Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091

Overview

General Information

Sample URL:https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
Analysis ID:1649252

Detection

HTMLPhisher, Invisible JS, Tycoon2FA
Score:100
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Yara detected AntiDebug via timestamp check
Yara detected HtmlPhish10
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
Phishing site or detected (based on various text indicators)
Creates files inside the system directory
Deletes files inside the Windows folder
HTML body contains low number of good links
HTML body contains password input but no form action
HTML page contains hidden javascript code
HTML page contains string obfuscation
HTML title does not match URL
Invalid T&C link found
Program does not show much activity (idle)
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Classification chart (legend only survives in this export): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.
  • System is w10x64_ra
  • chrome.exe (PID: 6976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 5064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Yara matches (23 entries in total; the first 5 shown)

Source | Rule | Description | Author | Strings
4.260.d.script.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security |
4.260.d.script.csv | JoeSecurity_AntiDebugBrowser | Yara detected AntiDebug via timestamp check | Joe Security |
4.266.d.script.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security |
4.261.d.script.csv | JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security |
4.267..script.csv | JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


Phishing
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains an unusual domain name 'iatrivvbe.com' which is not associated with Microsoft., The presence of input fields like 'Email, phone, or Skype' is typical for phishing attempts targeting Microsoft services. DOM: 5.29.pages.csv
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains a domain 'iatrivvbe.com' which is not associated with Microsoft., The presence of an input field asking for a password on a non-legitimate domain is suspicious., The URL does not contain any recognizable association with Microsoft, indicating a potential phishing attempt. DOM: 5.31.pages.csv
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'sa.iatrivvbe.com' does not match the legitimate domain for Microsoft., The URL contains an unusual domain name 'iatrivvbe.com' which is not associated with Microsoft., The presence of a subdomain 'sa' does not mitigate the suspicious nature of the main domain., The email 'not@real.com' suggests a placeholder or non-legitimate input, which is often used in phishing sites. DOM: 5.30.pages.csv
Source: Yara match | File source: 5.30.pages.csv, type: HTML
Source: Yara match | File source: 5.31.pages.csv, type: HTML
Source: Yara match | File source: 5.29.pages.csv, type: HTML
Source: Yara match | File source: 4.261.d.script.csv, type: HTML
Source: Yara match | File source: 4.26.pages.csv, type: HTML
Source: Yara match | File source: 4.22.pages.csv, type: HTML
Source: Yara match | File source: 4.27.pages.csv, type: HTML
Source: Yara match | File source: 4.261.d.script.csv, type: HTML
Source: Yara match | File source: 4.267..script.csv, type: HTML
Source: Yara match | File source: 4.26.pages.csv, type: HTML
Source: Yara match | File source: 4.22.pages.csv, type: HTML
Source: Yara match | File source: 5.280..script.csv, type: HTML
Source: Yara match | File source: 4.27.pages.csv, type: HTML
Source: Yara match | File source: 5.277.d.script.csv, type: HTML
Source: Yara match | File source: 4.260.d.script.csv, type: HTML
Source: Yara match | File source: 4.266.d.script.csv, type: HTML
Source: Yara match | File source: 4.271.d.script.csv, type: HTML
Source: Yara match | File source: 5.272..script.csv, type: HTML
Source: Yara match | File source: 5.273..script.csv, type: HTML
Source: Yara match | File source: 5.30.pages.csv, type: HTML
Source: Yara match | File source: 5.31.pages.csv, type: HTML
Source: Yara match | File source: 5.29.pages.csv, type: HTML
Source: Chrome DOM: 0.2 | OCR Text: i sBPa n % rokers Apollo Insurance Brokers Ltd YOU HAVE 2 NEW DOCUMENTS! *Pages :** 2 * *Resolution : ** 250x500 DPI From :** MPD49729- 23183 CLICK HERE TO VIEW YOUR DOCUMENT Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged Information which is not for the use of any third party. If you are not the Intended reciprent, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway, If this message has been received in error, please notify the sender Immediately by e-mail by return and delete the message from your system.
Source: Chrome DOM: 1.10 | OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more With the file shared with you. oo oo Sign in % rokers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF * *Resolution 250x500 DPI PDF to JPG From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT z Fill & Sign 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c Work on PDFs directly In-browser View, edit, sign, and comrrtent on PDFs directly in browser with the free Acrobat extension Add to Chrome
Source: Chrome DOM: 1.6 | OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more With the file shared with you. oo oo Sign in % rokers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF * *Resolution 250x500 DPI PDF to JPG From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT z Fill & Sign 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c Work on PDFs directly In-browser View, edit, sign, and comrrtent on PDFs directly in browser with the free Acrobat extension Add to Chrome Ask A1 Assistant Short on time? Ask for a quick summary
