Edit tour

Windows Analysis Report
GasTechnologyPartnership.pdf

Overview

General Information

Sample name:	GasTechnologyPartnership.pdf
Analysis ID:	1615833
MD5:	b032e18d6fc45f4d1ca894c6e203d5ce
SHA1:	aa10156a60f0a1145bfc10788db7f26766d78986
SHA256:	1083d09f6d3069e0c5ce4e0bf04418532237e411e59662e32039418c9f04078c
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Antivirus detection for URL or domain

Yara detected HtmlPhish10

AI detected landing page (webpage, office document or email)

Phishing site or detected (based on various text indicators)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

IP address seen in connection with other malware

Invalid T&C link found

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

Acrobat.exe (PID: 5476 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\GasTechnologyPartnership.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7040 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6196 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1612 --field-trial-handle=1328,i,693445659236905266,17174218232691262086,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2052,i,707301809966039499,12431789452607259477,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
1.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
1.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.9.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /cdn-cgi/challenge-platform/h/b/flow/ov1/1040579449:1739625959:wSb2TEm14uTFk-oEzRNGMlrLjKqx-64zh1SsXiytOL0/9125fe502e1b5e5f/JqkVCYLRJMIxTo.96ylrkCmjruSlikGLnUxC9wppq3k-1739629801-1.1.1.1-oeVVb9_LpPZTyCvQ_2Aj9CPThhkweddgvWy7lM1S2c3QRsXIaaTAkVJMlVBm9TlG HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveContent-Length: 3583sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: text/plain;charset=UTF-8cf-chl: JqkVCYLRJMIxTo.96ylrkCmjruSlikGLnUxC9wppq3k-1739629801-1.1.1.1-oeVVb9_LpPZTyCvQ_2Aj9CPThhkweddgvWy7lM1S2c3QRsXIaaTAkVJMlVBm9TlGcf-chl-ra: 0sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://challenges.cloudflare.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/9g28j/0x4AAAAAAA6uHAjbAitLrelw/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 15 Feb 2025 14:30:02 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400cf-cache-status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1SuxzKV9W5Hm8EC6Lhl9c2T%2Fj%2BmKJBt43t0fInQloc1yRzKCbG19Dp3tdp79fwJsX3SZruTW5eZVo7vrC0St0y3w2ycx1cV6PeAOmV4TkniwDAAv5KGT4xRbwISjHlYET5EORsNLK3OSv5iui%2BW9o%2B7MZLdW%2FIZk8jVacmR%2BuBO6UjllQQrwAfKjkVPq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9125fe5aa89e42bc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1716&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2891&recv_bytes=1302&delivery_rate=1656267&cwnd=230&unsent_bytes=0&cid=99ec31a4f90d850b&ts=171&x=0"

Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_217.14.dr, chromecache_198.14.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: 2D85F72862B55C4EADD9E66E06947F3D0.2.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: 5ea30e9c-6ab6-4f66-9f6c-d3d7b7d6e6ae.tmp.3.dr, b2b13f84-2dce-41e4-aa35-d8094b8528f9.tmp.3.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: GasTechnologyPartnership.pdf	String found in binary or memory: https://ci4.googleusercontent.com/proxy/1pGOSXmFfcsucKNbbWKvS51B6NtaR-NO1Uwx7pJ8i-RRJ3yWiKB0vDQvoNCr
Source: GasTechnologyPartnership.pdf	String found in binary or memory: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u)
Source: chromecache_220.14.dr, chromecache_202.14.dr	String found in binary or memory: https://getbootstrap.com)
Source: chromecache_208.14.dr, chromecache_205.14.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_220.14.dr, chromecache_208.14.dr, chromecache_205.14.dr, chromecache_202.14.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_220.14.dr, chromecache_208.14.dr, chromecache_205.14.dr, chromecache_202.14.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: GasTechnologyPartnership.pdf	String found in binary or memory: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificat

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: classification engine

Classification label: mal72.phis.winPDF@32/103@49/19

Source: GasTechnologyPartnership.pdf	Initial sample: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=gbl_xx_dbu_ups_2211_signnotificationemailfooter&utm_medium=product&utm_source=postsend
Source: GasTechnologyPartnership.pdf	Initial sample: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u
Source: GasTechnologyPartnership.pdf	Initial sample: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/uci2u
Source: GasTechnologyPartnership.pdf	Initial sample: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificationEmailFooter&utm_medium=product&utm_source=postsend

