintended behaviors."
}

  function PAGEMURMOWpDxCfQkQPW3nKA210126(res) {
    const datalist = res.data.list.slice(0, 7);
    var listEl = document.querySelector('#TPMTnR0hMwqDy6QtRYmjQJ0q211216_container').querySelector('.hot-section-list');
    var liList = '';

    for(var i = 0 ; i< datalist.length ; i++){
      let item = '';
      let item_title = datalist[i].title;
      item_title = item_title.replace(/\#[^\s]*\s/ig, '');
      item_title = item_title.replace(/\#.*/i, '');
      let item_subtitle = datalist[i].subtitle;
      item_subtitle = item_subtitle.replace(/\#[^\s]*\s/ig, '');
      item_subtitle = item_subtitle.replace(/\#.*/i, '');
      item +='<li class="hot-section-item">'
      item +='<a href="'
      item += datalist[i].url
      item +='" class="hot-section-item-box" target="_blank">'
      item +='<div class="hot-section-item-img" style="background-image: url('
      item +=datalist[i].image
      item +=');"></div>'
      item +='<p class="hot-section-item-title">'
      if(datalist[i].subtitle !=''){
        item +=item_subtitle

      	}else{
        item +=item_title
      }
      item +='</p>'
      item +='</a>'
      if(datalist[i].duration){
        item +='<p class="hot-section-item-date">'
        item +=datalist[i].duration
        item +='</p>'
      }
      item +='</li>'
      liList += item

    }
    listEl.innerHTML = liList;
  }
             

{
    "risk_score": 3,
    "reasoning": "The script appears to be primarily responsible for loading content from different URLs based on the user's location (China vs. outside of China). While it uses some dynamic behavior, such as creating a script element and appending it to the DOM, the overall intent seems to be legitimate content delivery rather than malicious activity. The script does not exhibit any high-risk indicators like dynamic code execution or data exfiltration, and the use of the `getArea()` and `findGetParameter()` functions is relatively benign. Therefore, the risk score is assessed as low, with a score of 3."
}

  window.addEventListener('load', function () {
    let scriptEl = document.createElement('script')
    let isCN = getArea() === 'CN';
    let guowai = findGetParameter("guowai");
    if (guowai === '1') {
      isCN = false
    }
    
    if ((isCN && "1" == "1") || (!isCN && "1" == "0")) {
        document.getElementById("TPMTnR0hMwqDy6QtRYmjQJ0q211216_container").style.display = "none";
    }else{
      let urlBeing = "https://global.cctv.com/cmsdatainterface/guonei/new/page/PAGEMURMOWpDxCfQkQPW3nKA210126_1.jsonp"?true:false;
      if(urlBeing){
        scriptEl.src = isCN ? "https://global.cctv.com/cmsdatainterface/guonei/new/page/PAGEMURMOWpDxCfQkQPW3nKA210126_1.jsonp" : "https://global.cctv.com/cmsdatainterface/guowai/new/page/PAGEMURMOWpDxCfQkQPW3nKA210126_1.jsonp"
        document.body.appendChild(scriptEl)
      }
    }
  })

{
    "risk_score": 2,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate script for managing the active state of menu items based on the current URL path. It does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or obfuscation. The script primarily focuses on manipulating the DOM to highlight the active menu item and updating the text content of sub-menu items based on the URL path. This behavior is consistent with typical navigation and UI functionality, and there are no clear indications of malicious intent."
}

var pathName;

if (window.location.pathname.indexOf("big5") != "-1") {
pathName = window.location.pathname.replace("/gate/big5/", "");
pathName = pathName.split("/")[1];
} else {
pathName = window.location.pathname.split("/")[1];
}

var activeEl = document
.querySelector(".header-container")
.querySelector(".menu-list")
.querySelectorAll(".menu-item");

activeEl.forEach((item) => {
if (pathName != "" && pathName != "index.shtml") {
if (
item.querySelector("a").getAttribute("href").indexOf(pathName) != -1
) {
item.querySelector("a").style.color = "#ff6c00";
}
}
});
  
  if (window.location.pathname.indexOf("big5") != "-1") {
    $(".menu-item-10-sub1 a").html(
      '<span class="menu-item-sub-tips"></span></a>'
    );
    $(".menu-item-10-sub2 a").html(
      '<span class="menu-item-sub-tips"></span></a>'
    );
  } else {
    $(".menu-item-10-sub1 a").html(
      '<span class="menu-item-sub-tips"></span></a>'
    );
    $(".menu-item-10-sub2 a").html(
      '<span class="menu-item-sub-tips"></span></a>'
    );
  }  
  

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a legitimate news article content, with no indicators of malicious behavior. It contains typical news article elements like titles, subtitles, images, and video links. There are no signs of dynamic code execution, data exfiltration, or other high-risk behaviors. The script seems to be focused on displaying news content, which is a common and expected use case."
}

