Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091

Overview

General Information

Sample URL:https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
Analysis ID:1649252
Infos:

Detection

HTMLPhisher, Invisible JS, Tycoon2FA
Score:100
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Yara detected AntiDebug via timestamp check
Yara detected HtmlPhish10
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
Phishing site or detected (based on various text indicators)
Creates files inside the system directory
Deletes files inside the Windows folder
HTML body contains low number of good links
HTML body contains password input but no form action
HTML page contains hidden javascript code
HTML page contains string obfuscation
HTML title does not match URL
Invalid T&C link found
Program does not show much activity (idle)
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 5064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
4.260.d.script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
    4.260.d.script.csvJoeSecurity_AntiDebugBrowserYara detected AntiDebug via timestamp checkJoe Security
      4.266.d.script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
        4.261.d.script.csvJoeSecurity_HangulCharacterYara detected Obfuscation Via HangulCharacterJoe Security
          4.267..script.csvJoeSecurity_HangulCharacterYara detected Obfuscation Via HangulCharacterJoe Security
            Click to see the 23 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            • Phishing
            • Compliance
            • Software Vulnerabilities
            • System Summary
            • Malware Analysis System Evasion
            • Anti Debugging

            Click to jump to signature section

            Show All Signature Results

            Phishing

            barindex
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDJoe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains an unusual domain name 'iatrivvbe.com' which is not associated with Microsoft., The presence of input fields like 'Email, phone, or Skype' is typical for phishing attempts targeting Microsoft services. DOM: 5.29.pages.csv
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDJoe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains a domain 'iatrivvbe.com' which is not associated with Microsoft., The presence of an input field asking for a password on a non-legitimate domain is suspicious., The URL does not contain any recognizable association with Microsoft, indicating a potential phishing attempt. DOM: 5.31.pages.csv
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDJoe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains an unusual domain name 'iatrivvbe.com' which is not associated with Microsoft., The presence of a subdomain 'sa' does not mitigate the suspicious nature of the main domain., The email 'not@real.com' suggests a placeholder or non-legitimate input, which is often used in phishing sites. DOM: 5.30.pages.csv
            Source: Yara matchFile source: 5.30.pages.csv, type: HTML
            Source: Yara matchFile source: 5.31.pages.csv, type: HTML
            Source: Yara matchFile source: 5.29.pages.csv, type: HTML
            Source: Yara matchFile source: 4.261.d.script.csv, type: HTML
            Source: Yara matchFile source: 4.26.pages.csv, type: HTML
            Source: Yara matchFile source: 4.22.pages.csv, type: HTML
            Source: Yara matchFile source: 4.27.pages.csv, type: HTML
            Source: Yara matchFile source: 4.261.d.script.csv, type: HTML
            Source: Yara matchFile source: 4.267..script.csv, type: HTML
            Source: Yara matchFile source: 4.26.pages.csv, type: HTML
            Source: Yara matchFile source: 4.22.pages.csv, type: HTML
            Source: Yara matchFile source: 5.280..script.csv, type: HTML
            Source: Yara matchFile source: 4.27.pages.csv, type: HTML
            Source: Yara matchFile source: 5.277.d.script.csv, type: HTML
            Source: Yara matchFile source: 4.260.d.script.csv, type: HTML
            Source: Yara matchFile source: 4.266.d.script.csv, type: HTML
            Source: Yara matchFile source: 4.271.d.script.csv, type: HTML
            Source: Yara matchFile source: 5.272..script.csv, type: HTML
            Source: Yara matchFile source: 5.273..script.csv, type: HTML
            Source: Yara matchFile source: 5.30.pages.csv, type: HTML
            Source: Yara matchFile source: 5.31.pages.csv, type: HTML
            Source: Yara matchFile source: 5.29.pages.csv, type: HTML
            Source: Chrome DOM: 0.2OCR Text: i sBPa n % rokers Apollo Insurance Brokers Ltd YOU HAVE 2 NEW DOCUMENTS! *Pages :** 2 * *Resolution : ** 250x500 DPI From :** MPD49729- 23183 CLICK HERE TO VIEW YOUR DOCUMENT Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged Information which is not for the use of any third party. If you are not the Intended reciprent, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway, If this message has been received in error, please notify the sender Immediately by e-mail by return and delete the message from your system.
            Source: Chrome DOM: 1.10OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more With the file shared with you. oo oo Sign in % rokers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF * *Resolution 250x500 DPI PDF to JPG From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT z Fill & Sign 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c Work on PDFs directly In-browser View, edit, sign, and comrrtent on PDFs directly in browser with the free Acrobat extension Add to Chrome
            Source: Chrome DOM: 1.6OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more With the file shared with you. oo oo Sign in % rokers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF * *Resolution 250x500 DPI PDF to JPG From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT z Fill & Sign 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c Work on PDFs directly In-browser View, edit, sign, and comrrtent on PDFs directly in browser with the free Acrobat extension Add to Chrome Ask A1 Assistant Short on time? Ask for a quick summary
