Edit tour

Windows Analysis Report
https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA

Overview

General Information

Sample URL:	https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA
Analysis ID:	1644040
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

Phishing site or detected (based on various text indicators)

Creates files inside the system directory

Deletes files inside the Windows folder

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4796 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6259043399304128305,15716538276182732247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2364 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Joe Sandbox Signatures

• Phishing
• Networking
• System Summary
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://sincere-squid.slides.website/documentation-project-202503

Joe Sandbox AI: Score: 9 Reasons: The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'., The URL 'sincere-squid.slides.website' does not match the legitimate domain for Adobe., The domain uses a generic and unrelated name 'sincere-squid' which is not associated with Adobe., The domain extension '.website' is unusual for a well-known brand like Adobe, which typically uses '.com'., The presence of an input field asking for an email on a non-legitimate domain is a common phishing tactic. DOM: 1.4.pages.csv

AI detected landing page (webpage, office document or email)

Source: https://scribehow.com/page/Adobe_PDF_Document___Heb44GIjSfq2CGzJcxhYmA

Joe Sandbox AI: Page contains button: 'PRINT | PREVIEW DOCUMENT HERE' Source: '0.0.pages.csv'

AI detected suspicious Javascript

Source: 1.67..script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://sincere-squid.slides.website/documentation... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated URLs. The script decodes a URL that appears to be sending user email data to an external domain, which is a strong indicator of malicious intent. Additionally, the use of the `window.location.href` redirect suggests the script may be attempting to redirect users to a malicious site. Overall, the combination of these behaviors indicates a high-risk script that should be further investigated.

Phishing site or detected (based on various text indicators)

Source: Chrome DOM: 0.3	OCR Text: Scribe Adobe PDF Document Adobe You've received a secure document file Kindly follow the link below to view large pdf file Scanned from MFP14017313 Date:03/20'2025 Pages: 10 Resolution:300x300 DPI PRINTIPREVIEWDOCUMENT HERE
Source: Chrome DOM: 0.0	OCR Text: Adobe PDF Document PRINT I PREVIEW DOCUMENT HERE
Source: Chrome DOM: 0.2	OCR Text: Scribe Adobe PDF Document Adobe You've received a secure document file Kindly follow the link below to view large pdf file Scanned from MFP14017313 Date :03/20'2025 Pages: 10 Resolution:300x300 DPI PRINTIPREVIEWDOCUMENT HERE

Source: https://sincere-squid.slides.website/documentation-project-202503

HTTP Parser: Number of links: 0

Source: https://scribehow.com/page/Adobe_PDF_Document___Heb44GIjSfq2CGzJcxhYmA

HTTP Parser: Base64 decoded: {"version":3,"sources":["webpack://./src/components/IframeWrapper.css"],"names":[],"mappings":"AAAA,uBAEE,YAAa,CACb,iBAAkB,CAClB,qBACF,CAEA,sCACE,oBACF,CAEA,qCACE,mCAAyC,CAEzC,QAAS,CADT,iBAAkB,CAElB,aAAc,CACd,cAAe,CACf,4BAA8B,CAC9B,cAAe,CACf,eAAmB,CACnB,W...