Source: Chrome DOM: 1.7 | OCR Text: Tools Edit Convert E-Sign Sign in Welcome to Acrobat x Sign in to do more with the file shared with you. oo oo Sign in kers you MAY LIKE Apollo Insurance Brokers Ltd Ask A1 Assistant YOU HAVE 2 NEW DOCUMENTS! Generate a summary *Pages Edit text & images Compress a PDF ** Resolution 250x500 DPI PDF to From MPD49729- 23183 Export a PDF CLICK HERE TO VIEW YOUR DOCUMENT Fill & Sign 1 1 Copyright 2025 (Burns & Wilcox Limited) All rights reserved. This e-mail and any attachments are for the exclusive and confidential use of the intended addressee only. It may contain privileged information which is not for the use of any third party. If you are not the intended recipient, you may not copy, forward, disclose or otherwise use it, or any part of it, in anyway. If this message has been received in error, please notify the sender immediately by e-mail by return and delete the message from your system. c work on PDFs directly In-browser View, edit, sign, and cornrnent on PDFs directly in browser with the free Acrobat extension Add to Chrome
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Number of links: 0
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://sa.iatrivvbe.com/trs/ | HTTP Parser: Base64 decoded: if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) { window.location = "about:blank";}document.addEventListener("keydown", function (event) { function wCPxvjXLYV(event) { co...
Source: https://acrobat.adobe.com/dc-conversions2-dropin/3.17.1_2.146.0/translations-en-US-json.js | HTTP Parser: Found new string: script "use strict";(self["webpackJsonp-conversions2"]=self["webpackJsonp-conversions2"]||[]).push([[818],{R5i5:e=>{e.exports=JSON.parse('{"pdfti.dropzone.heading.seo":"Convert a PDF to JPG image","pdftw.dropzone.heading.seo":"Convert PDF to Word","pdftxls.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft Excel converter.","pdftxls.dropzone.heading.seo":"Convert PDF to Excel","pdftw.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft Word converter.","pdftppt.dropzone.heading.seo":"Convert PDF to PPT","pdftppt.dropzone.description.seo":"Drag and drop a PDF file to use our PDF to Microsoft PowerPoint (PPT) converter.","pdftw.dropzone.description.mobile.seo":"Select a PDF file to use our PDF to Microsoft Word converter.","pdfti.dropzone.description.mobile.seo":"Select a PDF, then convert to JPG, PNG, or TIFF file formats.","pdftxls.dropzone.description.mobile.seo":"Select a PDF file to use our PDF to Microsoft Excel converter.","pdftppt.dropzone.description.mob...
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Title: Secure Profile Access Login does not match URL
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Terms of use
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Privacy & cookies
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Terms of use
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Privacy & cookies
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Terms of use
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: Invalid link: Privacy & cookies
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: var otherweburl = "";var websitenames = ["godaddy", "okta"];var bes = ["apple.com","netflix.com"];var pes = ["https:\/\/t.me\/","https:\/\/t.com\/","t.me\/","https:\/\/t.me.com\/","t.me.com\/","t.me@","https:\/\/t.me@","https:\/\/t.me","https:\/\/t.com","t.me","https:\/\/t.me.com","t.me.com","t.me\/@","https:\/\/t.me\/@","https:\/\/t.me@\/","t.me@\/","https:\/\/www.telegram.me\/","https:\/\/www.telegram.me"];var capnum = 1;var appnum = 1;var pvn = 0;var view = "";var pagelinkval = "di1x2p";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "/qzlzgbzx5i6dvs9of04r81ckle4lhpncag1sealowog4hv6lqfq";var gdf = "/ijcwn3npohihdymdyhn0xdelvznntyzuodwaalubpgslfab115";var odf = "/ghl8bh1z2f4ek4qtmme3pyzqp8igkpdpihqab650";var twa = 0;var currentreq = null;var requestsent = false;var pagedata = "";var redirecturl = "";var useragent = navigator.useragent;var browsername;var userip;var usercountry;var errorcodeexecuted = false;if(useragent.match(/edg/i)){ ...
Source: https://sa.iatrivvbe.com/trs/ | HTTP Parser: function fxspenbzzp(){loarrlslcf = atob("...
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: <input type="password" .../> found
Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091 | HTTP Parser: No favicon
Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091 | HTTP Parser: No favicon
Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091?viewer%21megaVerb=group-discover | HTTP Parser: No favicon
Source: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091?viewer%21megaVerb=group-discover | HTTP Parser: No favicon
Source: https://sa.iatrivvbe.com/trs/ | HTTP Parser: No favicon
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No favicon
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No favicon
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No favicon
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="author".. found
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="author".. found
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="author".. found
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="copyright".. found
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="copyright".. found
Source: https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: chrome.exe | Memory has grown: Private usage: 1MB later: 30MB
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6976_247053650
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6976_247053650
Source: classification engine | Classification label: mal100.phis.evad.win@25/0@0/460
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 occurrences)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,9500453346925882003,2616562952344092113,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (19 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Malware Analysis System Evasion

