Windows Analysis Report
Message has been processed Request for Best Price Offer.msg

Overview

General Information

Sample name:Message has been processed Request for Best Price Offer.msg
Analysis ID:1538059
MD5:3fd5248616a4072f3eefc862a0b01177
SHA1:501dd5e6b268b88128e66d83477f04ad5db45a2a
SHA256:436b30930666eefe9b4f3114e0919bb5adedbcc75d15d7b32fa5c810ea5e17f6
Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7280 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Message has been processed Request for Best Price Offer.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7544 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CDFFC684-55B8-4BBF-993F-CA8D282ABB3A" "90DCD6BD-804E-417E-848D-A22B5F466C39" "7280" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma rule: Office Autorun Keys Modification (split)
  • Source: Registry Key set
  • Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113
  • Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: Message has been processed Request for Best Price Offer.msg; String found in binary or memory: https://knowledge.validity.com/hc/en-us/articles/20961730681243
Source: classification engine; Classification label: clean1.winMSG@3/10@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241020T0121420049-7280.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Message has been processed Request for Best Price Offer.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CDFFC684-55B8-4BBF-993F-CA8D282ABB3A" "90DCD6BD-804E-417E-848D-A22B5F466C39" "7280" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (57 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (signature hit counts in parentheses; entries without a count are the matrix template with no hits):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
  • Resource Development: Acquire Infrastructure, Domains, DNS Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows)
  • Defense Evasion: Masquerading (1), Process Injection (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: Process Discovery (1), System Information Discovery (13), Query Registry
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
  • Command and Control: Data Obfuscation, Junk Data, Steganography
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Behavior Graph ID: 1538059; Sample: Message has been processed ...; Start date: 20/10/2024; Architecture: WINDOWS; Score: 1. Process chain: OUTLOOK.EXE started ai.exe.

No Antivirus matches
Source: https://knowledge.validity.com/hc/en-us/articles/20961730681243; Detection: 0%; Scanner: Virustotal; Label: (none)
No contacted domains info
Name: https://knowledge.validity.com/hc/en-us/articles/20961730681243; Source: Message has been processed Request for Best Price Offer.msg; Malicious: false; Antivirus Detection: (none); Reputation: unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1538059
Start date and time:2024-10-20 07:20:38 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Message has been processed Request for Best Price Offer.msg
Detection:CLEAN
Classification:clean1.winMSG@3/10@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 20.42.65.85, 104.208.16.95
  • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, onedscolprdcus20.centralus.cloudapp.azure.com, onedscolprdeus05.eastus.cloudapp.azure.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, neu-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Input / Output

Model: claude-3-5-sonnet-20240620

Output:
{
  "explanation": [
    "The email appears to be a legitimate business communication requesting a price offer",
    "The sender's email address matches the signature and seems to be from a real company",
    "The content and structure of the email are professional and consistent with normal business practices"
  ],
  "phishing": false,
  "confidence": 8
}
Input:

Is this email content a phishing attempt? Please respond only in valid JSON format:
    Email content converted to JSON:
{
    "date": "Thu, 17 Oct 2024 18:06:58 +0200", 
    "subject": "Message has been processed :Request for Best Price Offer", 
    "communications": [
        "Dear Sir/Madam,\n\n\n\n\nI hope this message finds you well.\n\n\n\n\nPlease find the attached Letter of Intent (LOI), provided for your reference. We would appreciate it if you could kindly offer your most competitive price.\n\n\n\n\nThank you for your time and consideration.\n\n\n\n\nBest regards,\n\n\n\n\nMohammadjavad Haghshenas Lari\n\nExport Sales Account Manager\n\nSales & Marketing Dept.\n\nArya Sasol Polymer Company\n\nPars Special Economic Energy Zone (PSEEZ), Iran\n\nIP Phone:    +98 21 8592 2924\n\nCell Phone: +98 905 340 5259\n\n"
    ], 
    "from": "\"Mohammadjavad Haghshenas\" <haghshenasm@aryasasol.com>", 
    "to": "<sales7@sabasea.com>"
}
Input: Email; Model: claude-3-haiku-20240307

Output:

```json
{
  "contains_trigger_text": true,
  "trigger_text": "Please find the attached Letter of Intent (LOI), provided for your reference. We would appreciate kindly offer your most competitive price.",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
```
Input: Email; Model: claude-3-haiku-20240307

