Windows
Analysis Report
Doc-317715824.eml
Overview
General Information
Detection
HTMLPhisher
Score | Range | Whitelisted | Confidence |
---|---|---|---|
84 | 0 - 100 | false | 100% |
Signatures
AI detected phishing page
Antivirus detection for URL or domain
Yara detected HtmlPhish10
HTML page contains suspicious base64 encoded javascript
Phishing site detected (based on image similarity)
Phishing site detected (based on logo match)
Phishing site detected (based on various text indicators)
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)
Detected suspicious crossdomain redirect
HTML body contains low number of good links
HTML body contains password input but no form action
HTML page contains hidden URLs or javascript code
HTML title does not match URL
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory
Classification
- System is w10x64_ra
- OUTLOOK.EXE (PID: 7120 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Doc-317715824.eml" MD5: 91A5292942864110ED734005B7E005C0)
- ai.exe (PID: 5856 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "82B93F61-3840-4B36-A3A1-6BE25C1288BE" "BF0D3FDC-34DA-4F9C-BE5D-C4CEC375668C" "7120" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- chrome.exe (PID: 5884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://protectlink.security-mail.net/?url=https%3A%2F%2Fwww.atjehupdate.com/yz56h0%23eguitierrez%2Bcorgrate.com&token=pRZ8OsFqaJAmm%2FHiZO0RH7B95HtiQiGKdCPYBRKNnFR8ja5vM9eMfVTsBwToC8wndTiHWIVNG0%2FuawLa4thhC3j%2B29YSELhtYddpgvxMiDBD1sYgPyw5K4zKSUk%3D MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 1996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1892,i,4395642204238307529,3871923715118201898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 4828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://protectlink.security-mail.net/?url=https%3A%2F%2Fwww.atjehupdate.com/yz56h0%23eguitierrez%2Bcorgrate.com&token=pRZ8OsFqaJAmm%2FHiZO0RH7B95HtiQiGKdCPYBRKNnFR8ja5vM9eMfVTsBwToC8wndTiHWIVNG0%2FuawLa4thhC3j%2B29YSELhtYddpgvxMiDBD1sYgPyw5K4zKSUk%3D MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2040,i,11099272308040655710,9436726026575180383,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
No Snort rule has matched
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Phishing |
---|
Source: | LLM: | ||
Source: | File source: | ||
Source: | HTTP Parser: | ||
Source: | Matcher: |
Source: | OCR Text: |