How to reverse engineer and analyse an SHTML file in phishing mails

First things first:
You get an email with some social engineering text and so on, plus a .shtml file.

In this case the mail sender seems to have been hacked, so no spam filter had caught the file at that point.

What is shtml?
The ".shtml" file extension stands for "Server Side Include HTML" and is commonly used for web pages. It is a special file extension that indicates that the corresponding file is dynamically generated on the server and contains server-side scripts or inclusions.
The term "server side include" refers to a technology where content or script fragments are inserted into the HTML file while the web page is running on the server. This allows for code reuse or inclusion of dynamic content such as headers, footers, navigation bars, or other recurring elements.
The use of the ".shtml" suffix indicates that the web server processes the file before delivering it to the web browser and resolves the server-side inclusions. The result is a standard HTML file that can be displayed by the user's web browser. When the file arrives as an email attachment and is opened locally, no server processes it: the browser treats it as an ordinary HTML page and runs the JavaScript it contains.

Now analysing the content of the shtml file:
Open the file and you see some JavaScript with a very long string (you can turn on word wrap to see the full lines). Seems like base64?
So I will output it with console.log()

Now I get... more encoded code

So let's look for some useful data... and yes, there it is:
The values give us some info about the phishing form: the POST URL where the phished data is sent to the attacker, and the desired email:

Now decode the rest of the code:

The last code to decode
The last code is the stylesheet and design of the fake form. Yes, it seems to be from a phishing toolkit or something similar:

The last base64 code gives us this function:

You can see that its only job is to build a token and add some special info to the POST URL, which is created by the snippet:

The login page and the check for the real password:
The special sauce here is that there is a check against the original servers, while all the other buttons don't work, so only the correct password will be shipped to the attackers:

After all these steps I can analyse the pcap files and network stuff.
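
The layer-by-layer base64 decoding described above can also be done statically in Node.js, without opening the attachment in a browser or running any of its script. This is an added example, not code from the original post or from the phishing kit; the function names, the 40-character threshold and the sample document are assumptions constructed for illustration.

```javascript
// Added example: static, layer-by-layer decoding of base64 strings found in a
// suspicious .shtml/.html attachment. Nothing from the sample is executed.

// Quoted string literals of 40+ base64 characters (assumed threshold).
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{40,}={0,2})["'`]/g;
const URL_RE = /https?:\/\/[^\s"'<>\\)]+/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Decode one candidate; return null if the result is not mostly printable text.
function decodeLayer(candidate) {
  const text = Buffer.from(candidate, "base64").toString("utf8");
  const printable = text.replace(/[^\x09\x0a\x0d\x20-\x7e]/g, "").length;
  return text.length > 0 && printable / text.length > 0.9 ? text : null;
}

// Walk every embedded base64 literal, recursing into each decoded layer.
function peel(source, maxDepth = 5) {
  const layers = [];
  const visit = (text, depth) => {
    layers.push({ depth, text });
    if (depth >= maxDepth) return; // stop on pathological nesting
    for (const m of text.matchAll(B64_LITERAL)) {
      const decoded = decodeLayer(m[1]);
      if (decoded !== null) visit(decoded, depth + 1);
    }
  };
  visit(source, 0);
  return layers;
}

// Collect unique URLs and email addresses across all decoded layers.
function indicators(layers) {
  const all = layers.map((l) => l.text).join("\n");
  return {
    urls: [...new Set(all.match(URL_RE) || [])],
    emails: [...new Set(all.match(EMAIL_RE) || [])],
  };
}

// Constructed sample (not the real attachment): two nested base64 layers.
const toB64 = (s) => Buffer.from(s, "utf8").toString("base64");
const inner = 'var action = "https://collector.example/post.php"; var user = "victim@example.org";';
const middle = `document.write(atob("${toB64(inner)}"));`;
const SAMPLE = `<script>document.write(atob("${toB64(middle)}"));</script>`;

const result = indicators(peel(SAMPLE));
console.log(result);
```

To use it on a real sample, read the attachment as text on an analysis machine and pass the string to `peel()` in place of `SAMPLE`.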
