Edit tour

Windows Analysis Report
Remittance.html

Overview

General Information

Sample name:	Remittance.html
Analysis ID:	1590591
MD5:	28b42b717dc1acb68070ab812d597aef
SHA1:	d9b4ffaf00bf0d79f18a7d901a37030a3aa3076d
SHA256:	2f81523ae9072f48bb6cc8bf66f3f24fd69821a55275c37710ce80af41264a01
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

HTML document with suspicious name

Suspicious Javascript code found in HTML file

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2032,i,7355246526467776315,7229800856763511647,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: https://docsend.com/view/e26uy3fst28mbkqm	Joe Sandbox AI: Page contains button: 'CLICK HERE TO ACCESS DOCUMENT' Source: '2.2.pages.csv'
Source: https://docsend.com/view/e26uy3fst28mbkqm	Joe Sandbox AI: Page contains button: 'CLICK HERE TO ACCESS DOCUMENT' Source: '2.3.pages.csv'

Suspicious Javascript code found in HTML file

Source: Remittance.html	HTTP Parser: .location
Source: Remittance.html	HTTP Parser: .location

Source: https://docsend.com/view/e26uy3fst28mbkqm

HTTP Parser: Base64 decoded: {"version":3,"sources":["webpack://./../js/privacy_consent/privacy_consent.module.css","webpack://./../js/privacy_consent/privacy_consent.module.out.css"],"names":[],"mappings":"AAAA,sBAMI,4BAA6B,CAL7B,QAAS,CAIT,QAAS,CAIT,iBAAkB,CANlB,QAAS,CACT,MAAO,CAIP,...

Source: Remittance.html

HTTP Parser: Title: DocSend does not match URL

Source: https://assets.docsend.com/static/presentation-QRLPFG4A.js

HTTP Parser: (()=>{var r90=object.create;var pr1=object.defineproperty;var a90=object.getownpropertydescriptor;var n90=object.getownpropertynames;var o90=object.getprototypeof,i90=object.prototype.hasownproperty;var c90=(e,t,r)=>t in e?pr1(e,t,{enumerable:!0,configurable:!0,writable:!0,value:r}):e[t]=r;var zz2=(e=>typeof require<"u"?require:typeof proxy<"u"?new proxy(e,{get:(t,r)=>(typeof require<"u"?require:t)[r]}):e)(function(e){if(typeof require<"u")return require.apply(this,arguments);throw new error('dynamic require of "'+e+'" is not supported')});var s=(e,t)=>()=>(e&&(t=e(e=0)),t);var f=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports),r1=(e,t)=>{for(var r in t)pr1(e,r,{get:t[r],enumerable:!0})},s_1=(e,t,r,a)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of n90(t))!i90.call(e,n)&&n!==r&&pr1(e,n,{get:()=>t[n],enumerable:!(a=a90(t,n))||a.enumerable});return e},kd=(e,t,r)=>(s_1(e,t,"default"),r&&s_1(r,t,"default")),h=(e,t,r)=>(r=e!=null?r90(o90(e)):{},s_1(t||!e||!e.__esmodule?pr1(r,"default",{value:e...

Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://www.dropbox.com/ccpa_iframe?hide_gdpr=false&should_disable_banner=false&gpc=false&origin=https%253A%252F%252Fdocsend.com&uri_for_logging=docsend.com&should_show_floating_button=false&should_auto_open_options=undefined&width=1280&csrf_origin=https%253A%252F%252Fdocsend.com&default_non_ccpa=true&locale=en
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://marketing.docsend.com/view/e26uy3fst28mbkqm
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://www.dropbox.com/ccpa_iframe?hide_gdpr=false&should_disable_banner=false&gpc=false&origin=https%253A%252F%252Fdocsend.com&uri_for_logging=docsend.com&should_show_floating_button=false&should_auto_open_options=undefined&width=1280&csrf_origin=https%253A%252F%252Fdocsend.com&default_non_ccpa=true&locale=en
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://marketing.docsend.com/view/e26uy3fst28mbkqm
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://www.dropbox.com/ccpa_iframe?hide_gdpr=false&should_disable_banner=false&gpc=false&origin=https%253A%252F%252Fdocsend.com&uri_for_logging=docsend.com&should_show_floating_button=false&should_auto_open_options=undefined&width=1280&csrf_origin=https%253A%252F%252Fdocsend.com&default_non_ccpa=true&locale=en
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://marketing.docsend.com/view/e26uy3fst28mbkqm
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: Iframe src: https://td.doubleclick.net/td/ga/rul?tid=G-JPP8SP2PRX&gacid=882163684.1736846384&gtm=45je51d0v9135195435za200&dma=0&gcd=13l3l3l3l2l1&npa=0&pscdl=noapi&_ng=1&aip=1&fledge=1&frm=0&tag_exp=101732279~101732281~101925629~102067555~102067808~102081485~102123608~102198178&z=497368851

Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No favicon
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No favicon

Source: Remittance.html	HTTP Parser: No <meta name="author".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="author".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="author".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="author".. found

Source: Remittance.html	HTTP Parser: No <meta name="copyright".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="copyright".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="copyright".. found
Source: https://docsend.com/view/e26uy3fst28mbkqm	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\LICENSE.txt

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49934 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 27MB

Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49704 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:58915 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: assets.docsend.com
Source: global traffic	DNS traffic detected: DNS query: d2qvtfnm75xrxf.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: docsend.com
Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cfl.dropboxstatic.com
Source: global traffic	DNS traffic detected: DNS query: marketing.docsend.com
Source: global traffic	DNS traffic detected: DNS query: d.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: featuregates.org
Source: global traffic	DNS traffic detected: DNS query: lh3.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: d1ng9lshxk6v9w.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: events.statsigapi.net
Source: global traffic	DNS traffic detected: DNS query: widget.intercom.io
Source: global traffic	DNS traffic detected: DNS query: js.intercomcdn.com
Source: global traffic	DNS traffic detected: DNS query: analytics.google.com
Source: global traffic	DNS traffic detected: DNS query: stats.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: api-iam.intercom.io
Source: global traffic	DNS traffic detected: DNS query: nexus-websocket-a.intercom.io
Source: global traffic	DNS traffic detected: DNS query: nel.heroku.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 58930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 58925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58918
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 58919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58928
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58924
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58920
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58921
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 58931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 58926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 58937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 58921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 58923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58935
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58930
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 58917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 58918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49934 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Remittance.html

Initial sample: remit

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\sets.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll.sig
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\Filtering Rules
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\manifest.fingerprint

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_6812_1669277946

Source: classification engine

Classification label: mal52.phis.winHTML@24/107@86/435

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2032,i,7355246526467776315,7229800856763511647,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2032,i,7355246526467776315,7229800856763511647,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\LICENSE.txt

