Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview

Overview

General Information

Sample URL:	https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview
Analysis ID:	807406

Detection

HTMLPhisher

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Phishing site detected (based on image similarity)

HTML body contains low number of good links

Invalid T&C link found

No HTML title found

Classification

×

Process Tree

System is w10x64_ra

chrome.exe (PID: 1492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,4806942962402137978,8722282257215584760,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
68610.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish10

Source: Yara match

File source: 68610.6.pages.csv, type: HTML

Phishing site detected (based on image similarity)

Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
Source: embedded	Matcher: Found strong image similarity, brand: Microsoft image: 68610.6.img.2.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB

Source: https://best-face-serum.com/release/Odrivex%203%202/

HTTP Parser: Number of links: 0

Source: https://best-face-serum.com/release/Odrivex%203%202/

HTTP Parser: Invalid link: Privacy & Cookies

Source: https://best-face-serum.com/release/Odrivex%203%202/

HTTP Parser: HTML title missing

Source: https://best-face-serum.com/release/Odrivex%203%202/

HTTP Parser: No <meta name="author".. found

Source: https://best-face-serum.com/release/Odrivex%203%202/

HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Source: unknown

DNS traffic detected: queries for: preview.webflow.com

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: classification engine

Classification label: mal52.phis.win@30/0@36/291

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,4806942962402137978,8722282257215584760,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,4806942962402137978,8722282257215584760,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview	0%	Avira URL Cloud	safe
https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paypal-dynamic.map.fastly.net	151.101.65.21	true	false		unknown
apilayer.net	18.210.254.78	true	false		unknown
partnerlinks.io	104.18.31.133	true	false		unknown
d296je7bbdd650.cloudfront.net	18.66.91.228	true	false		high
snippet.growsumo.com	104.18.2.70	true	false		high
cdnjs.cloudflare.com	104.17.24.14	true	false		high
best-face-serum.com	69.49.247.78	true	false		unknown
preview.webflow.com	54.242.54.202	true	false		high
www.google.com	142.250.185.68	true	false		high
uploads-ssl.webflow.com	18.66.112.117	true	false		high
grsm.io	104.18.10.212	true	false		unknown
stackpath.bootstrapcdn.com	104.18.11.207	true	false		high
accounts.google.com	172.217.18.13	true	false		high
sessions.bugsnag.com	35.190.88.7	true	false		high
webflow.refersion.com	104.18.40.222	true	false		high
maxcdn.bootstrapcdn.com	104.18.10.207	true	false		high
HHN-efz.ms-acdc.office.com	52.98.171.242	true	false		high
stripecdn.map.fastly.net	151.101.64.176	true	false		unknown
d3e54v103j8qbb.cloudfront.net	99.86.1.184	true	false		high
7bp2kqlfyczm.stspg-customer.com	52.215.192.132	true	false		unknown
webflow.com	35.169.14.133	true	false		high
m.stripe.com	54.184.107.160	true	false		high
www-fastly.glb.paypal.com	151.101.65.21	true	false		high
part-0017.t-0009.fdv2-t-msedge.net	13.107.237.45	true	false		unknown
clients.l.google.com	216.58.212.142	true	false		high
unpkg.com	104.16.123.175	true	false		high
m.stripe.network	unknown	unknown	false		high
outlook.live.com	unknown	unknown	false		high
www.paypal.com	unknown	unknown	false		high
cdn.segment.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
code.jquery.com	unknown	unknown	false		high
ow2.res.office365.com	unknown	unknown	false		high
exo.nel.measure.office.net	unknown	unknown	false		high
status.webflow.com	unknown	unknown	false		high
a.clarity.ms	unknown	unknown	false		unknown
www.clarity.ms	unknown	unknown	false		unknown
r4.res.office365.com	unknown	unknown	false		high
api.ipstack.com	unknown	unknown	false		unknown
js.stripe.com	unknown	unknown	false		high
www.sandbox.paypal.com	unknown	unknown	false		high
www.hotmail.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.stripe.com/v3/m-outer-93afeeb17bc37e711759584dbfc50d47.html#url=https%3A%2F%2Fpreview.webflow.com%2Fpreview%2Fsecure-document-59ad7d%3Futm_medium%3Dpreview_link%26utm_source%3Ddesigner%26utm_content%3Dsecure-document-59ad7d%26preview%3D9a2adf8bcbeeee4bfc926853e0f2eb24%26workflow%3Dpreview&title=Designer&referrer=&muid=NA&sid=NA&version=6&preview=false	false		high
https://outlook.live.com/owa/prefetch.aspx	false		high
https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview	false		high
https://preview.webflow.com/site/empty.html	false		high
https://m.stripe.network/inner.html#url=https%3A%2F%2Fpreview.webflow.com%2Fpreview%2Fsecure-document-59ad7d%3Futm_medium%3Dpreview_link%26utm_source%3Ddesigner%26utm_content%3Dsecure-document-59ad7d%26preview%3D9a2adf8bcbeeee4bfc926853e0f2eb24%26workflow%3Dpreview&title=Designer&referrer=&muid=NA&sid=NA&version=6&preview=false	false		high
https://best-face-serum.com/release/Odrivex%203%202/	false		unknown
https://outlook.live.com/owa/	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.99	unknown	United States		15169	GOOGLEUS	false
2.16.238.152	unknown	European Union		20940	AKAMAI-ASN1EU	false
104.18.10.207	maxcdn.bootstrapcdn.com	United States		13335	CLOUDFLARENETUS	false
152.199.19.160	unknown	United States		15133	EDGECASTUS	false
216.58.212.142	clients.l.google.com	United States		15169	GOOGLEUS	false
172.217.18.13	accounts.google.com	United States		15169	GOOGLEUS	false
18.66.112.117	uploads-ssl.webflow.com	United States		3	MIT-GATEWAYSUS	false
35.169.14.133	webflow.com	United States		14618	AMAZON-AESUS	false
52.98.171.242	HHN-efz.ms-acdc.office.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.190.88.7	sessions.bugsnag.com	United States		15169	GOOGLEUS	false
104.16.123.175	unpkg.com	United States		13335	CLOUDFLARENETUS	false
142.250.181.234	unknown	United States		15169	GOOGLEUS	false
23.96.225.71	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.40.222	webflow.refersion.com	United States		13335	CLOUDFLARENETUS	false
69.16.175.10	unknown	United States		20446	HIGHWINDS3US	false
54.242.54.202	preview.webflow.com	United States		14618	AMAZON-AESUS	false
54.184.107.160	m.stripe.com	United States		16509	AMAZON-02US	false
204.79.197.212	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
95.101.111.130	unknown	European Union		12956	TELEFONICATELXIUSES	false
18.66.91.228	d296je7bbdd650.cloudfront.net	United States		3	MIT-GATEWAYSUS	false
69.49.247.78	best-face-serum.com	United States		46606	UNIFIEDLAYER-AS-1US	false
104.17.24.14	cdnjs.cloudflare.com	United States		13335	CLOUDFLARENETUS	false
142.250.185.67	unknown	United States		15169	GOOGLEUS	false
142.250.185.68	www.google.com	United States		15169	GOOGLEUS	false
34.104.35.123	unknown	United States		15169	GOOGLEUS	false
18.210.254.78	apilayer.net	United States		14618	AMAZON-AESUS	false
99.86.1.184	d3e54v103j8qbb.cloudfront.net	United States		16509	AMAZON-02US	false
104.18.10.212	grsm.io	United States		13335	CLOUDFLARENETUS	false
104.18.2.70	snippet.growsumo.com	United States		13335	CLOUDFLARENETUS	false
104.45.184.134	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.11.207	stackpath.bootstrapcdn.com	United States		13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.185.131	unknown	United States		15169	GOOGLEUS	false
151.101.65.21	paypal-dynamic.map.fastly.net	United States		54113	FASTLYUS	false
13.107.237.45	part-0017.t-0009.fdv2-t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.181.228	unknown	United States		15169	GOOGLEUS	false
52.215.192.132	7bp2kqlfyczm.stspg-customer.com	United States		16509	AMAZON-02US	false
104.18.31.133	partnerlinks.io	United States		13335	CLOUDFLARENETUS	false
151.101.64.176	stripecdn.map.fastly.net	United States		54113	FASTLYUS	false
142.250.184.234	unknown	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	807406
Start date and time:	2023-02-14 17:21:43 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://preview.webflow.com/preview/secure-document-59ad7d?utm_medium=preview_link&utm_source=designer&utm_content=secure-document-59ad7d&preview=9a2adf8bcbeeee4bfc926853e0f2eb24&workflow=preview
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.phis.win@30/0@36/291

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.126.31.67, 20.190.159.0, 40.126.31.69, 20.190.159.73, 20.190.159.23, 20.190.159.64, 20.190.159.71, 40.126.31.73, 142.250.185.131, 34.104.35.123, 142.250.181.234, 142.250.185.99
Excluded domains from analysis (whitelisted): fonts.googleapis.com, prda.aadg.msidentity.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, login.live.com, fonts.gstatic.com, clientservices.googleapis.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Created / dropped Files

⊘No created / dropped files found

Static File Info

⊘No static file info