Output:

```json
{
  "brands": [
    "Arya Sasol Polymer Company"
  ]
}
```
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.391545287863859
Encrypted:false
SSDEEP:1536:pNYLrYxgsCvPe7gG3WvgsfFNcAz79ysQqt2DjylqoQHlrcm0FvZmsyDnWDLy60+0:o6gg7pagimiGu2cqoQFrt0FvIK6Av4Jb
MD5:D08DE6FECD84B16A0375A21BDB828547
SHA1:822520561AC7BD4C7D1D3EB6047014DBDA911A60
SHA-256:C6DA411A52A13F30F643382458D929B686529180EEDB5B0A1D60F0556D654917
SHA-512:E34F88E690E138A2C9964D3E655CA0CDD4D3AD36C804D805C151339111881557F86E98E94E6951C69DB6D52D16481818003489660D3031D60E652D25D33983C5
Malicious:false
Reputation:low
Preview:TH02...... ...X."......SM01X...,....hC."..........IPM.Activity...........h...............h............H..h..V.......7`...h............H..h\jon ...ppDa...h....0...P.V....hb.Q............h........_`.j...h..Q.@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h..k7....h.V...#h....8.........$h........8....."hx.............'h..f...........1hb.Q.<.........0h....4.....j../h....h......jH..h....p.....V...-h .........V...+h..Q......V................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.045583106806383875
Encrypted:false
SSDEEP:3:Gtlxtjlj92Z+qvjuoPlxtjlj92Z+qvj2/lll1R9//8l1lvlll1lllwlvlllglbep:GtDYAq71PDYAq7Slt9X01PH4l942wU
MD5:2A5FB0A7318C240989C3EB8EBC8568F0
SHA1:83392469058BF7507D646BFFCE2D62C4806D26A0
SHA-256:98E69400BFE84E5EE9ABE0868E389F3B33B38D5103E8AD03C51C5D1CB7BD7237
SHA-512:82D958772A05B64A2D4F5D3AC1833F12603D2192C19E5A347A5F30C6676045DD9B43367FF5358CB053A66D6A636643B2ED90EFBD0EB74D4909F0D45B246F63C0
Malicious:false
Reputation:low
Preview:..-.....................C..Xn.^o..=[...y.I....k...-.....................C..Xn.^o..=[...y.I....k.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.4835353849347518
Encrypted:false
SSDEEP:48:9gtJQ1cvF/Ull7DYMc2gbzO8VFDYMcVIBO8VFDYML:9Tll4djVGgjVGC
MD5:5917756C503AA7F779D2B488F9CC05DF
SHA1:665D0B8E019483BC03AC579502313453CF352D74
SHA-256:AB2BB50934576D71AAF95CFC43184BC3A2AFCD7E04A0B81D6B771A0AA6DAD53D
SHA-512:786BD5B625891130799C49D7BBF0A2A15C5BBFB3452FCA4E9576B09AE20AF5D989ADCFEA2240FF74CB970068B6C48DCB0167F4BA94954193FB76D93564AD8E75
Malicious:false
Reputation:low
Preview:7....-............=[...y0$..a..T..........=[...y.s\D..#bSQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28773), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16107919210437227
Encrypted:false
SSDEEP:1536:DceeTz2/TzZbXDlRPJm1VQZ2k2U7C3HQRpdjAveQqIUj14y/T9B7smB:EzoBbXmV7Kx
MD5:EA5716775BEEDB61DE68153D718B8F35
SHA1:D830C1FC3CB14D21EE35100B62D23A6354AE10AD
SHA-256:D5684A7D6E400E04F2BED93E8A7BE3405E1043E18069D8C0D6D460C53F3A3166
SHA-512:8D72BF2D048B0424D0AD503032B04079724312968F07510BBF4301060E1C056CA92FD95071833CAED904084B082EA69226FFD592AF0C562A8A771B05039944FB
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/20/2024 05:21:42.440.OUTLOOK (0x1C70).0x1C74.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":16,"Time":"2024-10-20T05:21:42.440Z","Contract":"Office.System.Activity","Activity.CV":"auODTPZp202MPZPb25jk4A.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/20/2024 05:21:42.456.OUTLOOK (0x1C70).0x1C74.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":18,"Time":"2024-10-20T05:21:42.456Z","Contract":"Office.System.Activity","Activity.CV":"auODTPZp202MPZPb25jk4A.4.10","Activity.Duration":10277,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Reputation:high, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):102400
Entropy (8bit):4.590403084174379
Encrypted:false
SSDEEP:768:jL+hUVHmvwg2RXn4S08mM9RuLhXL19BZEEEVVFAkKM8q05bzVqNeXgWoWnlT1Wkf:Jr4SuM9RuLhX7rX
MD5:50211F2453B58A7FBE3F49B82632F501
SHA1:3601EFEDBABDD6327657BAFFC9F9FB8701360CD9
SHA-256:99510350D01875A27974E08EB5B4A0034DE251702C87FF76DAB263169D62D5CD
SHA-512:1079E48F02D3893F95DBCDB3B6EAF3320CCDE3BFE6198CD1219788AA50ED2661CA461015F373F648F05A8B2DA87EC1C2EAF135729514E61558B6A73BE3937164