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-02-15 09-29-38-746.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\GasTechnologyPartnership.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1612 --field-trial-handle=1328,i,693445659236905266,17174218232691262086,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2052,i,707301809966039499,12431789452607259477,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1612 --field-trial-handle=1328,i,693445659236905266,17174218232691262086,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2052,i,707301809966039499,12431789452607259477,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: GasTechnologyPartnership.pdf	Initial sample: PDF keyword /JS count = 0
Source: GasTechnologyPartnership.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: GasTechnologyPartnership.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	3 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GasTechnologyPartnership.pdf	0%	Virustotal		Browse

Source	Detection	Scanner	Label
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u	0%	Avira URL Cloud	safe
https://5320986944.businessapptools.com/next.php	100%	Avira URL Cloud	malware
https://5320986944-1317754460.cos.ap-singapore.myqcloud.com/bootstrap.min.js	0%	Avira URL Cloud	safe
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u)	0%	Avira URL Cloud	safe
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jsdelivr.map.fastly.net	151.101.1.229	true	false	high
stackpath.bootstrapcdn.com	104.18.10.207	true	false	high
sgp.file.myqcloud.com	43.152.64.193	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
e329293.dscd.akamaiedge.net	95.101.182.65	true	false	high
e8652.dscx.akamaiedge.net	92.123.17.129	true	false	high
maxcdn.bootstrapcdn.com	104.18.11.207	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
5320986944.businessapptools.com	69.49.246.64	true	false	high
code.jquery.com	151.101.130.137	true	false	high
cdnjs.cloudflare.com	104.17.25.14	true	false	high
challenges.cloudflare.com	104.18.94.41	true	false	high
www.google.com	216.58.206.36	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
cdn.jsdelivr.net	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
5320986944-1317754460.cos.ap-singapore.myqcloud.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://5320986944.businessapptools.com/next.php	false	Avira URL Cloud: malware	unknown
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	true		unknown
https://code.jquery.com/jquery-3.2.1.slim.min.js	false		high
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/pat/9125fe502e1b5e5f/1739629802804/374b58c21d0747b091960d5b9f9cae0fa3c35b7af8a15622fcf2261e0eb71326/OCoEaIv0MSUoKlC	false		high
https://challenges.cloudflare.com/turnstile/v0/api.js	false		high
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/1040579449:1739625959:wSb2TEm14uTFk-oEzRNGMlrLjKqx-64zh1SsXiytOL0/9125fe502e1b5e5f/JqkVCYLRJMIxTo.96ylrkCmjruSlikGLnUxC9wppq3k-1739629801-1.1.1.1-oeVVb9_LpPZTyCvQ_2Aj9CPThhkweddgvWy7lM1S2c3QRsXIaaTAkVJMlVBm9TlG	false		high
https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://cdn.jsdelivr.net/gh/pranaynamnaik/files@latest/micro-123787483.png	false		high
https://challenges.cloudflare.com/turnstile/v0/b/324d0dcf743c/api.js	false		high
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=9125fe502e1b5e5f&lang=auto	false		high
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/cmg/1	false		high
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/#	true		unknown
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	false		high
https://5320986944-1317754460.cos.ap-singapore.myqcloud.com/bootstrap.min.js	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/9g28j/0x4AAAAAAA6uHAjbAitLrelw/auto/fbE/new/normal/auto/	false		high
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/d/9125fe502e1b5e5f/1739629802804/adcRnfq0rV6-Gl_	false		high
https://a.nel.cloudflare.com/report/v4?s=1SuxzKV9W5Hm8EC6Lhl9c2T%2Fj%2BmKJBt43t0fInQloc1yRzKCbG19Dp3tdp79fwJsX3SZruTW5eZVo7vrC0St0y3w2ycx1cV6PeAOmV4TkniwDAAv5KGT4xRbwISjHlYET5EORsNLK3OSv5iui%2BW9o%2B7MZLdW%2FIZk8jVacmR%2BuBO6UjllQQrwAfKjkVPq	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	false		high
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com	5ea30e9c-6ab6-4f66-9f6c-d3d7b7d6e6ae.tmp.3.dr, b2b13f84-2dce-41e4-aa35-d8094b8528f9.tmp.3.dr	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.2.dr	false		high
https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u)	GasTechnologyPartnership.pdf	false	Avira URL Cloud: safe	unknown
https://getbootstrap.com/)	chromecache_208.14.dr, chromecache_205.14.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_220.14.dr, chromecache_208.14.dr, chromecache_205.14.dr, chromecache_202.14.dr	false		high
https://getbootstrap.com)	chromecache_220.14.dr, chromecache_202.14.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_220.14.dr, chromecache_208.14.dr, chromecache_205.14.dr, chromecache_202.14.dr	false		high
http://opensource.org/licenses/MIT).	chromecache_217.14.dr, chromecache_198.14.dr	false		high
https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificat	GasTechnologyPartnership.pdf	false		high
https://ci4.googleusercontent.com/proxy/1pGOSXmFfcsucKNbbWKvS51B6NtaR-NO1Uwx7pJ8i-RRJ3yWiKB0vDQvoNCr	GasTechnologyPartnership.pdf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
95.101.182.65	e329293.dscd.akamaiedge.net	European Union	20940	AKAMAI-ASN1EU	false
104.18.10.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
104.18.94.41	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
43.152.64.193	sgp.file.myqcloud.com	Japan	4249	LILLY-ASUS	false
151.101.130.137	code.jquery.com	United States	54113	FASTLYUS	false
69.49.246.64	5320986944.businessapptools.com	United States	46606	UNIFIEDLAYER-AS-1US	false
151.101.66.137	unknown	United States	54113	FASTLYUS	false
43.153.232.151	unknown	Japan	4249	LILLY-ASUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
151.101.1.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
104.17.24.14	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.11.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
92.123.17.129	e8652.dscx.akamaiedge.net	European Union	16625	AKAMAI-ASUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
95.101.182.112	unknown	European Union	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1615833
Start date and time:	2025-02-15 15:29:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GasTechnologyPartnership.pdf
Detection:	MAL
Classification:	mal72.phis.winPDF@32/103@49/19
Cookbook Comments:	Found application associated with file extension: .pdf