Source: https://sincere-squid.slides.website/documentation-project-202503

HTTP Parser: Title: Adone Document does not match URL

Source: https://scribehow.com/page/Adobe_PDF_Document___Heb44GIjSfq2CGzJcxhYmA

HTTP Parser: No favicon

Source: https://sincere-squid.slides.website/documentation-project-202503

HTTP Parser: No <meta name="author".. found

Source: https://sincere-squid.slides.website/documentation-project-202503

HTTP Parser: No <meta name="copyright".. found

Source: chromecache_220.2.dr	String found in binary or memory: Math.round(q);u["gtm.videoElapsedTime"]=Math.round(f);u["gtm.videoPercent"]=r;u["gtm.videoVisible"]=t;return u},Sk:function(){e=sb()},Md:function(){d()}}};var bc=wa(["data-gtm-yt-inspected-"]),LG=["www.youtube.com","www.youtube-nocookie.com"],MG,NG=!1; equals www.youtube.com (Youtube)
Source: chromecache_220.2.dr	String found in binary or memory: if(!(f\|\|g\|\|k\|\|m.length\|\|n.length))return;var q={Wh:f,Uh:g,Vh:k,Di:m,Ei:n,qf:p,Rb:e},r=z.YT;if(r)return r.ready&&r.ready(d),e;var t=z.onYouTubeIframeAPIReady;z.onYouTubeIframeAPIReady=function(){t&&t();d()};E(function(){for(var v=A.getElementsByTagName("script"),u=v.length,w=0;w<u;w++){var x=v[w].getAttribute("src");if(WG(x,"iframe_api")\|\|WG(x,"player_api"))return e}for(var y=A.getElementsByTagName("iframe"),B=y.length,C=0;C<B;C++)if(!NG&&UG(y[C],q.qf))return tc("https://www.youtube.com/iframe_api"), equals www.youtube.com (Youtube)
Source: chromecache_238.2.dr	String found in binary or memory: inline:{css:1},disableRealtimeCallback:!1,drive_share:{skipInitCommand:!0},csi:{rate:.01},client:{cors:!1},signInDeprecation:{rate:0},include_granted_scopes:!0,llang:"en",iframes:{youtube:{params:{location:["search","hash"]},url:":socialhost:/:session_prefix:_/widget/render/youtube?usegapi=1",methods:["scroll","openwindow"]},ytsubscribe:{url:"https://www.youtube.com/subscribe_embed?usegapi=1"},plus_circle:{params:{url:""},url:":socialhost:/:session_prefix::se:_/widget/plus/circle?usegapi=1"}, equals www.youtube.com (Youtube)
Source: chromecache_162.2.dr	String found in binary or memory: return function(a,b,c,d){var e={exports:{}};e.exports;(function(){"use strict";var b=f.getFbeventsModules("signalsFBEventsGetTier"),c=d();function d(){try{if(a.trustedTypes&&a.trustedTypes.createPolicy){var b=a.trustedTypes;return b.createPolicy("facebook.com/signals/iwl",{createScriptURL:function(b){var c=typeof a.URL==="function"?a.URL:a.webkitURL;c=new c(b);c=c.hostname.endsWith(".facebook.com")&&c.pathname=="/signals/iwl.js";if(!c)throw new Error("Disallowed script URL");return b}})}}catch(a){}return null}e.exports=function(a,d){d=b(d);d=d==null?"www.facebook.com":"www."+d+".facebook.com";d="https://"+d+"/signals/iwl.js?pixel_id="+a;if(c!=null)return c.createScriptURL(d);else return d}})();return e.exports}(a,b,c,d)}); equals www.facebook.com (Facebook)
Source: chromecache_162.2.dr	String found in binary or memory: return function(f,b,c,d){var e={exports:{}};e.exports;(function(){"use strict";var a=/^https:\/\/www\.([A-Za-z0-9\.]+)\.facebook\.com\/tr\/?$/,b=["https://www.facebook.com/tr","https://www.facebook.com/tr/"];e.exports=function(c){if(b.indexOf(c)!==-1)return null;var d=a.exec(c);if(d==null)throw new Error("Malformed tier: "+c);return d[1]}})();return e.exports}(a,b,c,d)}); equals www.facebook.com (Facebook)
Source: chromecache_162.2.dr	String found in binary or memory: return function(f,g,h,i){var j={exports:{}};j.exports;(function(){"use strict";var a={ENDPOINT:"https://www.facebook.com/tr/",INSTAGRAM_TRIGGER_ATTRIBUTION:"https://www.instagram.com/tr/",AEM_ENDPOINT:"https://www.facebook.com/.well-known/aggregated-event-measurement/",GPS_ENDPOINT:"https://www.facebook.com/privacy_sandbox/pixel/register/trigger/",TOPICS_API_ENDPOINT:"https://www.facebook.com/privacy_sandbox/topics/registration/"};j.exports=a})();return j.exports}(a,b,c,d)}); equals www.facebook.com (Facebook)
Source: chromecache_185.2.dr, chromecache_217.2.dr	String found in binary or memory: return f}JG.K="internal.enableAutoEventOnTimer";var bc=wa(["data-gtm-yt-inspected-"]),LG=["www.youtube.com","www.youtube-nocookie.com"],MG,NG=!1; equals www.youtube.com (Youtube)
Source: chromecache_185.2.dr	String found in binary or memory: var YF=function(a,b,c,d,e){var f=UC("fsl",c?"nv.mwt":"mwt",0),g;g=c?UC("fsl","nv.ids",[]):UC("fsl","ids",[]);if(!g.length)return!0;var k=ZC(a,"gtm.formSubmit",g),m=a.action;m&&m.tagName&&(m=a.cloneNode(!1).action);Q(121);if(m==="https://www.facebook.com/tr/")return Q(122),!0;k["gtm.elementUrl"]=m;k["gtm.formCanceled"]=c;a.getAttribute("name")!=null&&(k["gtm.interactedFormName"]=a.getAttribute("name"));e&&(k["gtm.formSubmitElement"]=e,k["gtm.formSubmitElementText"]=e.value);if(d&&f){if(!HB(k,JB(b, equals www.facebook.com (Facebook)