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Drive-by Compromise	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	21 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\Google.Widevine.CDM.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
featuregates.org	34.128.128.0	true	false	high
nel.heroku.com	52.212.158.180	true	false	high
widget.intercom.io	108.138.26.50	true	false	high
api-iam.intercom.io	54.80.201.22	true	false	high
d3gwed3etk0v2d.cloudfront.net	13.33.187.118	true	false	unknown
stats.g.doubleclick.net	173.194.76.157	true	false	high
d2qvtfnm75xrxf.cloudfront.net	108.138.26.14	true	false	high
www-env.dropbox-dns.com	162.125.66.18	true	false	high
d-edge.v.dropbox.com	162.125.6.20	true	false	high
www.google.com	172.217.18.100	true	false	high
d1ng9lshxk6v9w.cloudfront.net	99.86.1.101	true	false	high
events.statsigapi.net	34.128.128.0	true	false	high
analytics.google.com	142.250.186.110	true	false	high
td.doubleclick.net	216.58.206.34	true	false	high
nexus-websocket-a.intercom.io	35.174.127.31	true	false	high
docsend.com	18.173.205.125	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.33	true	false	high
js.intercomcdn.com	18.245.46.55	true	false	high
assets.docsend.com	unknown	unknown	false	high
cfl.dropboxstatic.com	unknown	unknown	false	high
lh3.googleusercontent.com	unknown	unknown	false	high
marketing.docsend.com	unknown	unknown	false	unknown
d.dropbox.com	unknown	unknown	false	high
www.dropbox.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://docsend.com/view/e26uy3fst28mbkqm	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
173.194.76.157	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.74.206	unknown	United States	15169	GOOGLEUS	false
108.138.26.14	d2qvtfnm75xrxf.cloudfront.net	United States	16509	AMAZON-02US	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
216.58.206.34	td.doubleclick.net	United States	15169	GOOGLEUS	false
54.80.201.22	api-iam.intercom.io	United States	14618	AMAZON-AESUS	false
162.125.8.20	unknown	United States	19679	DROPBOXUS	false
52.212.158.180	nel.heroku.com	United States	16509	AMAZON-02US	false
104.16.100.29	unknown	United States	13335	CLOUDFLARENETUS	false
35.174.127.31	nexus-websocket-a.intercom.io	United States	14618	AMAZON-AESUS	false
34.237.73.95	unknown	United States	14618	AMAZON-AESUS	false
162.125.6.20	d-edge.v.dropbox.com	United States	19679	DROPBOXUS	false
142.250.185.142	unknown	United States	15169	GOOGLEUS	false
142.250.186.110	analytics.google.com	United States	15169	GOOGLEUS	false
18.173.205.125	docsend.com	United States	3	MIT-GATEWAYSUS	false
108.138.26.123	unknown	United States	16509	AMAZON-02US	false
142.250.186.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
13.33.187.118	d3gwed3etk0v2d.cloudfront.net	United States	16509	AMAZON-02US	false
142.250.184.195	unknown	United States	15169	GOOGLEUS	false
162.125.66.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
108.177.15.84	unknown	United States	15169	GOOGLEUS	false
216.58.212.131	unknown	United States	15169	GOOGLEUS	false
142.250.186.163	unknown	United States	15169	GOOGLEUS	false
18.173.205.86	unknown	United States	3	MIT-GATEWAYSUS	false
142.250.185.234	unknown	United States	15169	GOOGLEUS	false
216.58.206.65	unknown	United States	15169	GOOGLEUS	false
44.216.78.78	unknown	United States	14618	AMAZON-AESUS	false
142.250.181.227	unknown	United States	15169	GOOGLEUS	false
34.128.128.0	featuregates.org	United States	2686	ATGS-MMD-ASUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.173.205.79	unknown	United States	3	MIT-GATEWAYSUS	false
172.217.18.106	unknown	United States	15169	GOOGLEUS	false
99.86.1.101	d1ng9lshxk6v9w.cloudfront.net	United States	16509	AMAZON-02US	false
108.138.106.104	unknown	United States	16509	AMAZON-02US	false
172.217.18.104	unknown	United States	15169	GOOGLEUS	false
216.58.212.163	unknown	United States	15169	GOOGLEUS	false
18.245.46.10	unknown	United States	16509	AMAZON-02US	false
142.250.186.104	unknown	United States	15169	GOOGLEUS	false
18.245.46.55	js.intercomcdn.com	United States	16509	AMAZON-02US	false
172.217.18.100	www.google.com	United States	15169	GOOGLEUS	false
99.86.1.146	unknown	United States	16509	AMAZON-02US	false
108.138.26.50	widget.intercom.io	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16
192.168.2.23

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590591
Start date and time:	2025-01-14 10:18:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Remittance.html
Detection:	MAL
Classification:	mal52.phis.winHTML@24/107@86/435
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.227, 142.250.74.206, 108.177.15.84, 142.250.185.234, 216.58.212.174, 142.250.186.163, 142.250.185.238, 172.217.18.106, 142.250.184.195, 104.16.100.29, 104.16.99.29, 13.85.23.206
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: d3gwed3etk0v2d.cloudfront.net