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 92.123.16.204, 18.213.11.84, 50.16.47.176, 54.224.241.105, 34.237.241.83, 172.64.41.3, 162.159.61.3, 199.232.214.172, 2.22.242.11, 2.22.242.123, 216.58.212.163, 142.250.185.142, 74.125.71.84, 142.250.185.78, 216.58.206.78, 142.250.185.170, 216.58.212.138, 142.250.184.206, 142.250.181.238, 142.250.186.46, 142.250.186.170, 172.217.18.10, 142.250.184.202, 172.217.23.106, 172.217.16.202, 216.58.206.74, 142.250.186.42, 172.217.16.138, 142.250.186.138, 142.250.186.74, 216.58.212.170, 216.58.206.42, 142.250.181.234, 142.250.184.234, 142.250.186.106, 172.217.18.106, 142.250.185.174, 142.250.185.206, 142.250.184.238, 142.250.186.174, 172.217.16.206, 216.58.206.67, 142.250.185.238, 2.19.106.160, 20.12.23.50, 23.56.162.204, 13.107.246.45, 13.107.253.45
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, slscr.update.microsoft.com, clientservices.googleapis.com, thesilkfactorycloudfileshub.click, acroipm2.adobe.com, clients2.google.com, redirector.gvt1.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, update.googleapis.com, gastechnologypartnership.thesilkfactorycloudfileshub.click, wu-b-net.trafficmanager.net, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ajax.googleapis.com, aadcdnoriginwus2.azureedge.net, ctldl.windowsupdate.com, aadcdn.msauth.net, p13n.adobe.io, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, edgedl.me.gvt1.com, armmf.adobe.com, aadcdnoriginwus2.afd.azureedge.net, clients.l.google.com, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:29:49	API Interceptor	3x Sleep call for process: AcroCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.101.182.65	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af4e37c622ca8b13b0643e/67af4e500930257798ab6691?signature=6622e2772a21e189f04bbff6dbd8020cb3c1977d0aa04e3285c329f387017382	Get hash	malicious	Unknown	Browse
	http://gaer.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	ID_60232912649455456988.eml	Get hash	malicious	HTMLPhisher	Browse
	http://office.biofcnn.com/GrEkVrfg	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse
	http://mm-2.uxr919zm.eu.org/	Get hash	malicious	Unknown	Browse
	http://cgcudtuctydcgujtd.d3e0e9479pu9h0.amplifyapp.com/	Get hash	malicious	TechSupportScam	Browse
	https://guildmortgage.filestoweb.com/COv5d	Get hash	malicious	HTMLPhisher	Browse
	5483691287.htm	Get hash	malicious	HTMLPhisher	Browse
	5483691287.htm	Get hash	malicious	HTMLPhisher	Browse
	https://click.mailchimp.com/track/click/30010842/forms.office.com?p=eyJzIjoiUU5MTE43blNUdEQxbUdOR3lwdVJ3M1kyVHBzIiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2Zvcm1zLm9mZmljZS5jb21cXFwvUGFnZXNcXFwvU2hhcmVGb3JtUGFnZS5hc3B4P2lkPWkwYWxtWEtzYWtDTnNoUThad2JsWnVHaXRELXJkRk5MbngxZkVDU0RBUGRVT1VWWE9WSTJUa0ZNVFRaSU1EUldUa2RZVmtWSlEwczBVUzR1JnNoYXJldG9rZW49cWhZMVVQRWtyM0NGdjJpcUlpTUtcIixcImlkXCI6XCIzYjUxMDE1ZDY0ODc0ZDdkOWMwNjg2OGM5Y2M5OWVjOFwiLFwidXJsX2lkc1wiOltcIjVkMTg5YTdhMzU1NWIyZWQ5ZjBlNmQ4ZTM3MWFjZmM1ZDE4NzMwYmRcIl19In0	Get hash	malicious	HTMLPhisher	Browse
104.18.10.207	http://desifoodcorner.wb4.xyz/	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0
	SecuriteInfo.com.Exploit.Siggen3.17149.11632.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.32268.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.4633.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.21631.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.14541.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.94.41	https://blovkdappfixkk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://sweet-truth-af82.igtyitifweh.workers.dev/admin/	Get hash	malicious	HTMLPhisher	Browse