Malicious:false
Reputation:low
Preview:............................................................................b...t...p.....}."..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................z\L..............}."..........v.2._.O.U.T.L.O.O.K.:.1.c.7.0.:.e.f.9.d.a.8.c.8.8.7.c.1.4.e.c.f.9.f.8.1.e.d.4.6.7.a.8.a.0.9.c.9...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.0.T.0.1.2.1.4.2.0.0.4.9.-.7.2.8.0...e.t.l.............P.P.t...p.....}."..................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):163840
Entropy (8bit):0.3331489686023434
Encrypted:false
SSDEEP:192:t+GmCyr4jkDgrfP5zt7vi/WuQNgz0XHWQOAqAbAFAqwNh/:tiCdAWfhztsz0XHOAqMu
MD5:48B4B161F4B3859E0DD58FB721E78D79
SHA1:ED907614C2FEEE86E0E0F1CBD77F33F20860094F
SHA-256:41DBBCE2E551B424E5FE829AE969B77F17515A0A81B2974297E8AA526F8D6C67
SHA-512:3782C72E2190329FEE201F656C34820A5EB1672BFC3CF0F0C4B7648600A3E443BA5B5BBE9649E21CC2589B34B781E1DBCB8A030F83A668A7D3EFC5DB86C2849A
Malicious:false
Reputation:low
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:qnl7v:ql
MD5:47C484E6CA7DFA0BC3D28607091B83E4
SHA1:AC4E650E6C8B369A585180C7C8EF877FF8CBDA7E
SHA-256:6A80832060EFE1626F339CFB52460DF14A68FE77F84AC205B63A725638162ECD
SHA-512:33AC5084106C9B07D209A6BAE29B66F5E083E526522C940ECC543B9A592271A0127DB402874F96BE21CEDDA8FD917B6E9E74A2B4580D41824E2D3CFAB24E92FC
Malicious:false
Reputation:low
Preview:..............................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):1.2823632283228343
Encrypted:false
SSDEEP:768:AxQcDwhOP551E9CB5LdnO8lt3kacWmMGh5SHtNVTIS7p:5OPP1E+5hnO8ga0SHtgQ
MD5:41A3556E1DF92C581F06766035BA232F
SHA1:20FEBCDA70E0D9972F4FC6E04C960D14B54AA5E1
SHA-256:2BB0A3CB087C369F5E4121FEA7ADE8F4124EF43F4AE2D5B63EAED5B818C1C390
SHA-512:457AA4885285E6647B8D8B0AD57174D5B6684C004D9DD2B553E03E1C57643C6F92F7D605C7AF6FDB0891F5756C19CC09825AE9C37FACD54686C883EE6F45576E
Malicious:false
Reputation:low
Preview:!BDN...$SM......\...............*.......U................@...........@...@...................................@...........................................................................$.......D.......T..............&...............)...........................................................................................................................................................................................................................................................................................x........c}...G.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.7935380768751171
Encrypted:false
SSDEEP:192:YfkwjTIIJ27DeGV2rzEiJa3NuLRhpvRhZRvGx5XWc:sjTIgSDeejig3NwL51vGx
MD5:B8FD3B1EDCE91C98E1E84522B0E594C4
SHA1:7C9CDD97B864CE6CD8F206313FE4FF60C2A6D87C
SHA-256:F6873C32933229A32046CBB225E22A6D977D0CD824FBB590CC663C188045349F
SHA-512:998211F6F9578037FC828FB3487BAFFEE8197551EA0BB66548F81CC1007552175FF9B746080EFB9E864366376B8E4A5BCAC167F910B8F883F850F00DDF7DE699
Malicious:false
Preview:....C...R.......p......."....................#.!BDN...$SM......\...............*.......U................@...........@...@...................................@...........................................................................$.......D.......T..............&...............)...........................................................................................................................................................................................................................................................................................x........c}...G.....".......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:CDFV2 Microsoft Outlook Message
Entropy (8bit):4.108964691575022
TrID:
  • Outlook Message (71009/1) 58.92%
  • Outlook Form Template (41509/1) 34.44%
  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:Message has been processed Request for Best Price Offer.msg
File size:35'840 bytes