            Source: Chrome DOM: 1.7OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more with the file shared with you. oo oo Sign in kers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF ** Resolution 250x500 DPI PDF to From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT Fill & Sign 1 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c work on PDFs directly In-browser View, edit, sign, and cornrnent on PDFs directly in browser with the free Acrobat extension Add to Chrome
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Number of links: 0
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: <input type="password" .../> found but no <form action="...
            Source: https://sa.iatrivvbe.com/trs/HTTP Parser: Base64 decoded: if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) { window.location = "about:blank";}document.addEventListener("keydown", function (event) { function wCPxvjXLYV(event) { co...
            Source: https://acrobat.adobe.com/dc-conversions2-dropin/3.17.1_2.146.0/translations-en-US-json.jsHTTP Parser: Found new string: script "use strict";(self["webpackJsonp-conversions2"]=self["webpackJsonp-conversions2"]||[]).push([[818],{R5i5:e=>{e.exports=JSON.parse('{"pdfti.dropzone.heading.seo":"Convert a PDF to JPG image","pdftw.dropzone.heading.seo":"Convert PDF to Word","pdftxls.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft Excel converter.","pdftxls.dropzone.heading.seo":"Convert PDF to Excel","pdftw.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft Word converter.","pdftppt.dropzone.heading.seo":"Convert PDF to PPT","pdftppt.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft PowerPoint (PPT) converter.","pdftw.dropzone.description.mobile.seo":"Select a PDF file to use our PDF to Microsoft Word converter.","pdfti.dropzone.description.mobile.seo":"Select a PDF, then convert to JPG, PNG, or TIFF file formats.","pdftxls.dropzone.description.mobile.seo":"Select a PDF file to use our PDF to Microsoft Excel converter.","pdftppt.dropzone.description.mob...
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Title: Secure Profile Access Login does not match URL
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Terms of use
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Privacy & cookies
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Terms of use
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Privacy & cookies
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Terms of use
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: Invalid link: Privacy & cookies
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: var otherweburl = "";var websitenames = ["godaddy", "okta"];var bes = ["apple.com","netflix.com"];var pes = ["https:\/\/t.me\/","https:\/\/t.com\/","t.me\/","https:\/\/t.me.com\/","t.me.com\/","t.me@","https:\/\/t.me@","https:\/\/t.me","https:\/\/t.com","t.me","https:\/\/t.me.com","t.me.com","t.me\/@","https:\/\/t.me\/@","https:\/\/t.me@\/","t.me@\/","https:\/\/www.telegram.me\/","https:\/\/www.telegram.me"];var capnum = 1;var appnum = 1;var pvn = 0;var view = "";var pagelinkval = "di1x2p";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "/qzlzgbzx5i6dvs9of04r81ckle4lhpncag1sealowog4hv6lqfq";var gdf = "/ijcwn3npohihdymdyhn0xdelvznntyzuodwaalubpgslfab115";var odf = "/ghl8bh1z2f4ek4qtmme3pyzqp8igkpdpihqab650";var twa = 0;var currentreq = null;var requestsent = false;var pagedata = "";var redirecturl = "";var useragent = navigator.useragent;var browsername;var userip;var usercountry;var errorcodeexecuted = false;if(useragent.match(/edg/i)){ ...
            Source: https://sa.iatrivvbe.com/trs/HTTP Parser: function fxspenbzzp(){loarrlslcf = atob("pcfet0nuwvbfigh0bww+cjxodg1sigxhbmc9imvuij4kpghlywq+ciagpg1ldgegy2hhcnnldd0ivvrgltgipgogidxtzxrhig5hbwu9inzpzxdwb3j0iibjb250zw50psj3awr0ad1kzxzpy2utd2lkdggsigluaxrpywwtc2nhbgu9ms4wij4kica8dgl0bgu+rwr1vmlzaw9uic0gvhjhbnnmb3jtaw5nievkdwnhdglvbjwvdgl0bgu+ciagphn0ewxlpgogicagym9kesb7ciagicagigzvbnqtzmftawx5oianu2vnb2ugvuknlcbuywhvbwesiedlbmv2yswgvmvyzgfuyswgc2fucy1zzxjpzjskicagicagbwfyz2luoiawowogicagicbwywrkaw5noiawowogicagicbiywnrz3jvdw5klwnvbg9yoiajzjlmowy5owogicagicbjb2xvcjogizmzmzskicagih0kicagighlywrlcib7ciagicagigjhy2tncm91bmq6igxpbmvhci1ncmfkawvudcgxmzvkzwcsicm2ytexy2isicmyntc1zmmpowogicagicbjb2xvcjogi2zmzjskicagicagcgfkzgluzzognjbwecaymhb4owogicagicb0zxh0lwfsawduoibjzw50zxi7ciagicb9ciagicbozwfkzxigadegewogicagicbtyxjnaw46ida7ciagicagigzvbnqtc2l6ztogm3jlbtskicagicagzm9udc13zwlnahq6igjvbgq7ciagicb9ciagicbozwfkzxigccb7ciagicagigzvbnqtc2l6ztogms4ycmvtowogicagicbtyxjnaw4tdg9woiaxmhb4owogicagfqogicagbmf2ihskicagicagymfja2dyb3vuzdogcmdiysgyntusidi1nswgmju1lcawljkpowogi...
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: <input type="password" .../> found
            Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091HTTP Parser: No favicon
            Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091HTTP Parser: No favicon
            Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091?viewer%21megaVerb=group-discoverHTTP Parser: No favicon
            Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091?viewer%21megaVerb=group-discoverHTTP Parser: No favicon
            Source: https://sa.iatrivvbe.com/trs/HTTP Parser: No favicon
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No favicon
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No favicon
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No favicon
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="author".. found
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="author".. found
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="author".. found
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="copyright".. found
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="copyright".. found
            Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDHTTP Parser: No <meta name="copyright".. found
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries
            Source: chrome.exeMemory has grown: Private usage: 1MB later: 30MB
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir6976_247053650
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir6976_247053650
            Source: classification engineClassification label: mal100.phis.evad.win@25/0@0/460
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\Dictionaries
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries

            Malware Analysis System Evasion

            barindex
            Source: Yara matchFile source: 4.260.d.script.csv, type: HTML
            Source: Yara matchFile source: 5.272..script.csv, type: HTML
            Source: Yara matchFile source: 5.273..script.csv, type: HTML
            Source: Yara matchFile source: 5.30.pages.csv, type: HTML
            Source: Yara matchFile source: 5.31.pages.csv, type: HTML
            Source: Yara matchFile source: 5.29.pages.csv, type: HTML
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information1
            Scripting            		Valid AccountsWindows Management Instrumentation1
            Scripting            		1
            Process Injection            		12
            Masquerading            		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Extra Window Memory Injection            		1
            Process Injection            		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
            Deobfuscate/Decode Files or Information            		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            File Deletion            		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Extra Window Memory Injection            		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

            Screenshots

            Download Video

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            No bigger version
            No bigger version
            No bigger version
            No bigger version
            No bigger version
            No bigger version

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a66010910%Avira URL Cloudsafe

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQDtrue
              		unknown
              https://sa.iatrivvbe.com/trs/false
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                23.223.209.71
                		unknownUnited States
                		16625AKAMAI-ASUSfalse
                140.82.113.4
                		unknownUnited States
                		36459GITHUBUSfalse
                199.232.89.138
                		unknownUnited States
                		54113FASTLYUSfalse
                34.254.217.29
                		unknownUnited States
                		16509AMAZON-02USfalse
                172.67.196.90
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                172.67.159.28
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                23.223.209.35
                		unknownUnited States
                		16625AKAMAI-ASUSfalse
                3.233.129.217
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                172.64.155.61
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                172.67.196.11
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                142.251.40.131
                		unknownUnited States
                		15169GOOGLEUSfalse
                34.252.184.159
                		unknownUnited States
                		16509AMAZON-02USfalse
                18.164.124.11
                		unknownUnited States
                		3MIT-GATEWAYSUSfalse
                23.223.209.5
                		unknownUnited States
                		16625AKAMAI-ASUSfalse
                35.190.80.1
                		unknownUnited States
                		15169GOOGLEUSfalse
                63.140.39.35
                		unknownUnited States
                		4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                99.83.173.21
                		unknownUnited States
                		16509AMAZON-02USfalse
                142.250.65.170
                		unknownUnited States
                		15169GOOGLEUSfalse
                104.16.3.189
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                1.1.1.1
                		unknownAustralia
                		13335CLOUDFLARENETUSfalse
                54.175.249.133
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                63.140.39.9
                		unknownUnited States
                		4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                54.228.247.11
                		unknownUnited States
                		16509AMAZON-02USfalse
                142.251.32.110
                		unknownUnited States
                		15169GOOGLEUSfalse
                67.202.29.163
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                3.87.180.44
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                52.73.181.51
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                18.213.11.84
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                104.26.0.100
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                3.236.206.94
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                3.232.122.107
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                13.35.93.57
                		unknownUnited States
                		16509AMAZON-02USfalse
                13.225.63.26
                		unknownUnited States
                		16509AMAZON-02USfalse
                13.35.93.13
                		unknownUnited States
                		16509AMAZON-02USfalse
                104.18.94.41
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                79.125.71.5
                		unknownIreland
                		16509AMAZON-02USfalse