Source: chromecache_227.2.dr	String found in binary or memory: http://greensock.com
Source: chromecache_227.2.dr	String found in binary or memory: http://greensock.com/standard-license
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/button
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/fedcm.json
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/fedcmcsp?client_id=
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/iframe/select
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/log
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/revoke
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/select
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/status
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/gsi/style
Source: chromecache_238.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_159.2.dr, chromecache_238.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/iframe
Source: chromecache_238.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_159.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth
Source: chromecache_220.2.dr	String found in binary or memory: https://adservice.google.com/pagead/regclk?
Source: chromecache_156.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js
Source: chromecache_219.2.dr	String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: chromecache_238.2.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_238.2.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_153.2.dr	String found in binary or memory: https://assets.ubembed.com/universalscript/releases/v0.183.0/bundle.js
Source: chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: chromecache_238.2.dr	String found in binary or memory: https://classroom.google.com/sharewidget?usegapi=1
Source: chromecache_238.2.dr	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/widget/backdrop?usegapi=1
Source: chromecache_238.2.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_212.2.dr, chromecache_205.2.dr	String found in binary or memory: https://colony-recorder.s3.amazonaws.com/files/2025-03-20/36e713c9-47ba-42d0-b210-6d01fc55ba35/media
Source: chromecache_162.2.dr	String found in binary or memory: https://connect.facebook.net/
Source: chromecache_185.2.dr	String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: chromecache_162.2.dr	String found in binary or memory: https://connect.facebook.net/log/fbevents_telemetry/
Source: chromecache_238.2.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_238.2.dr	String found in binary or memory: https://dataconnector.corp.google.com/:session_prefix:ui/widgetview?usegapi=1
Source: chromecache_156.2.dr	String found in binary or memory: https://designmodo.com/slides/app/integrations/
Source: chromecache_159.2.dr	String found in binary or memory: https://developers.google.com/identity/gsi/web/guides/fedcm-migration
Source: chromecache_159.2.dr	String found in binary or memory: https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#cross_origin)
Source: chromecache_159.2.dr	String found in binary or memory: https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#display_moment
Source: chromecache_159.2.dr	String found in binary or memory: https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#skipped_moment
Source: chromecache_238.2.dr	String found in binary or memory: https://drive.google.com/savetodrivebutton?usegapi=1
Source: chromecache_238.2.dr	String found in binary or memory: https://families.google.com/webcreation?usegapi=1&usegapi=1
Source: chromecache_156.2.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Material
Source: chromecache_156.2.dr	String found in binary or memory: https://fonts.gstatic.com/
Source: chromecache_207.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialicons/v143/flUhRq6tzZclQEJ-Vdg-IuiaDsNc.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwRs572Xtc6ZYQws9YVwnNGfJ4.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwRs572Xtc6ZYQws9YVwnNIfJ7Cww.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwRs572Xtc6ZYQws9YVwnNJfJ7Cww.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwTs572Xtc6ZYQws9YVwnNDTJLax9k0.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwTs572Xtc6ZYQws9YVwnNDTJPax9k0.woff2)
Source: chromecache_171.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/publicsans/v18/ijwTs572Xtc6ZYQws9YVwnNDTJzaxw.woff2)