Source: Yara match | File source: 4.260.d.script.csv, type: HTML
Source: Yara match | File source: 5.272..script.csv, type: HTML
Source: Yara match | File source: 5.273..script.csv, type: HTML
Source: Yara match | File source: 5.30.pages.csv, type: HTML
Source: Yara match | File source: 5.31.pages.csv, type: HTML
Source: Yara match | File source: 5.29.pages.csv, type: HTML
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (the 14-column matrix was flattened by the export; it is reconstructed here by tactic, and the numbers in parentheses are the counts shown next to matched techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (12); Process Injection (1); Deobfuscate/Decode Files or Information (1); File Deletion (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Screenshots: thumbnails not reproduced in this text export.

URL scanner results

Source | Detection | Scanner | Label | Link
https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091 | 0% | Avira URL Cloud | safe |

No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://sa.iatrivvbe.com/jpmqjggfeokycqetkurlkuFO5M3M5E7N4BTAWSZ09GGL905YM08H?BXQIPYQRBDVXJMKNVOYQD | true | | unknown
https://sa.iatrivvbe.com/trs/ | false | | unknown
Contacted public IPs

IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
23.223.209.71 | unknown | United States | 16625 | AKAMAI-AS | US | false
140.82.113.4 | unknown | United States | 36459 | GITHUB | US | false
199.232.89.138 | unknown | United States | 54113 | FASTLY | US | false
34.254.217.29 | unknown | United States | 16509 | AMAZON-02 | US | false
172.67.196.90 | unknown | United States | 13335 | CLOUDFLARENET | US | false
172.67.159.28 | unknown | United States | 13335 | CLOUDFLARENET | US | false
23.223.209.35 | unknown | United States | 16625 | AKAMAI-AS | US | false
3.233.129.217 | unknown | United States | 14618 | AMAZON-AES | US | false
172.64.155.61 | unknown | United States | 13335 | CLOUDFLARENET | US | false
172.67.196.11 | unknown | United States | 13335 | CLOUDFLARENET | US | false
142.251.40.131 | unknown | United States | 15169 | GOOGLE | US | false
34.252.184.159 | unknown | United States | 16509 | AMAZON-02 | US | false
18.164.124.11 | unknown | United States | 3 | MIT-GATEWAYS | US | false
23.223.209.5 | unknown | United States | 16625 | AKAMAI-AS | US | false
35.190.80.1 | unknown | United States | 15169 | GOOGLE | US | false
63.140.39.35 | unknown | United States | 4134 | CHINANET-BACKBONE No31 Jin-rong Street | CN | false
99.83.173.21 | unknown | United States | 16509 | AMAZON-02 | US | false
142.250.65.170 | unknown | United States | 15169 | GOOGLE | US | false
104.16.3.189 | unknown | United States | 13335 | CLOUDFLARENET | US | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENET | US | false
54.175.249.133 | unknown | United States | 14618 | AMAZON-AES | US | false
63.140.39.9 | unknown | United States | 4134 | CHINANET-BACKBONE No31 Jin-rong Street | CN | false
54.228.247.11 | unknown | United States | 16509 | AMAZON-02 | US | false
142.251.32.110 | unknown | United States | 15169 | GOOGLE | US | false
67.202.29.163 | unknown | United States | 14618 | AMAZON-AES | US | false
3.87.180.44 | unknown | United States | 14618 | AMAZON-AES | US | false
52.73.181.51 | unknown | United States | 14618 | AMAZON-AES | US | false
18.213.11.84 | unknown | United States | 14618 | AMAZON-AES | US | false
104.26.0.100 | unknown | United States | 13335 | CLOUDFLARENET | US | false
3.236.206.94 | unknown | United States | 14618 | AMAZON-AES | US | false
3.232.122.107 | unknown | United States | 14618 | AMAZON-AES | US | false
13.35.93.57 | unknown | United States | 16509 | AMAZON-02 | US | false
13.225.63.26 | unknown | United States | 16509 | AMAZON-02 | US | false
13.35.93.13 | unknown | United States | 16509 | AMAZON-02 | US | false
104.18.94.41 | unknown | United States | 13335 | CLOUDFLARENET | US | false