PAGEnL0TSDsFQ26XkCx4G7Kl210126({"data":{"total":174,"pagenum":9,"list":[{"id":"VIDEMUqmqt1U3q19yeOMQpXp250206","title":"#   ","subtitle":"#   #","focus_date":"2025-02-06","url":"https://global.cctv.com/2025/02/06/VIDEMUqmqt1U3q19yeOMQpXp250206.shtml","image":"https://p2.img.cctvpic.com/fmspic/2025/02/06/54e50efbfd3941c997327042b2a326c0-1.jpg","image2":"https://p2.img.cctvpic.com/fmspic/2025/02/06/54e50efbfd3941c997327042b2a326c0-1.jpg","image3":"https://p4.img.cctvpic.com/photoworkspace/2025/02/06/2025020617085244836.jpg","brief":"#   ","ext_field":"","keywords":"#  ","type":"vide","old_id":"","s_page_id":"","s_page_name":"","duration":"00:21","ext":{"facebook":"1652617692341780"}},{"id":"VIDESocifs5BGaEld0Ns0T65250127","title":"# ","subtitle":"# ","focus_date":"2025-01-27","url":"https://global.cctv.com/2025/01/27/VIDESocifs5BGaEld0Ns0T65250127.shtml","image":"https://p2.img.cctvpic.com/fmspic/2025/01/27/f2e56408ec324fec8e760d5b4e86de32-1.jpg","image2":"https://p2.img.cctvpic.com/fmspic/2025/01/27/f2e56408ec324fec8e760d5b4e86de32-1.jpg","image3":"https://p4.img.cctvpic.com/fmspic/2025/01/27/f2e56408ec324fec8e760d5b4e86de32-300.jpg","brief":"# ","ext_field":"","keywords":"# ","type":"vide","old_id":"","s_page_id":"","s_page_name":"","duration":"00:37","ext":{"facebook":"3939716926348231"}},{"id":"VIDETaz8pHjMo4ElMiRLIpBW250127","title":"# 2025 127","subtitle":"# 2025 127","focus_date":"2025-01-27","url":"https://global.cctv.com/2025/01/27/VIDETaz8pHjMo4ElMiRLIpBW250127.shtml","image":"https://p4.img.cctvpic.com/fmspic/2025/01/27/44d682753d8c41e8b92be983afc03d53-1.jpg","image2":"https://p4.img.cctvpic.com/fmspic/2025/01/27/44d682753d8c41e8b92be983afc03d53-1.jpg","image3":"https://p4.img.cctvpic.com/fmspic/2025/01/27/44d682753d8c41e8b92be983afc03d53-300.jpg","brief":"# 2025 127","ext_field":"","keywords":"# 2025 127","type":"vide","old_id":"","s_page_id":"","s_page_name":"","duration":"01:42","ext":{"facebook":"984276773551412"}},{"id":"VIDEiZGO8GnR4wDbFPUGlN9F250127","title":"# ","subtitle":"# ","focus_date":"2025-01-27","url":"https://global.cctv.com/2025/01/27/VIDEiZGO8GnR4wDbFPUGlN9F250127.shtml","image":"https://p1.img.cctvpic.com/fmspic/2025/01/27/b9c4c8cfa4204c0f982d5501f539597b-1.jpg","image2":"https://p1.img.cctvpic.com/fmspic/2025/01/27/b9c4c8cfa4204c0f982d5501f539597b-1.jpg","image3":"https://p4.img.cctvpic.com/fmspic/2025/01/27/b9c4c8cfa4204c0f982d5501f539597b-300.jpg","brief":"# ","ext_field":"","keywords":"# ","type":"vide","old_id":"","s_page_id":"","s_page_name":"","duration":"01:09","ext":{"facebook":"1215300990309902"}},{"id":"VIDE8GvaLjGHWYbGuOib9sub250126","title":"#   ","subtitle":"#   ","focus_date":"2025-01-26","url":"https://global.cctv.com/2025/01/26/VIDE8GvaLjGHWYbGuOib9sub250126.shtml","image":"https://p5.img.cctvpic.com/fmspic/2025/01/26/dd09b5cec91244c7bfb607e026188eea-1.jpg","image2":"https://p5.img.cctvpic.com/fmspic/2025/01/26/dd09b5cec91244c7bfb607e026188eea-1.jpg","image3":"https://p3.img.cctvpic.com/fmspic/2025/01/26/dd09b5cec91244c7bfb607e026188eea-300.jpg","brief":"#   ","ext_field":"","keywords":"#   ","type":"vide","old_id":"","s_page_id":"","s_page_name":"","duration":"01:13","ext":{"facebook":"1321427672327356"}},{"id":"VIDEOoEDQU1FeUtg2fWxCRrR250126","title":"# ","subtitle":"# ","focus_date":"2025-01-26","url":"https://global.cctv.com/2025/01/26/VIDEOoEDQU1FeUtg2fWxCRrR250126.shtml","image":"https://p4.img.cctvpic.com/fmspic/2025/01/26/9917e7a134cf442cbc948f9448de0eeb-1.jpg","image2":"ht

```json{  "brand": "unknown",  "brand_classification": "unknown",  "legit_url": "unknown",  "similarity": 1,  "spoofed": 1,  "reasoning": "The URL 'https://888.mixly.us.kg' does not closely resemble any known brand or legitimate URL. The use of '888' and 'mixly' does not suggest a strong connection to a well-known brand. The domain extension '.us.kg' is unusual but does not inherently indicate typosquatting. There are no obvious character substitutions or structural changes that mimic a known brand. The URL could be related to a specific service or campaign unrelated to typosquatting."}

URL: https://888.mixly.us.kg

{
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": true,
"contains_fake_security_alerts": false,
"page_classification": "unknown"
}

{
  "contains_trigger_text": true,
  "trigger_text": "",
  "prominent_button_name": "",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": true,
  "contains_fake_security_alerts": false,
  "page_classification": "unknown"
}