LLM Input / Output

Input	Output
URL: file:///C:/Users/user/Desktop/Remittance.html... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The provided JavaScript snippet appears to be a configuration object that sets various environment variables and feature flags for a web application. While it does not contain any high-risk indicators like dynamic code execution or data exfiltration, it does include some moderate-risk behaviors such as external data transmission to third-party domains (e.g., Bugsnag, Dropbox) and the use of fallback domains. Additionally, the presence of obfuscated URLs and the use of the Filestack API, which can be used for file uploads, contribute to the overall risk score. However, the context suggests this is likely a legitimate configuration for a web application, and the risk can be mitigated by ensuring the third-party domains and APIs are trusted and used appropriately." }
window.ENV = {"ARKOSE_LOGIN_PUBLIC_KEY":"F758DB58-45F1-4C2B-B345-7BB881B04A85","ARKOSE_SIGNUP_PUBLIC_KEY":"A87E7BAF-83FE-4058-AE4E-EAC560C82F5D","ASSET_HOST":"https://url.za.m.mimecastprotect.com/s/IjmxCpgVnmFzwrnKEsYdl6C?domain=assets.docsend.com","AWS_MAX_FILE_SIZE":2147483647,"BASE_URL":"https://url.za.m.mimecastprotect.com/s/ZkaECqj8onHO2A8l6sEaFrB?domain=docsend.com","BUGSNAG_FRONTEND_API_KEY":"0bca6a0a-c303-4b27-84cb-60ebe421858a","BUGSNAG_NOTIFY_ENDPOINT":"https://url.za.m.mimecastprotect.com/s/kVPECr07potAmK8o3Fj7wQR?domain=d.dropbox.com","BUGSNAG_SESSIONS_ENDPOINT":"https://url.za.m.mimecastprotect.com/s/hthOCvgJwvFWlm7K0h5UrvS?domain=d.dropbox.com","CODE_OWNER":"comet","COMMIT_SHA":"ce88aa6f727e0261f574c74b636425e5083ac25e","CURRENT_USER_INFO":{"canManage":false,"defaultWatermarkSettings":{},"email":null,"features":[],"hasSpaceRedesign":null,"id":null,"gid":null,"name":null,"signedIn":false,"source":null,"statsigUser":null,"statsigExperiments":null,"teamRoleName":null,"company":{"id":null,"activeNdas":[],"hasDefaultWatermarkSettings":false,"isTrialing":null,"planName":null}},"DISABLED_JQUERY_PATCHES":null,"DROPBOX_OAUTH_DOWN":null,"ENABLED_FEATURES":["growth_uppy_company_logo_upload","billing_modal_react","click_to_call","water_riviera_watermarking","platform_delete_4_real","growth_advanced_data_rooms","riviera_batch_thumbnails","water_sync_dropbox_webhook","hub_trial_start_email","link_custom_url","growth_uppy_profile_picture_upload","metrics_jobs_sidekiq","data_residency_soft_delete","duplicate_link_dropdown","water_encoding_in_elaine","growth_uppy_document_thumbnail_upload","use_dropbox_file_size_limits","presentation_cta_button","water_encoding_in_hermes"],"DISABLED_FEATURES":["water_spaces_uploads_link_space_to_folder","admin_environment_banner","space_analytics_frontend","riviera_presentation","growth_skip_invite_team_step","docsend_hub_shared_content","sidekiq_content_link_extraction_job","dbx_zoom_chat","increased_bundle_content_cap","space_redesign","test_blackbird_job","test_blackbird_job_doc_groups","country_code_selector","space_redesign_optout","space_groups","consolidate_dropbox_oauth_apps","test_feature","temp_folders_force_load_top_level","super_admin_company","eu_marketing_opt_in","space_redesign_opt_out_tooltip","use_send_beacon_in_analytics_tracker","esp_recent_frequent","enforce_free_visit_plan_limits","signed_docs_by_account","one_tos_speed_bump","jquery_migration_bugsnag"],"ENABLE_DATADOG":true,"ENABLE_PSEUDO_LOCALE_BACKEND":false,"FILESTACK_API_KEY":"AQ9b2IfEqSRapHBCLtXITz","GTM_ID":"GTM-5VPH2V","HEROKU_APP_NAME":"docsend","HEROKU_RELEASE_VERSION":"v3918","HEROKU_SLUG_COMMIT":"ce88aa6f727e0261f574c74b636425e5083ac25e","HUBSPOT_HUB_ID":"6191183","IMAGE_MIMETYPES":["image\/x-raw-hasselblad","application\/illustrator","image\/x-raw-sony","image\/bmp","image\/x-raw-canon","image\/x-raw-canon","application\/x-director","image\/x-raw-kodak","image\/x-raw-adobe","image\/vnd.dwg","image\/x-raw-epson","image\/gif","image\/heic","image\/jpeg","image\/jpeg","image\/x-raw-kodak","image\/x-raw-mamiya","image\/x-raw-leaf","image\/x-raw-minolta","image\/x-raw-nikon","image\/x-raw-nikon","image\/x-raw-olympus","image\/x-raw-pentax","image\/png","application\/vnd.google-apps.drawing","application\/vnd.google-apps.photo","image\/x-portable-pixmap","image\/vnd.adobe.photoshop","image\/x-raw-red","image\/x-raw-fuji","image\/x-raw-panasonic","image\/x-raw-sony","image\/svg+xml","image\/svg+xml","image\/tiff","image\/tiff","image\/vnd.wap.wbmp","image\/webp","image\/x-raw-sigma"],"INTERCOM_APP_ID":"lv6lji7h","LOAD_SPRIG":false,"LOCALE":"en","MAX_SIZES_BY_EXTENSION":{"3g2":2147483648,"3gp":2147483648,"3gpp":2147483648,"3gpp2":2147483648,"asf":2147483648,"avi":2147483648,"dv":2147483648,"m2t":2147483648,"m2ts":2147483648,"m4v":2147483648,"mkv":2147483648,"mov":2147483648,"mp4":2147483648,"mpeg":2147483648,"mpg":2147483648,"mts":2147483648,"ogv":2147483648,"rm":2147483648,"ts":2147483648,"vob":2147483648,"webm":2147483648
URL: :// Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: ://
URL: https://marketing.docsend.com/view/e26uy3fst28mbkq... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The script dynamically loads a script from an external domain (Dropbox), which could potentially be used for data exfiltration or other malicious purposes. While the comment suggests a marketing/analytics purpose, the use of a Dropbox domain is concerning and requires further investigation. This behavior is considered a moderate risk." }
(function() { /** * Requesting marketing service to process tealium events */ document.head.appendChild(Object.assign(document.createElement('script'), { src: 'https://www.dropbox.com/pithos/marketing_tracker_service', async: true })); })();
