
Windows Analysis Report
Voicemail_vRecording_Ardian.htm

Overview

General Information

Sample name:Voicemail_vRecording_Ardian.htm
Analysis ID:1648887
MD5:3614c4cf8b6b83bc62f323ddec4d04f3
SHA1:ca79fc3143088b2ae3f577c59b76422dd8c9e5f0
SHA256:cf501cf74780c66e4c43118def0428a9d96fcbaa510570da3ee233e6865741f7

Detection

Score:68
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious Javascript
HTML document with suspicious name
HTML document with suspicious title
Suspicious Javascript code found in HTML file
Yara detected JavaScript embedded in SVG
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64_ra
  • chrome.exe (PID: 2192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Voicemail_vRecording_Ardian.htm MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 1808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2008,i,4219147839140760578,4597248012323198973,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Source | Rule | Description | Author | Strings
Voicemail_vRecording_Ardian.htm | JoeSecurity_JavaScriptembeddedinSVG | Yara detected JavaScript embedded in SVG | Joe Security |
0.1.pages.csv | JoeSecurity_JavaScriptembeddedinSVG | Yara detected JavaScript embedded in SVG | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: https://lovemi.centralizedstorage.de/G6YRK?e=YW5uZS5yb3NlbmJlcmdAYXJkaWFuLmNvbQ== | Avira URL Cloud: Label: malware

Phishing

Source: 0.0..script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/Voicemail_vRecording... This script exhibits several high-risk behaviors, including dynamic code execution through the use of `atob()` to decode a URL, and the potential for data exfiltration by sending data to an external domain. The obfuscated code and URL also raise concerns about the script's true intent. While the context is unclear, the overall behavior of this script is highly suspicious and poses a significant security risk.
Source: file:///C:/Users/user/Desktop/Voicemail_vRecording_Ardian.htm | Tab title: Voicemail_vRecording_Ardian.htm
Source: Voicemail_vRecording_Ardian.htm | HTTP Parser: .src = atob(
Source: Yara match | File source: Voicemail_vRecording_Ardian.htm, type: SAMPLE
Source: Yara match | File source: 0.1.pages.csv, type: HTML
Source: Voicemail_vRecording_Ardian.htm | HTTP Parser: Base64 decoded: T-bone qui sint, culpa venison hamburger veniam pancetta ut.
Source: Voicemail_vRecording_Ardian.htm | HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Voicemail_vRecording_Ardian.htm | HTTP Parser: No favicon
Source: unknown | HTTPS traffic detected: 142.251.32.100:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.214.233:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 1MB later: 38MB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: global traffic | HTTP traffic detected:
GET /G6YRK?e=YW5uZS5yb3NlbmJlcmdAYXJkaWFuLmNvbQ== HTTP/1.1
Host: lovemi.centralizedstorage.de
Connection: keep-alive
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Sec-Fetch-Storage-Access: active
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: lovemi.centralizedstorage.de
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: unknown | HTTP traffic detected:
POST /report/v4?s=0fAe%2BmW%2FvhFztmWV8ypv0JpYWKcPkOhs6JrSd1Z06T7ZZ17qmksRevc16boJcKxjwV5tzd4btO84I9XZF4i6pWyf0YdsLrNMA7PL8HVTq1UjP5kAh5b5Pv7BgT61HwExcRQeIt3FFtcGSeeIBOtQ HTTP/1.1
Host: a.nel.cloudflare.com
Connection: keep-alive
Content-Length: 445
Content-Type: application/reports+json
Origin: https://lovemi.centralizedstorage.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Source: Name includes: Voicemail_vRecording_Ardian.htm | Initial sample: recording
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir2192_944691033
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir2192_944691033
Source: classification engine | Classification label: mal68.phis.winHTM@20/0@9/138
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Voicemail_vRecording_Ardian.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2008,i,4219147839140760578,4597248012323198973,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count the report shows for that technique):
  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
  • Persistence: Browser Extensions (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
  • Privilege Escalation: Process Injection (1), Extra Window Memory Injection (1), Logon Script (Windows), Login Hook
  • Defense Evasion: Masquerading (1), Process Injection (1), File Deletion (1), Extra Window Memory Injection (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: System Service Discovery, Application Window Discovery, Query Registry, System Network Configuration Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (1)
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

No Antivirus matches
Source | Detection | Scanner | Label | Link
file:///C:/Users/user/Desktop/Voicemail_vRecording_Ardian.htm | 0% | Avira URL Cloud | safe |
https://lovemi.centralizedstorage.de/G6YRK?e=YW5uZS5yb3NlbmJlcmdAYXJkaWFuLmNvbQ== | 100% | Avira URL Cloud | malware |
https://a.nel.cloudflare.com/report/v4?s=0fAe%2BmW%2FvhFztmWV8ypv0JpYWKcPkOhs6JrSd1Z06T7ZZ17qmksRevc16boJcKxjwV5tzd4btO84I9XZF4i6pWyf0YdsLrNMA7PL8HVTq1UjP5kAh5b5Pv7BgT61HwExcRQeIt3FFtcGSeeIBOtQ | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
a.nel.cloudflare.com | 35.190.80.1 | true | false | | high
www.google.com | 142.251.32.100 | true | false | | high
lovemi.centralizedstorage.de | 104.21.91.93 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://a.nel.cloudflare.com/report/v4?s=0fAe%2BmW%2FvhFztmWV8ypv0JpYWKcPkOhs6JrSd1Z06T7ZZ17qmksRevc16boJcKxjwV5tzd4btO84I9XZF4i6pWyf0YdsLrNMA7PL8HVTq1UjP5kAh5b5Pv7BgT61HwExcRQeIt3FFtcGSeeIBOtQ | false | Avira URL Cloud: safe | unknown
https://lovemi.centralizedstorage.de/G6YRK?e=YW5uZS5yb3NlbmJlcmdAYXJkaWFuLmNvbQ== | true | Avira URL Cloud: malware | unknown
file:///C:/Users/user/Desktop/Voicemail_vRecording_Ardian.htm | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.65.195 | unknown | United States | 15169 | GOOGLEUS | false
142.251.32.99 | unknown | United States | 15169 | GOOGLEUS | false
172.253.62.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.64.110 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.142 | unknown | United States | 15169 | GOOGLEUS | false
142.250.65.227 | unknown | United States | 15169 | GOOGLEUS | false
142.250.65.238 | unknown | United States | 15169 | GOOGLEUS | false
142.251.32.100 | www.google.com | United States | 15169 | GOOGLEUS | false
35.190.80.1 | a.nel.cloudflare.com | United States | 15169 | GOOGLEUS | false
172.67.214.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1648887
            Start date and time:2025-03-26 10:07:22 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsinteractivecookbook.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • EGA enabled
            Analysis Mode:stream
            Analysis stop reason:Timeout
            Sample name:Voicemail_vRecording_Ardian.htm
            Detection:MAL
            Classification:mal68.phis.winHTM@20/0@9/138
            Cookbook Comments:
            • Found application associated with file extension: .htm
            • Exclude process from analysis (whitelisted): svchost.exe
            • Excluded IPs from analysis (whitelisted): 142.250.64.110, 142.251.32.99, 142.250.65.238, 172.253.62.84, 142.251.40.142, 142.250.65.206
            • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
             • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenFile calls found.
            • VT rate limit hit for: lovemi.centralizedstorage.de
            No created / dropped files found
            File type:HTML document, ASCII text, with very long lines (316), with CRLF line terminators
            Entropy (8bit):5.351941172795003
            TrID:
              File name:Voicemail_vRecording_Ardian.htm
              File size:2'420 bytes
              MD5:3614c4cf8b6b83bc62f323ddec4d04f3
              SHA1:ca79fc3143088b2ae3f577c59b76422dd8c9e5f0
              SHA256:cf501cf74780c66e4c43118def0428a9d96fcbaa510570da3ee233e6865741f7
              SHA512:30c34474613b13bceedae75e2f2ade3a88c0dccfd0366bd9fada297a6e882bbe4d79b2b9010879c331b560cc1f594f67f9c350261a29c0980f74bbc84c4ebb3d
              SSDEEP:48:3ZRuFH4TxPFjK7ZQq1hFm6YmB3fiFtO4/hpPLKKUt3lGfmu7mBLK/H:JIFH4TxPFjK7ZQ2uDev05/T+ttVgJ/H
              TLSH:F841B839DE848D3416B68756829029DBCF67CD8BF70C11AAF84D2B171F318E510735E8
              File Content Preview: VC1ib25lIHF1aSBzaW50LCBjdWxwYSB2ZW5pc29uIGhhbWJ1cmdlciB2ZW5pYW0gcGFuY2V0dGEgdXQu --> Boudin meatball buffalo cupidatat nostrud ham officia swine fatback bacon turkey magna beef ribs pastrami.-->.. <svg xmlns="http://www.w3.org/2000/svg" w
              Icon Hash:1270ce868a8686b8