	https://x1y.homitarnor.ru/ZESoY/#Dhelpdesk@cme.boxerproperty.com	Get hash	malicious	Unknown	Browse
	ID_60232912649455456988.eml	Get hash	malicious	HTMLPhisher	Browse
	https://online.fliphtml5.com/dxwae/aonn/	Get hash	malicious	HTMLPhisher	Browse
	https://app.getbeamer.com/product6322/en/heil-mechanical-inc-document-info	Get hash	malicious	Unknown	Browse
	phish_alert_iocp_v1.4.48 (57).eml	Get hash	malicious	HTMLPhisher	Browse
	https://jhnet.sakura.ne.jp/tentatively/cc/cc_jump.cgi?id=1534465659&url=https://link.mail.beehiiv.com/ss/c/u001.sdS3eWpjudN7fTp69IC9XT9OcVa73zYzUt9rrLynJmz9ZSXn9AUNAdWutA-C4dbkhVsDUD7yhN57lRXcC-TIt8sTXcmHELzrA8y2fhJ9nhkhaLvELdLDgZl22dVdGdS4yaUnpbz3JlwFPYwvh4KXF_qMWhefWBWupvWJ_DcA9-pvp-kTopZ2TcvvkdGdr5EBuxrp3NlLlwHHBBZIqb4I5fnt2gQudwwAxO4djd0uO8ppKz92X-rX7mtbGeu8yn8iuUR8p-gT77qPaNKFDkWZimosXxmW_GwxI4v99POqbQQlypjVRYjLgTWLmFGzwqBP69FgmYZ_789Wo7zpzwyNqnUyvnTqzWq1R7oel-VhDC3Oc_GI9gdfn9DnOvDuzI7D8wENPzNHEI6BLLrTzm-jVw/4ds/H90D6rggQ2uWp8c3ti8u1w/h11/h001.HSj78OBZ0DjeE1IKQy2351fOYStVYg0ibjpURBvbJFA#XBESTIE@GMAIL.COM	Get hash	malicious	Unknown	Browse
	2025_Simplified_Tips_to_Stay_on_Track.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://notifications.google.com/g/p/ANiao5qKfpKGd2jYVQDb7vORoVGY96M_apQZWQcfuLgUh0GZyBJANTtYK9_noZQ1711qN-Nnm0DMf_B0c07RxsIpTsLOXIG6nNUkP7-522wWZZkizIeUQoaYMxfvubAPN7K6vgKfJCjpF3Y3VSFZPtNm5n34HM86QMFnOVYHFycjRojvprEeSViyQqV_RbPVd9Nh3y1jQx8FWiMJd_UXkRWlNs4	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
stackpath.bootstrapcdn.com	https://we324msnbi.pages.dev/Xfi_files/prism-ui.esm-53da3fe.js	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
	https://we324msnbi.pages.dev/assets/favicons/default/site.webmanifest	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://webmail-server2.vercel.app/pp.html#darek.delton@state.ne.gov	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://wix-filters.autopolis.lt/modules/banner/banner.php?page_id=34&banner_id=386&url=https://tiny-raincoat-big.on-fleek.app/nova.html#Info@ips-intelligence.com	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://cgcudtuctydcgujtd.d3e0e9479pu9h0.amplifyapp.com/	Get hash	malicious	TechSupportScam	Browse	104.18.10.207
	https://careinternacional.com/.well-known/en/ahab/	Get hash	malicious	Unknown	Browse	104.18.10.207
	http://bafkreihpneoaanrtqm7jws6g2sgj3mto5db5vxnqqbquwhbtynkanbusfa.ipfs.flk-ipfs.xyz/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://master78.club/	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://rb.gy/g9uf0e#8zEXJynqyNOSci6LR?cbdQXrZMccbRbRccm0Rcdcjhczcgdzdmh3mcbbbcd	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://app.powerbi.com/view?r=eyJrIjoiYTg1YmYxMjMtODA5Mi00MWMwLTg1ZTItZTg2MGU1MzE5ODkxIiwidCI6IjE1MWMxNjZlLWM3ZWEtNGI1ZC1hMjQ3LTNkMTAyNTEzY2IwMyJ9	Get hash	malicious	Unknown	Browse	104.18.10.207
e329293.dscd.akamaiedge.net	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af5eb00c1882c8ec3f69d6/67af5ec97ca8d566b11e2a98?signature=66c3083f785cd7181708c087851b2abb37a20f51ffb2631c7fbdc20d93250623	Get hash	malicious	Unknown	Browse	92.123.12.139
	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af4e37c622ca8b13b0643e/67af4e500930257798ab6691?signature=6622e2772a21e189f04bbff6dbd8020cb3c1977d0aa04e3285c329f387017382	Get hash	malicious	Unknown	Browse	95.101.182.65
	https://aryenmotors.com/office365login/office-3D8/	Get hash	malicious	HTMLPhisher	Browse	95.101.182.112
	http://sbcjet5.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	95.101.182.112
	ID_60232912649455456988.eml	Get hash	malicious	HTMLPhisher	Browse	23.15.178.179
	Notification Detail.html	Get hash	malicious	Unknown	Browse	95.101.182.112
	https://online.fliphtml5.com/dxwae/aonn/	Get hash	malicious	HTMLPhisher	Browse	95.101.182.65