URL: https://docsend.com/view/e26uy3fst28mbkqm... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script checks if the current page is loaded from a local file ('file:' protocol) and if the 'presentationConfig.linkUrl' property is defined. If both conditions are true, it redirects the user to a 'docsend.com' URL constructed using the 'presentationConfig.linkUrl' value. This behavior is potentially concerning as it could lead to a redirect to an unknown or untrusted domain. However, the script does not exhibit any high-risk indicators like dynamic code execution or data exfiltration, so the overall risk is assessed as medium." }
window.presentationConfig = {"appendedPageNda":false,"bundleLinkUrl":null,"documentId":24855407,"documentType":"Document::ClassicDocumentVersion","isPageTrackable":true,"isPlayable":false,"isVertical":true,"linkUrl":"e26uy3fst28mbkqm","nda":false,"pageViewSeed":"CE2ooCIaoaK6Iy\/fgIldwg==","processing":false,"preview":false,"prompt":false,"visitUuid":"8b626eac-c222-459d-b253-6694b2bca5a7","isDropboxViewer":false,"message":null}; if (window.location.protocol == 'file:' && typeof window.presentationConfig.linkUrl != 'undefined') window.location.replace('https://docsend.com/view/' + window.presentationConfig.linkUrl);
URL: https://docsend.com/view/e26uy3fst28mbkqm... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet checks if the current window is an iframe and displays a 'Powered by Docsend' banner if that's the case. This behavior is likely a legitimate feature to indicate the source of the content and does not demonstrate any high-risk indicators." }
if (window.parent.location !== window.location) { // We only display the Powered by Docsend banner when in an iframe document.getElementById('presentation-privacy-policy_right').style.display = 'flex'; }
URL: https://docsend.com/view/e26uy3fst28mbkqm... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a configuration object containing various settings and environment variables for the DocSend application. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The snippet is likely used for legitimate purposes, such as configuring the application's behavior and settings. While it uses some legacy practices like the `XDomainRequest` API, the overall risk is low." }
window.ENV = {"ARKOSE_LOGIN_PUBLIC_KEY":"F758DB58-45F1-4C2B-B345-7BB881B04A85","ARKOSE_SIGNUP_PUBLIC_KEY":"A87E7BAF-83FE-4058-AE4E-EAC560C82F5D","ASSET_HOST":"https:\/\/assets.docsend.com","AWS_MAX_FILE_SIZE":2147483647,"BASE_URL":"https:\/\/docsend.com","CODE_OWNER":"prism","COMMIT_SHA":"5a39cb80e9b2390cbe03d7e04b69c2081d875131","CURRENT_USER_INFO":{"canManage":false,"defaultWatermarkSettings":{},"email":null,"features":[],"id":null,"gid":null,"name":null,"publishableSessionId":"8c9fe639-7ca2-4b54-b6a5-ee78c4a969f6","signedIn":false,"source":null,"statsigUser":null,"statsigExperiments":null,"teamRoleName":null,"company":{"id":null,"activeNdas":[],"hasDefaultWatermarkSettings":false,"isTrialing":null,"planName":null}},"DISABLED_JQUERY_PATCHES":null,"DROPBOX_OAUTH_DOWN":null,"ENABLED_FEATURES":["monetization_adr_upsell","platform_disable_bugsnag_for_backend","platform_delete_4_real","platform_disable_bugsnag_for_frontend","water_pdf_encoding_in_riviera","water_sync_dropbox_webhook","monetization_skip_stripe_trial","space_analytics_visit_filter","monetization_stripe_scientist","growth_new_sign_up_modal","growth_1tap","water_pdf_encoding_in_elaine"],"DISABLED_FEATURES":["prism_vis23_dark_mode","test_blackbird_job_doc_groups","space_analytics_frontend","disable_full_contact","bundle_index_downloads","super_admin_company","temp_folders_force_load_top_level","space_groups","water_force_watermarking_in_elaine","comet_space_visit_tracking","comet_space_presentation_rebuild","prism_share_settings","admin_environment_banner"],"ENABLE_DATADOG":true,"ENABLE_PSEUDO_LOCALE_BACKEND":false,"GOOGLE_APP_ID":"264507476144-ol0lje55ulhdp97dip7narg4hjicb299.apps.googleusercontent.com","GTM_ID":"GTM-5VPH2V","HEROKU_APP_NAME":"docsend","HEROKU_RELEASE_VERSION":"v5024","HEROKU_SLUG_COMMIT":"5a39cb80e9b2390cbe03d7e04b69c2081d875131","IMAGE_MIMETYPES":["image\/x-raw-hasselblad","application\/illustrator","image\/x-raw-sony","image\/bmp","image\/x-raw-canon","image\/x-raw-canon","application\/x-director","image\/x-raw-kodak","image\/x-raw-adobe","image\/vnd.dwg","image\/x-raw-epson","image\/gif","image\/heic","image\/jpeg","image\/jpeg","image\/x-raw-kodak","image\/x-raw-mamiya","image\/x-raw-leaf","image\/x-raw-minolta","image\/x-raw-nikon","image\/x-raw-nikon","image\/x-raw-olympus","image\/x-raw-pentax","image\/png","application\/vnd.google-apps.drawing","application\/vnd.google-apps.photo","image\/x-portable-pixmap","image\/vnd.adobe.photoshop","image\/x-raw-red","image\/x-raw-fuji","image\/x-raw-panasonic","image\/x-raw-sony","image\/svg+xml","image\/svg+xml","image\/tiff","image\/tiff","image\/vnd.wap.wbmp","image\/webp","image\/x-raw-sigma"],"INTERCOM_APP_ID":"lv6lji7h","LOAD_SPRIG":false,"LOCALE":"en","MAX_SIZES_BY_EXTENSION":{"3g2":2147483648,"3gp":2147483648,"3gpp":2147483648,"3gpp2":2147483648,"asf":2147483648,"avi":2147483648,"dv":2147483648,"m2t":2147483648,"m2ts":2147483648,"m4v":2147483648,"mkv":2147483648,"mov":2147483648,"mp4":2147483648,"mpeg":2147483648,"mpg":2147483648,"mts":2147483648,"ogv":2147483648,"rm":2147483648,"ts":2147483648,"vob":2147483648,"webm":2147483648,"wma":2147483648,"wmv":2147483648,"aac":2147483648,"aif":2147483648,"aiff":2147483648,"flac":2147483648,"m4a":2147483648,"m4r":2147483648,"mp3":2147483648,"oga":2147483648,"ogg":2147483648,"wav":2147483648,"3fr":524288000,"ai":524288000,"arw":524288000,"bmp":524288000,"cr2":524288000,"crw":524288000,"dcr":524288000,"dcs":524288000,"dng":524288000,"dwg":524288000,"erf":524288000,"gif":524288000,"heic":524288000,"jpeg":524288000,"jpg":524288000,"kdc":524288000,"mef":524288000,"mos":524288000,"mrw":524288000,"nef":524288000,"nrw":524288000,"orf":524288000,"pef":524288000,"png":524288000,"ppm":524288000,"psd":1073741824,"r3d":524288000,"raf":524288000,"rw2":524288000,"rwl":524288000,"sr2":524288000,"svg":50331648,"svgz":524288000,"tif":838860800,"tiff":838860800,"wbmp":524288000,"webp":524288000,"x3f":524288000,"csv":41943040,"xls":41943040,"xlsx":41943040,"xlsm":41943040,"ods"