79.125.71.5 | unknown | Ireland | 16509 | AMAZON-02 | US | false
104.21.92.165 | unknown | United States | 13335 | CLOUDFLARENET | US | false
23.51.56.185 | unknown | United States | 4788 | TMNET-AS-AP TM Net, Internet Service Provider | MY | false
104.21.33.57 | unknown | United States | 13335 | CLOUDFLARENET | US | false
63.140.39.130 | unknown | United States | 4134 | CHINANET-BACKBONE No31 Jin-rong Street | CN | false
142.251.32.106 | unknown | United States | 15169 | GOOGLE | US | false
142.250.64.74 | unknown | United States | 15169 | GOOGLE | US | false
23.48.224.112 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
23.44.201.201 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
44.198.154.229 | unknown | United States | 14618 | AMAZON-AES | US | false
3.230.130.186 | unknown | United States | 14618 | AMAZON-AES | US | false
104.16.6.189 | unknown | United States | 13335 | CLOUDFLARENET | US | false
108.138.128.75 | unknown | United States | 16509 | AMAZON-02 | US | false
3.219.243.226 | unknown | United States | 14618 | AMAZON-AES | US | false
104.17.24.14 | unknown | United States | 13335 | CLOUDFLARENET | US | false
18.164.124.91 | unknown | United States | 3 | MIT-GATEWAYS | US | false
23.51.57.57 | unknown | United States | 4788 | TMNET-AS-AP TM Net, Internet Service Provider | MY | false
104.18.21.58 | unknown | United States | 13335 | CLOUDFLARENET | US | false
142.251.179.84 | unknown | United States | 15169 | GOOGLE | US | false
13.225.63.103 | unknown | United States | 16509 | AMAZON-02 | US | false
162.159.140.165 | unknown | United States | 13335 | CLOUDFLARENET | US | false
34.199.101.34 | unknown | United States | 14618 | AMAZON-AES | US | false
23.44.201.171 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
142.250.81.228 | unknown | United States | 15169 | GOOGLE | US | false
151.101.2.137 | unknown | United States | 54113 | FASTLY | US | false
18.173.219.72 | unknown | United States | 3 | MIT-GATEWAYS | US | false
23.48.224.103 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
13.249.91.73 | unknown | United States | 16509 | AMAZON-02 | US | false
23.48.224.105 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
172.67.70.233 | unknown | United States | 13335 | CLOUDFLARENET | US | false
185.199.108.133 | unknown | Netherlands | 54113 | FASTLY | US | false
34.197.224.31 | unknown | United States | 14618 | AMAZON-AES | US | false
34.120.195.249 | unknown | United States | 15169 | GOOGLE | US | false
Other contacted IPs: 127.0.0.1, 192.168.2.17, 192.168.2.16, 192.168.2.13, 192.168.2.14
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1649252
Start date and time: 2025-03-26 15:59:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.evad.win@25/0@0/460
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 142.251.32.110, 142.251.40.131, 142.251.179.84, 142.251.40.206, 23.48.224.112, 23.48.224.105, 23.44.201.201, 23.44.201.197, 23.44.201.171, 192.168.2.16, 79.125.71.5, 52.213.110.235, 3.233.129.217, 52.22.41.97, 52.6.155.20, 3.219.243.226, 13.225.63.26, 13.225.63.7, 13.225.63.103, 13.225.63.53, 18.213.11.84, 50.16.47.176, 34.237.241.83, 54.224.241.105, 34.199.101.34, 44.198.154.229, 52.31.218.129, 34.252.184.159, 52.48.8.54, 54.228.247.11, 34.246.54.182, 52.48.126.58, 3.232.122.107, 34.193.3.138, 35.169.244.202, 44.214.7.0, 35.174.237.128, 3.209.175.155, 3.230.130.186, 34.197.224.31, 23.40.179.35, 23.40.179.19, 142.251.32.106, 142.251.35.170, 142.251.40.106, 142.251.40.138, 142.251.40.170, 142.250.64.74, 142.250.64.106, 142.250.72.106, 142.250.80.10, 142.250.80.42, 142.250.80.74, 142.250.80.106, 142.250.65.170, 142.250.65.202, 142.250.65.234, 142.250.81.234, 23.9.183.29, 2.23.227.208, 172.64.155.61, 4.245.163.56, 63.140.39.130, 63.140.39.35
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: https://acrobat.adobe.com/id/urn:aaid:sc:EU:dd1dc65d-ce42-4138-a001-66d6a6601091
No created / dropped files found
No static file info