Edit tour

Windows Analysis Report
original (2).eml

Overview

General Information

Sample name:	original (2).eml
Analysis ID:	1640938
MD5:	c5f449000ffab5ae9bc32a3e4614ea76
SHA1:	c174c66215ff3e94f878843c938e479c444fe0db
SHA256:	553ebc2e1c7a6ed03ec6cdb0df5be7f60ad28e033b396d04ae36e5423bce0c4d
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

AI detected suspicious Javascript

AI detected suspicious elements in Email content

Creates files inside the system directory

Deletes files inside the Windows folder

Detected suspicious crossdomain redirect

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 7024 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\original (2).eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7156 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C8DC6384-3A0B-426B-8760-C7F8DC604A86" "95BBAE79-6410-4E7F-A7B0-1FF9DF940318" "7024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

OUTLOOK.EXE (PID: 6536 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7D5VXBYN\phish_alert_iocp_v1.4.85.eml" MD5: 91A5292942864110ED734005B7E005C0)

chrome.exe (PID: 6656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/dai1vzajkb.p%25c2%25adu%25C2%25adt%25C2%25ADr%25C2%25Adp%25C2%25ADo%25C2%25Adt%25c2%25adh%25C2%25aDm%25c2%25aDw%25c2%25ADe%25C2%25adr%25C2%25ADo%25C2%25aDr%25C2%25aDp%25c2%25adiw.t%25E2%2580%258bop%25E2%2580%258B%25E2%2580%258B/y2TYDIZDf&source=gmail&ust=1742307258851000&usg=AOvVaw2GgUzI0hp2jnZrbCF192Lv&LtfWxQqmrRSGf=MVTqSyHMki&JWbYjMpGB=iOSznYK&sIEKwEPjJiYw=ibQinnVwBu&BPkNYjbo=jILTWBcexOfcPwj&cuCoqckCZU=JJBfUKXheHPA&AwNCDi=PtROASWZhakuofg&PQoWKvrRr=roohznaOp&rqUwXvE=GcSfNGrMzVkLSzS&QtKuvWMoLiTSs=rJaGmQxqY&GoiSqFtcFyQUd=skLuWTpZuxeVu&WBlHgoKfBm=uxKbOQLTTECfim&CLagPILMHCaAR=xdswEZhoNqvOX&navhvgpnQg=ONXVKVjKH&uaaoQIrvhbZR=https://HQIOnJwkRcNfdR&pygAZxjSA=cGqHEKBg&MLdRMa=DQoyvELfJx&CELnAYgGvfGE=hiRTITUMwqjfHsb&aYXzjuNZs=vDJTADq&zZBBJRM=gRqAsccEFxeNi&ulDWzDukgBx=WzasrvbeuiJsVqh&HvvphPGs=XNLKzAXQbGax&cwvFccS=YyyAvkHxpvwHcI&DzMPlvyNlvOL=OKzNITUK MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,2454400271209340085,3763998520828507470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected suspicious Javascript

Source: 0.0..script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://37pj6q4eh7dxt5finjn4afsirfm7h3uyt3mjp3jzqm... This script demonstrates high-risk behavior by using obfuscated code to redirect the user to a suspicious domain, which is a common tactic in phishing and malware attacks. The use of `location.replace()` to redirect the user, combined with the heavily encoded URL, indicates a strong likelihood of malicious intent.

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: Contains suspicious obfuscated/encoded URLs with unusual patterns and random-looking domains (e.g., rvkqovku2797.com). Mismatched sender domain (firstontario.com) with newsletter subscription content and suspicious recipient domain (phisher.knowbe4.com). Uses common phishing tactics like fake confirmation buttons and social media links leading to suspicious domains

Source: Email

Classification: Credential Stealer

Source: unknown	HTTPS traffic detected: 142.250.184.228:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.45:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.45:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: www.google.com to https://cdn.ampproject.org/c/s/dai1vzajkb.p%c2%adu%c2%adt%c2%adr%c2%adp%c2%ado%c2%adt%c2%adh%c2%adm%c2%adw%c2%ade%c2%adr%c2%ado%c2%adr%c2%adp%c2%adiw.t%e2%80%8bop%e2%80%8b%e2%80%8b/y2tydizdf