MD5:3fd5248616a4072f3eefc862a0b01177
SHA1:501dd5e6b268b88128e66d83477f04ad5db45a2a
SHA256:436b30930666eefe9b4f3114e0919bb5adedbcc75d15d7b32fa5c810ea5e17f6
SHA512:735f4444fb23e76c5709d95e4589b1f8651afc174e09b0078bf41a2ab080e3b37a6f1943c3749dc87d4a83f06d00a92e7287e2ff1e0bc5df414b5c701ae591b0
SSDEEP:768:joEoPXwcasKisKFLZ+o3nmsK2sK2txvPdpO:rca69gNu+txHdp
TLSH:79F29B113AE94605F27BDE760EE28596C6277C82ED31D68F319D730E0B73940E971B2A
File Content Preview:........................>......................................................................................................................................................................................................................................
Subject:Message has been processed :Request for Best Price Offer
From:"Mohammadjavad Haghshenas" <haghshenasm@aryasasol.com>
To:<sales7@sabasea.com>
Cc:
BCC:
Date:Thu, 17 Oct 2024 18:06:58 +0200
Communications:
  • Dear Sir/Madam, I hope this message finds you well. Please find the attached Letter of Intent (LOI), provided for your reference. We would appreciate it if you could kindly offer your most competitive price. Thank you for your time and consideration. Best regards, Mohammadjavad Haghshenas Lari Export Sales Account Manager Sales & Marketing Dept. Arya Sasol Polymer Company Pars Special Economic Energy Zone (PSEEZ), Iran IP Phone: +98 21 8592 2924 Cell Phone: +98 905 340 5259
Attachments:
    Key Value
    Received:from mail0.somccrop.com ([193.27.90.180]:37804) by vip16-233.cp.htz.privatedns.biz with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <reply43@somccrop.com>) id 1t1LA1-0004xX-3B for sales7@sabasea.com; Thu, 17 Oct 2024 07:43:07 +0000
    From:"Mohammadjavad Haghshenas" <haghshenasm@aryasasol.com>
    To:<sales7@sabasea.com>
    Subject:Message has been processed :Request for Best Price Offer
    Date:Thu, 17 Oct 2024 19:36:58 +0330
    Message-ID:<20241017090658.B7251B3CB59526AE@aryasasol.com>
    MIME-Version:1.0
    Content-Type:multipart/alternative;
    X-Mailer:Microsoft Outlook 16.0
    Thread-Index:AQJEKqsz37kiIxGoS5uUdnhR1ABexw==
    X-Spam-Status:No, score=2.6
    X-Spam-Score:26
    X-Spam-Bar:++
    X-Ham-Report:Spam detection software, running on the system "vip16-233.cp.htz.privatedns.biz", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Dear Sir/Madam, I hope this message finds you well. Please find the attached Letter of Intent (LOI), provided for your reference. We would appreciate it if you could kindly offer your most competitive price. Content analysis details: (2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.7 DEAR_SOMETHING BODY: Contains 'Dear (something)' 0.5 JMQ_SPF_NEUTRAL ASKDNS: SPF set to ?all [somccrop.com TXT:v=spf1 a mx ptr a:somccrop.com] [ip4:193.27.90.0/24 ?all] -0.0 SPF_PASS SPF: sender
    ord 0.0 DATE_IN_FUTURE_06_12 Dateis 6 to 12 hours after Received: date 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.27.90.180 listed in sa-trusted.bondedsender.org] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.27.90.180
    X-Spam-Flag:NO
    X-MimeOLE:Produced By Microsoft MimeOLE
    date:Thu, 17 Oct 2024 18:06:58 +0200

    Icon Hash:c4e1928eacb280a2
    No network behavior found

    Target ID:0
    Start time:01:21:38
    Start date:20/10/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Message has been processed Request for Best Price Offer.msg"
    Imagebase:0xf0000
    File size:34'446'744 bytes
    MD5 hash:91A5292942864110ED734005B7E005C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:1
    Start time:01:21:44
    Start date:20/10/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CDFFC684-55B8-4BBF-993F-CA8D282ABB3A" "90DCD6BD-804E-417E-848D-A22B5F466C39" "7280" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Imagebase:0x7ff6a7fc0000
    File size:710'048 bytes
    MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly