
Windows Analysis Report
https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url

Overview

General Information

Sample URL: https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url
Analysis ID: 1523779

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Phishing site detected (based on image similarity)
Phishing site detected (based on logo match)
Detected non-DNS traffic on DNS port
Found iframes
HTML body contains password input but no form action

Classification

  • System is w10x64
  • chrome.exe (PID: 560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2044,i,7567244149684416942,9825071640950979937,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6608 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3992 --field-trial-handle=2044,i,7567244149684416942,9825071640950979937,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6620 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=2044,i,7567244149684416942,9825071640950979937,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Phishing

Source: https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url LLM: Score: 9 Reasons: The brand 'Office 365' is well-known and commonly associated with Microsoft., The URL 'docs.google.com' does not match the legitimate domain for Office 365, which is 'office.com' or 'microsoft.com'., The URL 'docs.google.com' is associated with Google Docs, not Office 365., The input fields request sensitive information such as email addresses and passwords, which is a common tactic in phishing attempts. DOM: 0.0.pages.csv
Source: https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url Matcher: Found strong image similarity, brand: OFFICE
Source: https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url Matcher: Template: office matched
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1896787112&timestamp=1727828426581
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: Iframe src: /_/bscframe
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: <input type="password" .../> found
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: No favicon
Source: https://support.google.com/chrome/answer/6130773?hl=en HTTP Parser: No favicon
Source: https://support.google.com/accounts?hl=en&visit_id=638634252608336702-1752789113&rd=2&p=account_iph#topic=3382296 HTTP Parser: No favicon
Source: https://support.google.com/accounts/?hl=en&sjid=1193402883343399146-EU#topic=3382296 HTTP Parser: No favicon
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg%2Fviewform%3Fusp%3Dpp_url&ifkv=ARpgrqfOZp6NCsTsfbvZSfxDoaZi5nR5EJuNJRSv9lrXTrmFpbuFXEQLMZN8jK3eH2MO8c10NQSByQ&rip=1&sacu=1&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-603437513%3A1727828422398961&ddm=0 HTTP Parser: No <meta name="copyright".. found
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:54869 version: TLS 1.2