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.131
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.131
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /url?hl=en&q=https://cdn.ampproject.org/c/s/dai1vzajkb.p%25c2%25adu%25C2%25adt%25C2%25ADr%25C2%25Adp%25C2%25ADo%25C2%25Adt%25c2%25adh%25C2%25aDm%25c2%25aDw%25c2%25ADe%25C2%25adr%25C2%25ADo%25C2%25aDr%25C2%25aDp%25c2%25adiw.t%25E2%2580%258bop%25E2%2580%258B%25E2%2580%258B/y2TYDIZDf&source=gmail&ust=1742307258851000&usg=AOvVaw2GgUzI0hp2jnZrbCF192Lv&LtfWxQqmrRSGf=MVTqSyHMki&JWbYjMpGB=iOSznYK&sIEKwEPjJiYw=ibQinnVwBu&BPkNYjbo=jILTWBcexOfcPwj&cuCoqckCZU=JJBfUKXheHPA&AwNCDi=PtROASWZhakuofg&PQoWKvrRr=roohznaOp&rqUwXvE=GcSfNGrMzVkLSzS&QtKuvWMoLiTSs=rJaGmQxqY&GoiSqFtcFyQUd=skLuWTpZuxeVu&WBlHgoKfBm=uxKbOQLTTECfim&CLagPILMHCaAR=xdswEZhoNqvOX&navhvgpnQg=ONXVKVjKH&uaaoQIrvhbZR=https://HQIOnJwkRcNfdR&pygAZxjSA=cGqHEKBg&MLdRMa=DQoyvELfJx&CELnAYgGvfGE=hiRTITUMwqjfHsb&aYXzjuNZs=vDJTADq&zZBBJRM=gRqAsccEFxeNi&ulDWzDukgBx=WzasrvbeuiJsVqh&HvvphPGs=XNLKzAXQbGax&cwvFccS=YyyAvkHxpvwHcI&DzMPlvyNlvOL=OKzNITUK HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Browser-Channel: stableX-Browser-Year: 2025X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.X-Client-Data: CLbgygE=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /c/s/dai1vzajkb.p%c2%adu%C2%adt%C2%ADr%C2%Adp%C2%ADo%C2%Adt%c2%adh%C2%aDm%c2%aDw%c2%ADe%C2%adr%C2%ADo%C2%aDr%C2%aDp%c2%adiw.t%E2%80%8bop%E2%80%8B%E2%80%8B/y2TYDIZDf HTTP/1.1Host: cdn.ampproject.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Browser-Channel: stableX-Browser-Year: 2025X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /c/s/dai1vzajkb.p%C2%ADu%C2%ADt%C2%ADr%C2%ADp%C2%ADo%C2%ADt%C2%ADh%C2%ADm%C2%ADw%C2%ADe%C2%ADr%C2%ADo%C2%ADr%C2%ADp%C2%ADiw.t%E2%80%8Bop%E2%80%8B%E2%80%8B/y2TYDIZDf HTTP/1.1Host: 37pj6q4eh7dxt5finjn4afsirfm7h3uyt3mjp3jzqm4x53yiuk7a.cdn.ampproject.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Browser-Channel: stableX-Browser-Year: 2025X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /y2TYDIZDf HTTP/1.1Host: dai1vzajkb.putrpothmwerorpiw.topConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://37pj6q4eh7dxt5finjn4afsirfm7h3uyt3mjp3jzqm4x53yiuk7a.cdn.ampproject.org/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdn.ampproject.org
Source: global traffic	DNS traffic detected: DNS query: 37pj6q4eh7dxt5finjn4afsirfm7h3uyt3mjp3jzqm4x53yiuk7a.cdn.ampproject.org
Source: global traffic	DNS traffic detected: DNS query: dai1vzajkb.putrpothmwerorpiw.top
Source: global traffic	DNS traffic detected: DNS query: wjak.1loms8mxr2scry5yj.com
Source: global traffic	DNS traffic detected: DNS query: google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 142.250.184.228:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.45:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.45:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6656_389474121

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6656_389474121

Source: classification engine

Classification label: mal48.winEML@31/6@25/190