Source: chromecache_194.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sora/v12/xMQbuFFYT72XzQUpDg.woff2)
Source: chromecache_194.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sora/v12/xMQbuFFYT72XzQspDre2.woff2)
Source: chromecache_185.2.dr	String found in binary or memory: https://github.com/krux/postscribe/blob/master/LICENSE.
Source: chromecache_220.2.dr	String found in binary or memory: https://google.com
Source: chromecache_220.2.dr	String found in binary or memory: https://googleads.g.doubleclick.net
Source: chromecache_162.2.dr	String found in binary or memory: https://gw.conversionsapigateway.com
Source: chromecache_159.2.dr	String found in binary or memory: https://meet.google.com
Source: chromecache_159.2.dr	String found in binary or memory: https://oauth2.googleapis.com/revoke
Source: chromecache_220.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_238.2.dr	String found in binary or memory: https://pay.google.com/gp/v/widget/save
Source: chromecache_238.2.dr	String found in binary or memory: https://play.google.com/work/embedded/search?usegapi=1&usegapi=1
Source: chromecache_238.2.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_238.2.dr	String found in binary or memory: https://plus.googleapis.com
Source: chromecache_155.2.dr	String found in binary or memory: https://pqina.nl/pintura/license/
Source: chromecache_185.2.dr	String found in binary or memory: https://px.ads.linkedin.com/collect?
Source: chromecache_185.2.dr	String found in binary or memory: https://snap.licdn.com/li.lms-analytics/insight.min.js
Source: chromecache_238.2.dr	String found in binary or memory: https://ssl.gstatic.com/microscope/embed/
Source: chromecache_193.2.dr	String found in binary or memory: https://static.app/api/forms/store
Source: chromecache_156.2.dr	String found in binary or memory: https://static.app/js/static-forms.js
Source: chromecache_185.2.dr	String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: chromecache_220.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect
Source: chromecache_220.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect?v=2&
Source: chromecache_219.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: chromecache_219.2.dr	String found in binary or memory: https://tagassistant.google.com/
Source: chromecache_238.2.dr	String found in binary or memory: https://talkgadget.google.com/:session_prefix:talkgadget/_/widget
Source: chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	String found in binary or memory: https://td.doubleclick.net
Source: chromecache_238.2.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_185.2.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: chromecache_219.2.dr	String found in binary or memory: https://www.google-analytics.com/debug/bootstrap?id=
Source: chromecache_219.2.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: chromecache_219.2.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: chromecache_220.2.dr	String found in binary or memory: https://www.google.com
Source: chromecache_219.2.dr	String found in binary or memory: https://www.google.com/ads/ga-audiences
Source: chromecache_238.2.dr	String found in binary or memory: https://www.google.com/shopping/customerreviews/badge?usegapi=1
Source: chromecache_238.2.dr	String found in binary or memory: https://www.google.com/shopping/customerreviews/optin?usegapi=1
Source: chromecache_220.2.dr	String found in binary or memory: https://www.googleadservices.com
Source: chromecache_220.2.dr	String found in binary or memory: https://www.googletagmanager.com
Source: chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	String found in binary or memory: https://www.googletagmanager.com/a?
Source: chromecache_219.2.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	String found in binary or memory: https://www.googletagmanager.com/static/service_worker/
Source: chromecache_238.2.dr	String found in binary or memory: https://www.gstatic.com/partners/badge/templates/badge.html?usegapi=1
Source: chromecache_220.2.dr	String found in binary or memory: https://www.merchant-center-analytics.goog
Source: chromecache_220.2.dr	String found in binary or memory: https://www.youtube.com/iframe_api
Source: chromecache_238.2.dr	String found in binary or memory: https://www.youtube.com/subscribe_embed?usegapi=1

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir4500_1789444140

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir4500_1789444140

Jump to behavior

Source: classification engine

Classification label: mal60.phis.win@24/176@0/28

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6259043399304128305,15716538276182732247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2364 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6259043399304128305,15716538276182732247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2364 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://static.app/api/forms/store	0%	Avira URL Cloud	safe
http://greensock.com/standard-license	0%	Avira URL Cloud	safe
https://static.app/js/static-forms.js	0%	Avira URL Cloud	safe
https://pqina.nl/pintura/license/	0%	Avira URL Cloud	safe
http://greensock.com	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://scribehow.com/page/Adobe_PDF_Document___Heb44GIjSfq2CGzJcxhYmA	false		high
https://sincere-squid.slides.website/documentation-project-202503	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stats.g.doubleclick.net/g/collect	chromecache_220.2.dr	false		high
http://greensock.com/standard-license	chromecache_227.2.dr	false	Avira URL Cloud: safe	unknown
https://dataconnector.corp.google.com/:session_prefix:ui/widgetview?usegapi=1	chromecache_238.2.dr	false		high
https://ampcid.google.com/v1/publisher:getClientId	chromecache_219.2.dr	false		high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1	chromecache_238.2.dr	false		high
https://px.ads.linkedin.com/collect?	chromecache_185.2.dr	false		high
https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#skipped_moment	chromecache_159.2.dr	false		high
https://assets.ubembed.com/universalscript/releases/v0.183.0/bundle.js	chromecache_153.2.dr	false		high
https://www.google.com	chromecache_220.2.dr	false		high
https://www.youtube.com/iframe_api	chromecache_220.2.dr	false		high
https://www.google.com/shopping/customerreviews/badge?usegapi=1	chromecache_238.2.dr	false		high
https://developers.google.com/identity/gsi/web/guides/fedcm-migration	chromecache_159.2.dr	false		high
https://pay.google.com/gp/v/widget/save	chromecache_238.2.dr	false		high
https://meet.google.com	chromecache_159.2.dr	false		high
https://drive.google.com/savetodrivebutton?usegapi=1	chromecache_238.2.dr	false		high
https://connect.facebook.net/en_US/fbevents.js	chromecache_185.2.dr	false		high
https://github.com/krux/postscribe/blob/master/LICENSE.	chromecache_185.2.dr	false		high
https://www.google.com/shopping/customerreviews/optin?usegapi=1	chromecache_238.2.dr	false		high
https://stats.g.doubleclick.net/j/collect	chromecache_219.2.dr	false		high
https://apis.google.com	chromecache_238.2.dr	false		high
http://greensock.com	chromecache_227.2.dr	false	Avira URL Cloud: safe	unknown
https://classroom.google.com/sharewidget?usegapi=1	chromecache_238.2.dr	false		high
https://apis.google.com/js/api.js	chromecache_238.2.dr	false		high
https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#cross_origin)	chromecache_159.2.dr	false		high
https://googleads.g.doubleclick.net	chromecache_220.2.dr	false		high
https://tagassistant.google.com/	chromecache_219.2.dr	false		high
https://www.youtube.com/subscribe_embed?usegapi=1	chromecache_238.2.dr	false		high
https://colony-recorder.s3.amazonaws.com/files/2025-03-20/36e713c9-47ba-42d0-b210-6d01fc55ba35/media	chromecache_212.2.dr, chromecache_205.2.dr	false		high
https://static.hotjar.com/c/hotjar-	chromecache_185.2.dr	false		high
https://gw.conversionsapigateway.com	chromecache_162.2.dr	false		high
https://pqina.nl/pintura/license/	chromecache_155.2.dr	false	Avira URL Cloud: safe	unknown
https://cct.google/taggy/agent.js	chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	false		high
https://static.app/js/static-forms.js	chromecache_156.2.dr	false	Avira URL Cloud: safe	unknown
https://static.app/api/forms/store	chromecache_193.2.dr	false	Avira URL Cloud: safe	unknown
https://plus.google.com	chromecache_238.2.dr	false		high
https://clients3.google.com/cast/chromecast/home/widget/backdrop?usegapi=1	chromecache_238.2.dr	false		high
https://connect.facebook.net/	chromecache_162.2.dr	false		high
https://snap.licdn.com/li.lms-analytics/insight.min.js	chromecache_185.2.dr	false		high
https://designmodo.com/slides/app/integrations/	chromecache_156.2.dr	false		high
https://www.google.com/ads/ga-audiences	chromecache_219.2.dr	false		high
https://www.google.%/ads/ga-audiences	chromecache_219.2.dr	false		high
https://td.doubleclick.net	chromecache_185.2.dr, chromecache_217.2.dr, chromecache_220.2.dr	false		high
https://connect.facebook.net/log/fbevents_telemetry/	chromecache_162.2.dr	false		high
https://www.merchant-center-analytics.goog	chromecache_220.2.dr	false		high
https://stats.g.doubleclick.net/g/collect?v=2&	chromecache_220.2.dr	false		high
https://talkgadget.google.com/:session_prefix:talkgadget/_/widget	chromecache_238.2.dr	false		high
https://play.google.com/work/embedded/search?usegapi=1&usegapi=1	chromecache_238.2.dr	false		high
https://google.com	chromecache_220.2.dr	false		high
https://developers.google.com/identity/gsi/web/guides/fedcm-migration?s=dc#display_moment	chromecache_159.2.dr	false		high
https://families.google.com/webcreation?usegapi=1&usegapi=1	chromecache_238.2.dr	false		high
https://adservice.google.com/pagead/regclk?	chromecache_220.2.dr	false		high
https://clients6.google.com	chromecache_238.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.19.104	unknown	United States	13335	CLOUDFLARENETUS	false
31.13.71.36	unknown	Ireland	32934	FACEBOOKUS	false
157.240.241.35	unknown	United States	32934	FACEBOOKUS	false
104.21.80.1	unknown	United States	13335	CLOUDFLARENETUS	false
52.223.19.107	unknown	United States	8987	AMAZONEXPANSIONGB	false
3.171.139.119	unknown	United States	16509	AMAZON-02US	false
23.48.224.232	unknown	United States	20940	AKAMAI-ASN1EU	false
104.18.39.181	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.96.1	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.18.104	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.40.174	unknown	United States	15169	GOOGLEUS	false
23.210.92.108	unknown	United States	20940	AKAMAI-ASN1EU	false
157.240.241.1	unknown	United States	32934	FACEBOOKUS	false
52.219.216.17	unknown	United States	16509	AMAZON-02US	false
150.171.22.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
3.168.122.81	unknown	United States	16509	AMAZON-02US	false
3.168.122.82	unknown	United States	16509	AMAZON-02US	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
57.144.180.1	unknown	Belgium	2686	ATGS-MMD-ASUS	false
142.250.176.196	unknown	United States	15169	GOOGLEUS	false
104.26.5.231	unknown	United States	13335	CLOUDFLARENETUS	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.117.182.74	unknown	United States	20940	AKAMAI-ASN1EU	false
172.253.63.154	unknown	United States	15169	GOOGLEUS	false
142.250.72.98	unknown	United States	15169	GOOGLEUS	false
52.219.120.122	unknown	United States	16509	AMAZON-02US	false
142.250.65.164	unknown	United States	15169	GOOGLEUS	false
34.120.195.249	unknown	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1644040
Start date and time:	2025-03-20 10:12:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.phis.win@24/176@0/28

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.32.99, 142.250.80.46, 142.250.176.206, 172.253.122.84, 142.250.72.110, 142.251.35.174, 142.250.65.238, 172.253.63.84, 142.250.80.72, 142.250.80.106, 142.250.65.200, 142.251.35.163, 23.203.176.221, 199.232.210.172, 142.250.80.78, 142.251.41.14, 142.251.40.99, 23.55.235.211, 23.55.235.201, 142.250.80.10, 192.168.2.4, 142.250.80.42, 142.250.176.202, 142.250.80.74, 142.250.65.234, 172.217.165.138, 142.250.65.202, 142.251.35.170, 142.250.72.106, 142.251.41.10, 142.250.65.170, 142.251.32.106, 142.250.81.234, 142.251.40.106, 142.251.40.234, 142.251.40.110, 142.251.40.142, 142.250.64.110, 142.251.40.131, 34.104.35.123, 142.250.65.195, 23.204.23.20, 150.171.27.10, 4.245.163.56
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, accounts.google.com, stls.adobe.com-cn.edgesuite.net.globalredir.akadns.net, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ajax.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, stls.adobe.com-cn.edgesuite.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, edgedl.me.gvt1.com, www.googletagmanager.com, bat.bing.com, a1815.dscr.akamai.net, update.googleapis.com, clients.l.google.com, c.pki.goog, www.adobe.com, www.google-analytics.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	111177
Entropy (8bit):	5.366826626043903
Encrypted:	false
SSDEEP:	1536:yt0tQDlfXm4dVuy1IuAQ/olo3dX4NQpsBrylVdBZin2+/1nc:+V24DNBQidINiqylFZinv/1nc
MD5:	64C8EA000CEE30881074EACED46A6B76
SHA1:	266D135CFADB50D28DD8E607F8464110C07B523B
SHA-256:	9E33F42EDFAE72EDA64700CCBF80519FBD1476A9DBF3839070F4D1F9EED23EB9
SHA-512:	8FC48F9D8ADE84F7071C0F4399069A15335C194D90490F61BCDD7D193D60C03AA3E9CB513A94B2284B70273B51C7453E01F08E980698C3ADB922FCA86F010BAE
Malicious:	false
Reputation:	low
URL:	https://scribehow.com/_next/static/chunks/main-1bfbc11da351a2a7.js
Preview:	(self.webpackChunk_N_E=self.webpackChunk_N_E\|\|[]).push([[179],{4875:function(e,t){"use strict";function r(){return""}Object.defineProperty(t,"__esModule",{value:!0}),Object.defineProperty(t,"getDeploymentIdQueryOrEmptyString",{enumerable:!0,get:function(){return r}})},88223:function(){"trimStart"in String.prototype\|\|(String.prototype.trimStart=String.prototype.trimLeft),"trimEnd"in String.prototype\|\|(String.prototype.trimEnd=String.prototype.trimRight),"description"in Symbol.prototype\|\|Object.defineProperty(Symbol.prototype,"description",{configurable:!0,get:function(){var e=/$(.*)$/.exec(this.toString());return e?e[1]:void 0}}),Array.prototype.flat\|\|(Array.prototype.flat=function(e,t){return t=this.concat.apply([],this),e>1&&t.some(Array.isArray)?t.flat(e-1):t},Array.prototype.flatMap=function(e,t){return this.map(e,t).flat()}),Promise.prototype.finally\|\|(Promise.prototype.finally=function(e){if("function"!=typeof e)return this.then(e,e);var t=this.constructor\|\|Promise;return this.t

Target ID:	1
Start time:	05:13:37
Start date:	20/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	05:13:41
Start date:	20/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6259043399304128305,15716538276182732247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2364 /prefetch:3
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	05:13:47
Start date:	20/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 146

Chrome Cache Entry: 147

Chrome Cache Entry: 148

Chrome Cache Entry: 149

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Chrome Cache Entry: 159

Chrome Cache Entry: 160

Chrome Cache Entry: 161

Chrome Cache Entry: 162

Chrome Cache Entry: 163

Chrome Cache Entry: 164

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 169

Chrome Cache Entry: 170

Chrome Cache Entry: 171

Chrome Cache Entry: 172

Chrome Cache Entry: 173

Chrome Cache Entry: 174

Windows Analysis Report
https://scribehow.com/page/Adobe_PDF_Document__Heb44GIjSfq2CGzJcxhYmA