	2025_Simplified_Tips_to_Stay_on_Track.pdf	Get hash	malicious	HTMLPhisher	Browse	92.123.12.181
	http://office.biofcnn.com/GrEkVrfg	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	95.101.182.65
	phish_alert_iocp_v1.4.85.eml	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	95.101.182.112
e8652.dscx.akamaiedge.net	2025_Simplified_Tips_to_Stay_on_Track.pdf	Get hash	malicious	HTMLPhisher	Browse	23.209.209.135
	https://drive.google.com/uc?export=download&id=1CmHgECvh_EHGsZqLVn0a5drEg1A7U8vx	Get hash	malicious	Unknown	Browse	23.209.209.135
	Termax_Q1_2025_SKM00949343.pdf	Get hash	malicious	Unknown	Browse	92.123.17.129
	Michael.langedijk Vacations and salaries.pdf	Get hash	malicious	HTMLPhisher	Browse	72.246.169.163
	http://www.medici.co.za/import-assistance.html	Get hash	malicious	Unknown	Browse	72.246.169.163
	SASABB051008555001_13092023170716B8.pdf	Get hash	malicious	HTMLPhisher	Browse	104.76.201.34
	CONCONI SUD SA.pdf	Get hash	malicious	HTMLPhisher	Browse	23.209.213.129
	InvoiceData.exe	Get hash	malicious	Unknown	Browse	23.209.213.129
	https://www.jumbomail.me/j/4W3aiJGGX0a31Ac	Get hash	malicious	Unknown	Browse	2.19.105.127
	receipt-ach-ref782-file2722.pdf	Get hash	malicious	HTMLPhisher	Browse	2.19.245.44
jsdelivr.map.fastly.net	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af5eb00c1882c8ec3f69d6/67af5ec97ca8d566b11e2a98?signature=66c3083f785cd7181708c087851b2abb37a20f51ffb2631c7fbdc20d93250623	Get hash	malicious	Unknown	Browse	151.101.193.229
	https://livecoinbasechat.com	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://allocations-kelp.net	Get hash	malicious	Unknown	Browse	151.101.1.229
	https://blovkdappfixkk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://zxx-ingkx-pylters.cz1.us.kg/	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://appwebconnect.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	http://alert-account-verify.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://sweet-truth-af82.igtyitifweh.workers.dev/admin/	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://hsvxfzso.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	http://www.cdn196888888.com/	Get hash	malicious	Unknown	Browse	151.101.129.229
sgp.file.myqcloud.com	https://app.powerbi.com/view?r=eyJrIjoiYTg1YmYxMjMtODA5Mi00MWMwLTg1ZTItZTg2MGU1MzE5ODkxIiwidCI6IjE1MWMxNjZlLWM3ZWEtNGI1ZC1hMjQ3LTNkMTAyNTEzY2IwMyJ9	Get hash	malicious	Unknown	Browse	43.152.64.193
	https://guildmortgage.filestoweb.com/COv5d	Get hash	malicious	HTMLPhisher	Browse	43.153.232.152
	https://us-west-2.protection.sophos.com/?d=powerbi.com&u=aHR0cHM6Ly9hcHAucG93ZXJiaS5jb20vdmlldz9yPWV5SnJJam9pWWpBNU5UZGtPVEl0T1RVNVpDMDBNVEl3TFRrNFpqVXROR1U1T0dWaU5XVTVNRE01SWl3aWRDSTZJakUxTVdNeE5qWmxMV00zWldFdE5HSTFaQzFoTWpRM0xUTmtNVEF5TlRFelkySXdNeUo5&i=NjAzNTFlYmUxMmQ2N2MzMjNhNzYzZDg0&t=cXRBVTE0Z3RLSGRTdEd4cm1WNzFhUm4wLzUzdXZKYklHYmduYnhYNlpsVT0=&h=5e715a0526a946bcaa614abc851141f0&s=AVNPUEhUT0NFTkNSWVBUSVYXtWfTC_gnxLfx0tqsdWatsuMxIHchoBDvy0tVrFrMxg	Get hash	malicious	Unknown	Browse	43.152.64.207
	https://app.powerbi.com/view?r=eyJrIjoiMDA2ZDU1NjAtYWIzNS00NWI5LThmZjQtZGNkNzUzYjk3YWJhIiwidCI6IjE1MWMxNjZlLWM3ZWEtNGI1ZC1hMjQ3LTNkMTAyNTEzY2IwMyJ9	Get hash	malicious	Unknown	Browse	43.153.232.152
	ATTT003.html	Get hash	malicious	HTMLPhisher	Browse	43.152.64.193
	ATTT003.html	Get hash	malicious	HTMLPhisher	Browse	43.152.64.207
	ATTT003.html	Get hash	malicious	HTMLPhisher	Browse	43.152.64.207
	ATTT003.html	Get hash	malicious	HTMLPhisher	Browse	43.153.232.152
	Ferc Q1 2025 401(k) Statement-5997707969.pdf	Get hash	malicious	HTMLPhisher	Browse	43.153.232.151
	ATTT003.html	Get hash	malicious	HTMLPhisher	Browse	43.153.232.151

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	arm4.elf	Get hash	malicious	Mirai	Browse	88.221.149.135
	arm5.elf	Get hash	malicious	Mirai	Browse	95.100.100.163
	x86.elf	Get hash	malicious	Mirai	Browse	88.221.95.65
	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af4e37c622ca8b13b0643e/67af4e500930257798ab6691?signature=6622e2772a21e189f04bbff6dbd8020cb3c1977d0aa04e3285c329f387017382	Get hash	malicious	Unknown	Browse	95.101.182.65
	https://blovkdappfixkk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	2.22.242.136
	https://reprogrammer.livraison.3-75-178-102.cprapid.com/dpd/update.php	Get hash	malicious	Unknown	Browse	2.22.242.130
	http://gaer.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	2.21.65.135
	http://ctakkponmndiri.siitusressmi.web.id/	Get hash	malicious	Unknown	Browse	23.213.161.219
	http://worker-aged-art.dzvg.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	2.21.65.135
	https://zxx-ingkx-pylters.cz1.us.kg/	Get hash	malicious	Unknown	Browse	2.16.164.24
CLOUDFLARENETUS	FAIRSAFE_setup.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	Mansion_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Mansion_setup (1).exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Faersafe_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.Trojan.PWS.Lumma.1819.6945.4874.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.177.222
	772a09d8ce7f9f4da9fc0087f1cf84f12aedb2e2cfbf9989.bin.ps1	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af5eb00c1882c8ec3f69d6/67af5ec97ca8d566b11e2a98?signature=66c3083f785cd7181708c087851b2abb37a20f51ffb2631c7fbdc20d93250623	Get hash	malicious	Unknown	Browse	104.17.25.14
	p.zip	Get hash	malicious	Unknown	Browse	104.21.85.212
	p.zip	Get hash	malicious	Unknown	Browse	104.21.85.212
	telnet.spc.elf	Get hash	malicious	Unknown	Browse	1.13.38.131
CLOUDFLARENETUS	FAIRSAFE_setup.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	Mansion_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Mansion_setup (1).exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Faersafe_setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.Trojan.PWS.Lumma.1819.6945.4874.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.177.222
	772a09d8ce7f9f4da9fc0087f1cf84f12aedb2e2cfbf9989.bin.ps1	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	https://cle.soundestlink.com/ce/c/67af4e08a90b85f6c51e3649/67af5eb00c1882c8ec3f69d6/67af5ec97ca8d566b11e2a98?signature=66c3083f785cd7181708c087851b2abb37a20f51ffb2631c7fbdc20d93250623	Get hash	malicious	Unknown	Browse	104.17.25.14
	p.zip	Get hash	malicious	Unknown	Browse	104.21.85.212
	p.zip	Get hash	malicious	Unknown	Browse	104.21.85.212
	telnet.spc.elf	Get hash	malicious	Unknown	Browse	1.13.38.131

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.213220772892281
Encrypted:	false
SSDEEP:	6:iOXV2UfA19N+q2PRN2nKuAl9OmbnIFUtFV2UfAQmmZmw7V2UfAQmiVkwORN2nKui:7FCP+vaHAahFUtf//R/V5JHAaSJ
MD5:	7CFDE420145680E64F4E5A7BB142BECC
SHA1:	6F9B43C88F4921E3586CA272451338D8FB358A59
SHA-256:	5CC8763E9030E77C4CA0FDD17E8EBCE123D68BD6C0948B5E22D375DE70A985AE
SHA-512:	2203B182260CBE31617A490A43512D916B52457EBCC330312010EF414BA1A1312049CAACD89AC6833686D8F10694CF3AF3ADFBB069767D3EE48C74BC6CBCABE2
Malicious:	false
Reputation:	low
Preview:	2025/02/15-09:29:37.346 182c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/02/15-09:29:37.350 182c Recovering log #3.2025/02/15-09:29:37.350 182c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	Joe Sandbox AI: Score: 9 Reasons: The URL does not match the legitimate domain name associated with Microsoft, which is microsoft.com., The domain 'thesilkfactorycloudfileshub.click' is unusual and not associated with Microsoft., The use of a '.click' domain extension is uncommon for a well-known brand like Microsoft and can be a red flag., The URL contains multiple words concatenated together, which is a common tactic in phishing URLs to confuse users., The brand 'Microsoft' is well-known, and any legitimate site would likely use a recognizable domain. DOM: 1.1.pages.csv
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'., The URL 'gastechnologypartnership.thesilkfactorycloudfileshub.click' does not match the legitimate domain for Microsoft., The domain contains multiple words and a non-standard domain extension '.click', which is often used in phishing attempts., The presence of input fields for 'Email, phone, or Skype' is typical for Microsoft services, but the URL does not match Microsoft's domain, raising suspicion. DOM: 1.6.pages.csv