URL: file:///C:/Users/user/Desktop/Remittance.html... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script has a moderate-risk indicator for redirecting to an external domain (DocsEnd) based on the `linkUrl` parameter in the `presentationConfig` object. However, this behavior is likely intended for legitimate document viewing functionality, and the script does not exhibit any high-risk indicators like dynamic code execution or data exfiltration. Some additional context around the purpose and origin of the script would be needed to further assess the risk." }
window.presentationConfig = {"appendedPageNda":false,"bundleLinkUrl":null,"documentId":24855407,"documentType":"Document::ClassicDocumentVersion","isPageTrackable":true,"isPlayable":false,"isVertical":true,"linkUrl":"e26uy3fst28mbkqm","nda":false,"pageViewSeed":"3KooqGwa6XA4cgFwNT\/d3Q==","processing":false,"preview":false,"prompt":false,"visitUuid":"92810e0d-eae2-4a8f-bb20-0d1da918cb81","isDropboxViewer":false,"message":null}; if (window.location.protocol == 'file:' && typeof window.presentationConfig.linkUrl != 'undefined') window.location.replace('https://docsend.com/view/' + window.presentationConfig.linkUrl);
URL: https://cfl.dropboxstatic.com/static/metaserver/st... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript snippet appears to be a part of the Dropbox Pithos library, which is a legitimate analytics and consent management tool. The code does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or redirects to malicious domains. It primarily handles cookie-related operations, including creating and managing consent-related cookies, which is a common practice for compliance with privacy regulations like CCPA. The code follows standard practices and does not raise any major security concerns." }
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds\|\|{},e._sentryDebugIds[n]="ac93bdc2-e788-343e-8057-9156977ca194")}catch(e){}}(); (() => {const define = dbxPithosConfig._define, require = dbxPithosConfig._require; define((()=>(()=>{"use strict";var e={422:(e,t,o)=>{o.r(t),o.d(t,{AllCookies:()=>S,CCPA_TOKEN_COOKIE_NAME:()=>i,COOKIE_ATTR_NAME_DOMAIN:()=>c,COOKIE_ATTR_NAME_EXPIRES:()=>l,COOKIE_ATTR_NAME_MAX_AGE:()=>g,COOKIE_ATTR_NAME_PATH:()=>d,COOKIE_ATTR_NAME_SAMESITE:()=>p,COOKIE_ATTR_NAME_SECURE:()=>u,COOKIE_ATTR_VALUE_SAMESITE_NONE:()=>h,ConsentCookieStore:()=>N,CookieCategory:()=>k,DNS_COOKIE_DEV_PREFIX:()=>r,DNS_COOKIE_NAME:()=>a,PRIVACY_CONSENT_COOKIE_NAMES:()=>w,SHADOW_COOKIE_NAME:()=>n,createCookieStr:()=>A,defaultCookieCategoriesMap:()=>m,getAllCookiePairs:()=>C,getAllowedCategories:()=>O,getCookieStr:()=>v,isDropboxCookieName:()=>f});const n="__Secure-dbx_consent",i="__Secure-dbx_ccpa_token",a="__Secure-dbx_do_not_sell",r=a+"_dev_",s=12,c="Domain",d="Path",l="Expires",g="Max-Age",u="Secure",p="SameSite",h="None",w=new Set([n,a,i]),f=e=>!!w.has(e)\|\|!!e.startsWith(r),y="dropbox.com",_=6;function C(e){try{return String(document.cookie\|\|"").split(";").map((e=>e.split("="))).map((e=>e.length>1?e:["",e[0]])).map((e=>[e[0],e.slice(1).join("=")].map((e=>e.replace(/^[ \t]+\|[ \t]+$/g,""))))).map((([e,t])=>({name:e,value:t}))).filter((({name:t,value:o})=>t+o&&(void 0===e\|\|t===e)))}catch{return[]}}function v(e){return(C(e)[0]\|\|{name:e,value:""}).value}var b;!function(e){e[e.OptIn=1]="OptIn"}(b\|\|(b={}));const k={StrictlyNecessary:"strictly necessary",MarketingAdvertising:"general marketing and advertising",Analytics:"analytics",PerformanceFunctionality:"performance and functionality",SocialMediaAdvertising:"social media advertising"},S=Object.values(k),m={[k.StrictlyNecessary]:!0,[k.MarketingAdvertising]:!1,[k.Analytics]:!1,[k.PerformanceFunctionality]:!1,[k.SocialMediaAdvertising]:!1};function O(e){const t={...m};Object.entries(e).forEach((([e,o])=>{const n=e.toLowerCase();n in t&&(t[n]=o)}));const o=Object.keys(k),n=[];return o.forEach((e=>{t[k[e]]&&n.push(e)})),n}function A(e,t,o,n,i){const a={[c]:e,[d]:"/",[l]:n,[p]:i\|\|h,[u]:""},r=undefined;return[[t,JSON.stringify(o).replace(/[;]\|[^ -~]/g,(e=>"\\u"+(65536+e.charCodeAt(0)).toString(16).substring(1)))],...Object.keys(a).map((e=>[e,a[e]]))].map((([e,t])=>t?`${e}=${t}`:`${e}`)).join(";")}function E(e,t,o,n,i){f(t)&&(document.cookie=A(e,t,o,n,i))}const D={cookieDomain:y,consentDurationMonths:6};class N{constructor(e,t){const o={...D,...e};this.cookieDomain=o.cookieDomain,this.consentDurationMonths=o.consentDurationMonths,this.numDots=o.cookieDomain.split(".").length-1,this.log=t}getCookieCategories(){return Object.values(k)}hasUserInteracted(){var e;return!!(null===(e=this.getShadowCookie())\|\|void 0===e?void 0:e.userInteracted)}shadowCookieExists(){return!!this.getShadowCookie()}bakeShadowCookie(e){const t=new Date(e.expireDate).toUTCString();E(this.cookieDomain,n,e,t,h)}bakeDNSCookie(e){const t=new Date;t.setMonth(t.getMonth()+s);const o={optInToDNS:e,expireDate:t.toISOString()};E(this.cookieDomain,a,o,t.toUTCString())}bakeCCPATokenCookie(e){const t=new Date(e.expireDate).toUTCString();E(this.cookieDomain,i,e,t)}createShadowCookieValue(e,t=!1){const o=this.getShadowCookie();e=e\|\|(null==o?void 0:o.categories)\|\|m;const n=!!(null==o?void 0:o.userInteracted),i=undefined,a=!(!n&&t)&&(null==o?void 0:o.consentDate)?new Date(o.consentDate):new Date,r=new Date(a);return r.setMonth(a.getMonth()+this.consentDurationMonths),{consentType:b.OptIn,consentDate:a.toISOString(),expireDate:r.toISOString(),consentMonths:this.consentDurationMonths,categories:e,userInteracted:n\|\|t,numDots:this.numDots}}mapCookies(e){const t={...m};return Object.entries(e).forEach((([e,o])=>{var n;const i=e.toLowerCase();i in t?t[i]=o:null===(n=this.log)\|\|void 0===n\|\|n.logInvalidCookieCateg
URL: https://cfl.dropboxstatic.com/static/metaserver/st... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript snippet appears to be a legitimate script that is part of a privacy consent management system. It does not exhibit any high-risk behaviors such as dynamic code execution, data exfiltration, or redirects to malicious domains. The script is responsible for managing the display and behavior of a privacy consent banner or modal, which is a common and expected functionality for websites that need to comply with privacy regulations. The script uses standard DOM manipulation techniques and does not appear to be obfuscated or attempting to hide its purpose. Overall, this script is likely benign and poses a low risk." }
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds\|\|{},e._sentryDebugIds[n]="6fe042d4-68e9-311b-9246-b7758913d355")}catch(e){}}(); (() => {const define = dbxPithosConfig._define, require = dbxPithosConfig._require; /! For license information please see privacy_consent.bundle.js.LICENSE.txt / define((()=>(()=>{var e={495:(e,t,n)=>{"use strict";n.r(t),n.d(t,{default:()=>c});var r=n(338),o=n.n(r),i=n(77),a,s=n.n(i)()(o());s.push([e.id,"._ccpa-iframe_163y6_1{background-color:transparent;border:0;bottom:0;color-scheme:none;height:0;left:0;overflow:hidden;position:fixed;z-index:999999}._ccpa-iframe_163y6_1._banner-visible_163y6_13{bottom:24px;box-shadow:0 16px 32px 0 #0000001a;left:24px;width:600px}@media (max-width:648px){._ccpa-iframe_163y6_1._banner-visible_163y6_13{bottom:12px;left:12px;width:calc(100% - 24px)}}._ccpa-iframe_163y6_1:not(._banner-visible_163y6_13):not(._detailed-view-visible_163y6_33):not(._floating-button-visible_163y6_33){display:none;left:-1px}._ccpa-iframe_163y6_1._floating-button-visible_163y6_33{bottom:24px;height:32px;left:0;width:32px}@media (max-width:648px){._ccpa-iframe_163y6_1._floating-button-visible_163y6_33{bottom:12px}}._ccpa-iframe_163y6_1._detailed-view-visible_163y6_33{height:100%;width:100%}\n/# sourceMappingURL=privacy_consent.module.out.css.map /","",{version:3,sources:["webpack://./../js/privacy_consent/privacy_consent.module.css","webpack://./../js/privacy_consent/privacy_consent.module.out.css"],names:[],mappings:"AAAA,sBAMI,4BAA6B,CAL7B,QAAS,CAIT,QAAS,CAIT,iBAAkB,CANlB,QAAS,CACT,MAAO,CAIP,eAAgB,CANhB,cAAe,CAKf,cAGJ,CAEA,+CAQI,WAAY,CAHZ,kCAAmC,CAEnC,SAAU,CADV,WAGJ,CAEA,yBACI,+CAGI,WAAY,CADZ,SAAU,CADV,uBAGJ,CACJ,CAGA,mIAEI,YAAa,CADb,SAEJ,CAEA,wDAII,WAAY,CAFZ,WAAY,CACZ,MAAO,CAFP,UAIJ,CAEA,yBACI,wDACI,WACJ,CACJ,CAGA,sDACI,WAAY,CACZ,UACJ;ACrDA,yDAAyD",sourcesContent:[".ccpa-iframe {\n border: 0;\n position: fixed;\n height: 0;\n left: 0;\n bottom: 0;\n background-color: transparent;\n z-index: 999999;\n overflow: hidden;\n color-scheme: none; /* This allows the background to be transparent on 3rd party sites /\n}\n\n.ccpa-iframe.banner-visible {\n / The shadow needs to be placed on the iframe element itself to be seen otherwise,\n if placed on any child elements, it will but cut off since the iframe is sized exactly\n to the content - using hard-coded values for 3rd party where it isn't included /\n / stylelint-disable-next-line dig/var-recommended-colors /\n box-shadow: 0 16px 32px 0 #0000001a;\n width: 600px;\n left: 24px;\n bottom: 24px;\n}\n\n@media (max-width: 648px) {\n .ccpa-iframe.banner-visible {\n width: calc(100% - 24px); / Iframe width - inline padding of the banner /\n left: 12px;\n bottom: 12px;\n }\n}\n\n/ When the banner is hidden from the user move it outside of the viewport to exclude it from the ttvc measurement /\n.ccpa-iframe:not(.banner-visible):not(.detailed-view-visible):not(.floating-button-visible) {\n left: -1px;\n display: none;\n}\n\n.ccpa-iframe.floating-button-visible {\n width: 32px;\n height: 32px;\n left: 0;\n bottom: 24px;\n}\n\n@media (max-width: 648px) {\n .ccpa-iframe.floating-button-visible {\n bottom: 12px;\n }\n}\n\n/ the iframe should take up the entire viewport when the options modal is open */\n.ccpa-iframe.detailed-view-visible {\n height: 100%;\n width: 100%;\n}\n","._ccpa-iframe_163y6_1{background-color:transparent;border:0;bottom:0;color-scheme:none;height:0;left:0;overflow:hidden;position:fixed;z-index:999999}._ccpa-iframe_163y6_1._banner-visible_163y6_13{bottom:24px;box-shadow:0 16px 32px 0 #0000001a;left:24px;width:600px}@media (max-width:648px){._ccpa-iframe_163y6_1._banner-visible_163y6_13{bottom:12px;left:12px;width:calc(100% - 24px)}}._ccpa-iframe_163y6_1:not(._banner-visible_163y6_13
URL: https://cfl.dropboxstatic.com/static/metaserver/st... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The provided JavaScript snippet exhibits several behaviors that raise moderate security concerns. While it does not contain any high-risk indicators like dynamic code execution or data exfiltration, it does engage in external data transmission and uses fallback domains, which are considered moderate-risk indicators. Additionally, the code appears to be obfuscated, which adds to the overall risk. However, the script's intent seems to be related to analytics and telemetry, which mitigates the risk to some extent. Overall, this script requires further review due to its aggressive behavior and lack of transparency, warranting a medium-risk score." }
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds\|\|{},e._sentryDebugIds[n]="0dbdd186-8ca6-3d30-b50f-8b3c24587c26")}catch(e){}}(); (() => {const define = dbxPithosConfig._define, require = dbxPithosConfig._require; define((()=>(()=>{"use strict";var e={},t={},n;function i(n){var o=t[n];if(void 0!==o)return o.exports;var a=t[n]={id:n,exports:{}};return e[n](a,a.exports,i),a.exports}i.m=e,i.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return i.d(t,{a:t}),t},i.d=(e,t)=>{for(var n in t)i.o(t,n)&&!i.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:t[n]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,n)=>(i.f[n](e,t),t)),[])),i.u=e=>e+".bundle.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),n={},i.l=(e,t,o,a)=>{if(n[e])n[e].push(t);else{var r,s;if(void 0!==o)for(var l=document.getElementsByTagName("script"),c=0;c<l.length;c++){var d=l[c];if(d.getAttribute("src")==e){r=d;break}}r\|\|(s=!0,(r=document.createElement("script")).charset="utf-8",r.timeout=120,i.nc&&r.setAttribute("nonce",i.nc),r.src=e),n[e]=[t];var u=(t,i)=>{r.onerror=r.onload=null,clearTimeout(h);var o=n[e];if(delete n[e],r.parentNode&&r.parentNode.removeChild(r),o&&o.forEach((e=>e(i))),t)return t(i)},h=setTimeout(u.bind(null,void 0,{type:"timeout",target:r}),12e4);r.onerror=u.bind(null,r.onerror),r.onload=u.bind(null,r.onload),s&&document.head.appendChild(r)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://cfl.dropboxstatic.com/static/metaserver/static/pithos/",(()=>{var e={377:0};i.f.j=(t,n)=>{var o=i.o(e,t)?e[t]:void 0;if(0!==o)if(o)n.push(o[2]);else{var a=new Promise(((n,i)=>o=e[t]=[n,i]));n.push(o[2]=a);var r=i.p+i.u(t),s=new Error,l=n=>{if(i.o(e,t)&&(0!==(o=e[t])&&(e[t]=void 0),o)){var a=n&&("load"===n.type?"missing":n.type),r=n&&n.target&&n.target.src;s.message="Loading chunk "+t+" failed.\n("+a+": "+r+")",s.name="ChunkLoadError",s.type=a,s.request=r,o[1](s)}};i.l(r,l,"chunk-"+t,t)}};var t=(t,n)=>{var[o,a,r]=n,s,l,c=0;if(o.some((t=>0!==e[t]))){for(s in a)i.o(a,s)&&(i.m[s]=a[s]);if(r)var d=r(i)}for(t&&t(n);c<o.length;c++)l=o[c],i.o(e,l)&&e[l]&&e[l][0](),e[l]=0},n=self.pithos=self.pithos\|\|[];n.forEach(t.bind(null,0)),n.push=t.bind(null,n.push.bind(n))})(),i.nc=void 0;var o={};i.r(o);const a=(()=>{let e,t;const n=[];for(e=0,t=e;e<=255;e++,t=e)n.push((t+256).toString(16).substr(1));return n})();function r(e){return e.map((e=>a[e])).join("")}const s={getRandomBytes(){const e=new Uint8Array(16);return window.crypto&&window.crypto.getRandomValues(e),e},v4(){var e;if(null===(e=window.crypto)\|\|void 0===e?void 0:e.randomUUID)return window.crypto.randomUUID();const t=this.getRandomBytes();t[6]=15&t[6]\|64,t[8]=63&t[8]\|128;const n=Array.prototype.slice.call(t);return[n.slice(0,4),n.slice(4,6),n.slice(6,8),n.slice(8,10),n.slice(10,16)].map(r).join("-")}},l=10;function c(){try{return window.self!==window.top}catch(e){return!0}}const d=()=>location.hostname.split(".").slice(-2).join("."),u=()=>"dropbox.com"===d(),h=()=>!!u()\|\|("docsend.com"===d()\|\|("dash.ai"===d()\|\|("dropboxforum.com"===d()\|\|("webflow.io"===d()\|\|"app.hellosign.com"===location.hostname)))),m=e=>{const t=undefined,n=undefined,i=undefined,o=undefined,a=undefined,r=undefined,s=undefined;return{element_id:e.getAttribute("data-uxa-log"),tag_name:e.tagName.toLowerCase(),entity_id:e.getAttribute("data-uxa-entity-id"),trace_id:e.getAttribute("data-uxa-trace-id"),element_rank:p(e),untrusted_raw_variant:e.getAttribute("data-uxa-untrusted-raw-variant"),hierarchy_group:g(e)}},g=e=>{let t=0,n=e;for(;n&&t<l;){const e=n.getAttribute("data-uxa-hierarchy-group");if(e)return e;n=n.parentElement,t++}return null},f=()=>document.body.getAttribute("data-uxa-hierarchy-group"),p=e=>{const t=e.nodeName.toLowerCase(),n=e.getAttribute("data-uxa-log"),i=documen
URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://docsend.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://docsend.com
URL: https://cfl.dropboxstatic.com/static/metaserver/st... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The provided JavaScript snippet appears to be a part of a larger application or framework, potentially related to analytics or marketing tracking functionality. While it does not exhibit any clear high-risk behaviors, there are some moderate-risk indicators that warrant further review: 1. External Data Transmission (+2 points): The script appears to be sending data to external domains, which could potentially include user information or other sensitive data. 2. Fallback Domains (+2 points): The script mentions the use of multiple fallback domains, some of which may be of unknown or dubious reputation. 3. Aggressive DOM Manipulation (+2 points): The script seems to be repeatedly altering or clearing the DOM, which could be an indication of more complex or potentially problematic behavior. Additionally, the script is using some legacy practices, such as the `XDomainRequest` API, which poses a minor risk (+1 point). However, the script also exhibits some behaviors that suggest a legitimate purpose, such as analytics or marketing tracking functionality. Therefore, the final risk score is adjusted downward to account for this context. Overall, this script requires further review and analysis to determine the full extent of its functionality and potential risks. It falls into the 'Medium Risk' category, and additional investigation is recommended to ensure the security and privacy of the application." }
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds\|\|{},e._sentryDebugIds[n]="bf4b4b9b-b6e2-35d8-a17c-b42b4cae60e7")}catch(e){}}(); (() => {const define = dbxPithosConfig._define, require = dbxPithosConfig._require; define((()=>(()=>{"use strict";var e={d:(t,n)=>{for(var o in n)e.o(n,o)&&!e.o(t,o)&&Object.defineProperty(t,o,{enumerable:!0,get:n[o]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t),r:e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})}},t={};e.r(t),e.d(t,{marketingTracker:()=>ve});let n="production";function o(e){n=e}function i(e,t,o={}){if(e)return;"production"!==n&&alert(`Assertion Error: ${t}`);const i=new Error(`Assertion Error: ${t}`),{tags:r=[],exc_extra:a=null}=o;throw i.assertOptions={tags:r.concat("module:exception","assert"),exc_extra:a},i.isAssertion=!0,i}const r=void 0!==self&&self?self:window;r._DBX_UXA_GLOBAL=r._DBX_UXA_GLOBAL\|\|{};const a=r._DBX_UXA_GLOBAL,s="undefined"!=typeof self&&self?self:window;function c(e){const t=undefined;(s._DBX_UXA_bufferedClosures=s._DBX_UXA_bufferedClosures\|\|[]).push(e),l()}function u(){s._DBX_UXA_isUxaListening=!0,l()}function l(){if(!s._DBX_UXA_isUxaListening)return;const e=s._DBX_UXA_bufferedClosures=s._DBX_UXA_bufferedClosures\|\|[],t=[...e];e.length=0;for(const e of t)e()}function d(){s._DBX_UXA_isUxaListening=void 0,s._DBX_UXA_bufferedClosures=void 0;try{delete s._DBX_UXA_isUxaListening,delete s._DBX_UXA_bufferedClosures}catch(e){}}var g;!function(e){e.BASE="BASE",e.TOP_FRAME="TOP_FRAME",e.CLIENT="CLIENT",e.NEED_TO_DEFINE="NEED_TO_DEFINE"}(g\|\|(g={}));const h=(e,t=g.NEED_TO_DEFINE)=>{a.logToMarketingTracker\|\|(a.logToMarketingTracker=e,c((()=>{const e={eventType:"marketingTrackerReadyForUxa",extra:{marketing_tracker_inclusion_method:t}};return window.dispatchEvent(new CustomEvent("marketing_tracker_ready_for_uxa",{detail:e}))})))},_=(e,t)=>{t.uxa_event_type=e,DBX_UXA_GLOBAL.marketingTrackerLoggingQueue=DBX_UXA_GLOBAL.marketingTrackerLoggingQueue\|\|[],DBX_UXA_GLOBAL.marketingTrackerLoggingQueue.push(t)},m=()=>{if(void 0===DBX_UXA_GLOBAL.marketingTrackerLoggingQueue\|\|void 0===DBX_UXA_GLOBAL.logToMarketingTracker)return;let e;for(;(e=DBX_UXA_GLOBAL.marketingTrackerLoggingQueue.shift())&&void 0!==e;)DBX_UXA_GLOBAL.logToMarketingTracker(e)};function f(){DBX_UXA_GLOBAL.marketingTrackerLoggingQueue=void 0,DBX_UXA_GLOBAL.logToMarketingTracker=void 0;try{delete DBX_UXA_GLOBAL.marketingTrackerLoggingQueue,delete DBX_UXA_GLOBAL.logToMarketingTracker}catch(e){}}const p="__Secure-dbx_consent",k="__Secure-dbx_ccpa_token",v="__Secure-dbx_do_not_sell",y=v+"_dev_",C=12,w="Domain",D="Path",b="Expires",T="Max-Age",S="Secure",A="SameSite",E="None",O=new Set([p,v,k]),L=e=>!!O.has(e)\|\|!!e.startsWith(y),x="dropbox.com",X=6;function B(e){try{return String(document.cookie\|\|"").split(";").map((e=>e.split("="))).map((e=>e.length>1?e:["",e[0]])).map((e=>[e[0],e.slice(1).join("=")].map((e=>e.replace(/^[ \t]+\|[ \t]+$/g,""))))).map((([e,t])=>({name:e,value:t}))).filter((({name:t,value:n})=>t+n&&(void 0===e\|\|t===e)))}catch{return[]}}function U(e){return(B(e)[0]\|\|{name:e,value:""}).value}var M;!function(e){e[e.OptIn=1]="OptIn"}(M\|\|(M={}));const N={StrictlyNecessary:"strictly necessary",MarketingAdvertising:"general marketing and advertising",Analytics:"analytics",PerformanceFunctionality:"performance and functionality",SocialMediaAdvertising:"social media advertising"},j=Object.values(N),I={[N.StrictlyNecessary]:!0,[N.MarketingAdvertising]:!1,[N.Analytics]:!1,[N.PerformanceFunctionality]:!1,[N.SocialMediaAdvertising]:!1};function P(e){const t={...I};Object.entries(e).forEach((([e,n])=>{const o=e.toLowerCase();o in t&&(t[o]=n)}));const n=Object.keys(N),o=[];return n.forEach((e=>{t[N[e]]&&o.push(e)})),o}function G(e,t,n,o,i){const r={[w]:e,[D]:"/",[b]:o,[A]:i\|\|E,
URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "CLICK HERE TO ACCESS DOCUMENT", "prominent_button_name": "CLICK HERE TO ACCESS DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "CLICK HERE TO ACCESS DOCUMENT", "prominent_button_name": "CLICK HERE TO ACCESS DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "brands": [ "Dropbox" ] }
	{ "brands": [ "Dropbox" ] }
URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "brands": [ "Dropbox", "Microsoft" ] }
	{ "brands": [ "Dropbox", "Microsoft" ] }
URL: https://docsend.com/view/e26uy3fst28mbkqm Model: Joe Sandbox AI	{ "brands": [ "Dropbox", "Microsoft" ] }
	{ "brands": [ "Dropbox", "Microsoft" ] }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 08:19:21 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.973665069940376
Encrypted:	false
SSDEEP:
MD5:	042A7E1F19CFFA43160EF3ADBFB0BC05
SHA1:	583B8EEA8F99F41FE56F43C0AB2CC1DA6FCE1C9B
SHA-256:	5F641BBCAFF20867188A8CBA320D9F0FFF529839ADDD95648E728FCF6802CCCD
SHA-512:	49A78454BFA70F8053D346212DCEAF17843DAC58916382B567E21647E5B0AE43DB0B08E37880DD4CFD3F8B85886D173BB6F6763A009E9A7B0754E48B70054468
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....C.aeef..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Z]J....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZjJ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZjJ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZjJ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZkJ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.>......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	HTML document, ASCII text, with very long lines (5296), with CRLF line terminators
Entropy (8bit):	5.563227452503508
TrID:	HyperText Markup Language (13003/1) 100.00%
File name:	Remittance.html
File size:	35'115 bytes
MD5:	28b42b717dc1acb68070ab812d597aef
SHA1:	d9b4ffaf00bf0d79f18a7d901a37030a3aa3076d
SHA256:	2f81523ae9072f48bb6cc8bf66f3f24fd69821a55275c37710ce80af41264a01
SHA512:	eb93adad80f3ead9180e53fbdc57ea0416bc9549d3e58e9faa31d7dab7f2a6edfc3366ab8b76e8d5051e4c7350550583d5fcab9cf1f357dd3876fd7d6f56f066
SSDEEP:	384:VPuiuEcVM4sr0uIQfAEpHgkPW2eaQC/rCbPYDSxgrZFKFAPcFQbefIxPIW+Sq+Op:V9uDVM4PmpAOWi/r1XKFAPcFBAyHJl
TLSH:	37F2D7B298341C3B0F6B52F9F1523F89F10BE246CB83D6E011E9439B97D0E62A65F119
File Content Preview:	..<!DOCTYPE html>..<html lang='en'>..<head>..<meta charset='utf-8'>..<title>..DocSend..</title>..<meta content='DocSend helps salespeople communicate more effectively by reporting back in real time how prospects engage with sales collateral & proposal

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Remittance.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1545330463\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_1765810443\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\_platform_specific\win_x64\widevinecdm.dll.sig

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_794314149\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6812_889639738\manifest.json

Chrome Cache Entry: 173

Chrome Cache Entry: 175

Chrome Cache Entry: 176

Chrome Cache Entry: 177

Chrome Cache Entry: 179

Chrome Cache Entry: 181

Chrome Cache Entry: 182

Chrome Cache Entry: 184

Chrome Cache Entry: 185

Chrome Cache Entry: 187

Windows Analysis Report
Remittance.html