Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-03-10T103931.828.eml

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious elements in Email content

AI Classification

Signatures

Tries to load missing DLLs

Signatures

Spawns processes

Signatures

Allocates a big amount of memory (probably used for heap spraying)

Signatures

Creates files inside the user directory

Signatures

Queries a list of all running processes

Signatures

Queries the volume information (name, serial number etc) of a device

Checks the free space of harddrives

Queries the cryptographic machine GUID

Checks if Microsoft Office is installed

Signatures

Uses HTTPS

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signatures

Performs DNS lookups

Signatures

Performs DNS lookups

Uses HTTPS

Execution Graphs are highly condensed control flow graphs which give the user a synthetic view of the code detected during Hybrid Code Analysis. They include additional runtime information such as the execution status which is highlighted with different colors and shapes.

Entrypoint

Program entry point, most likely the entry point of the PE file.

Key Decision

A code location where a decision has been made to avoid execution of potentially malicious behavior.

Dynamic / Decrypted

Code which has been generated at runtime, often referred to as unpacked or self-modifying code.

Unpacker / Decrypter

Code section which is responsible for unpacking or decrypting a portion of dynamic code.

Executed

Code which has been executed at runtime.

Not Executed

Code which has not been executed at runtime.

Unknown

Code for which it is unknown if it has been executed or not at runtime.

Signature Matched

Code which matches a behavioral signature.

Rich Path

Path through the execution graph which shows a lot of behavior (e.g. with respect to called API functions).

Thread / callback entry

Code corresponding to a thread or callback entry point.

Thread / callback creation

Edges denoting either a thread creation (e.g. using CreateThread) or a callback registration (e.g. EnumWindows).

Entrypoint

VBA program entry point such as Document_Open.

Decryption Function

Function likely responsible for string decryption.

Executed

This line was executed during analysis.

Not Executed

This line was likely not executed during analysis.