Source: Yara match	File source: 1.6.pages.csv, type: HTML
Source: Yara match	File source: 1.7.pages.csv, type: HTML
Source: Yara match	File source: 2.9.pages.csv, type: HTML

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	Joe Sandbox AI: Page contains button: 'Verifying...' Source: '1.0.pages.csv'
Source: PDF document	Joe Sandbox AI: Page contains button: 'REVIEW DOCUMENTS' Source: 'PDF document'
Source: PDF document	Joe Sandbox AI: PDF document contains prominent button: 'review documents'

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: Invalid link: Privacy statement
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: Invalid link: Privacy statement

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No favicon

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No <meta name="author".. found
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No <meta name="author".. found

Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No <meta name="copyright".. found
Source: https://gastechnologypartnership.thesilkfactorycloudfileshub.click/ucI2u/	HTTP Parser: No <meta name="copyright".. found

Source: Joe Sandbox View	IP Address: 95.101.182.65 95.101.182.65
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View	IP Address: 104.18.94.41 104.18.94.41

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.97.3

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: 5320986944-1317754460.cos.ap-singapore.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: 5320986944.businessapptools.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Feb 15 13:29:59 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9885588257097133
Encrypted:	false
SSDEEP:	48:8s8doTMcJHWidAKZdA1FehwiZUklqehSy+3:8sLvm1y
MD5:	2DA2A0E6773899C24B4E6A8521B88F18
SHA1:	9E1AF43CEBEAF5CC97E919D0660D0EBDA36FC340
SHA-256:	7ECD4EC063DEAE8394D8879AA95F26AB4084581F117A34FEE22D3EF9F58EAA6A
SHA-512:	FC40F10B193A0DCEF9C1013367C7294DD1BC2A5A9D3DB27665663CF8E2A90278F39C8E7C8EB35B5C8E2E9271F247D4C55D58E8C23B4800790B72478172CEFD9C
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....4......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IOZ.s....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VOZ.s....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VOZ.s....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VOZ.s..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VOZ.s...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............T4......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PDF document, version 1.7, 1 pages
Entropy (8bit):	7.80404833720663
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	GasTechnologyPartnership.pdf
File size:	68'605 bytes
MD5:	b032e18d6fc45f4d1ca894c6e203d5ce
SHA1:	aa10156a60f0a1145bfc10788db7f26766d78986
SHA256:	1083d09f6d3069e0c5ce4e0bf04418532237e411e59662e32039418c9f04078c
SHA512:	55c36ed9b057c62250806d528de4189908efe18d0198a41a194d5240d3e6d22b72a95a50eb0ea1f6075f7b95f515652cae8f51fdd11e647beede1cd327b31d8d
SSDEEP:	768:ygIDPBnp0Hln+lPi6WUhz+b0EV8JgZSK2xRxlxnf3xFCjQVJCkynhQ0Ph9bX9p9Y:4dPASK2/xPSjW4jbX/9Bx06DTyQHFmR
TLSH:	20639D178808ABCED16497C57F073D482A5F7750F1C469A2367DCA8F1B80E3A89D751E
File Content Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 26 0 R/MarkInfo<</Marked true>>/Metadata 94 0 R/ViewerPreferences 95 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0

General
Header:	%PDF-1.7
Total Entropy:	7.804048
Total Bytes:	68605
Stream Entropy:	7.882994
Stream Bytes:	60408
Entropy outside Streams:	5.268742
Bytes outside Streams:	8197
Number of EOF found:	2
Bytes after EOF:

Name	Count
obj	35
endobj	35
stream	10
endstream	10
xref	2
trailer	2
startxref	2
/Page	1
/Encrypt	0
/ObjStm	1
/URI	6
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

ID	DHASH	MD5
19	cca66d5555558acc	2ea40adc801642de7499a1ab11605616
20	cca66d5555558acc	61d4b6efaf4ef250d34e1564825cf588
21	6267756627352606	6e79e58153c6296a29f8ad34ada5bc3c
23	b24d4c8e4c291382	0c9afa24b1235f5a043b61b3804e1e68
24	a2008000008000a2	2401d9dd5055c7c0fde0e1ba20666811

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GasTechnologyPartnership.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\5ea30e9c-6ab6-4f66-9f6c-d3d7b7d6e6ae.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF6deb48.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b2b13f84-2dce-41e4-aa35-d8094b8528f9.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250215142940Z-166.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6516

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6516

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Windows Analysis Report
GasTechnologyPartnership.pdf