                104.21.92.165
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                23.51.56.185
                		unknownUnited States
                		4788TMNET-AS-APTMNetInternetServiceProviderMYfalse
                104.21.33.57
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                63.140.39.130
                		unknownUnited States
                		4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                142.251.32.106
                		unknownUnited States
                		15169GOOGLEUSfalse
                142.250.64.74
                		unknownUnited States
                		15169GOOGLEUSfalse
                23.48.224.112
                		unknownUnited States
                		20940AKAMAI-ASN1EUfalse
                23.44.201.201
                		unknownUnited States
                		20940AKAMAI-ASN1EUfalse
                44.198.154.229
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                3.230.130.186
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                104.16.6.189
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                108.138.128.75
                		unknownUnited States
                		16509AMAZON-02USfalse
                3.219.243.226
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                104.17.24.14
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                18.164.124.91
                		unknownUnited States
                		3MIT-GATEWAYSUSfalse
                23.51.57.57
                		unknownUnited States
                		4788TMNET-AS-APTMNetInternetServiceProviderMYfalse
                104.18.21.58
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                142.251.179.84
                		unknownUnited States
                		15169GOOGLEUSfalse
                13.225.63.103
                		unknownUnited States
                		16509AMAZON-02USfalse
                162.159.140.165
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                34.199.101.34
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                23.44.201.171
                		unknownUnited States
                		20940AKAMAI-ASN1EUfalse
                142.250.81.228
                		unknownUnited States
                		15169GOOGLEUSfalse
                151.101.2.137
                		unknownUnited States
                		54113FASTLYUSfalse
                18.173.219.72
                		unknownUnited States
                		3MIT-GATEWAYSUSfalse
                23.48.224.103
                		unknownUnited States
                		20940AKAMAI-ASN1EUfalse
                13.249.91.73
                		unknownUnited States
                		16509AMAZON-02USfalse
                23.48.224.105
                		unknownUnited States
                		20940AKAMAI-ASN1EUfalse
                172.67.70.233
                		unknownUnited States
                		13335CLOUDFLARENETUSfalse
                185.199.108.133
                		unknownNetherlands
                		54113FASTLYUSfalse
                34.197.224.31
                		unknownUnited States
                		14618AMAZON-AESUSfalse
                34.120.195.249
                		unknownUnited States
                		15169GOOGLEUSfalse

                Private

                IP
                127.0.0.1
                192.168.2.17
                192.168.2.16
                192.168.2.13
                192.168.2.14

                General Information

                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1649252
                Start date and time:2025-03-26 15:59:00 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Sample URL:https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:14
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                Analysis Mode:stream
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.phis.evad.win@25/0@0/460
                • Exclude process from analysis (whitelisted): svchost.exe
                • Excluded IPs from analysis (whitelisted): 142.251.32.110, 142.251.40.131, 142.251.179.84, 142.251.40.206, 23.48.224.112, 23.48.224.105, 23.44.201.201, 23.44.201.197, 23.44.201.171, 192.168.2.16, 79.125.71.5, 52.213.110.235, 3.233.129.217, 52.22.41.97, 52.6.155.20, 3.219.243.226, 13.225.63.26, 13.225.63.7, 13.225.63.103, 13.225.63.53, 18.213.11.84, 50.16.47.176, 34.237.241.83, 54.224.241.105, 34.199.101.34, 44.198.154.229, 52.31.218.129, 34.252.184.159, 52.48.8.54, 54.228.247.11, 34.246.54.182, 52.48.126.58, 3.232.122.107, 34.193.3.138, 35.169.244.202, 44.214.7.0, 35.174.237.128, 3.209.175.155, 3.230.130.186, 34.197.224.31, 23.40.179.35, 23.40.179.19, 142.251.32.106, 142.251.35.170, 142.251.40.106, 142.251.40.138, 142.251.40.170, 142.250.64.74, 142.250.64.106, 142.250.72.106, 142.250.80.10, 142.250.80.42, 142.250.80.74, 142.250.80.106, 142.250.65.170, 142.250.65.202, 142.250.65.234, 142.250.81.234, 23.9.183.29, 2.23.227.208, 172.64.155.61, 4.245.163.56, 63.140.39.130, 63.140.39.35
                • Not all processes where analyzed, report is missing behavior information
                • VT rate limit hit for: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091

                Created / dropped Files

                No created / dropped files found

                Static File Info

                No static file info