
# Analysis Report https://trotech-my.sharepoint.com:443/:b:/g/personal/ikraam_efficient-trotech_co_za/EQccQ3Y1AFpPhkQAot32X-AB4gLH19tc9YKT5NxYgXT3FQ?e=4%3aIyocBb&at=9

## Overview

### General Information

Sample URL: https://trotech-my.sharepoint.com:443/:b:/g/personal/ikraam_efficient-trotech_co_za/EQccQ3Y1AFpPhkQAot32X-AB4gLH19tc9YKT5NxYgXT3FQ?e=4%3aIyocBb&at=9
Analysis ID: 289700
Most interesting Screenshot:

### Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

### Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_20
Machine Learning detection for dropped file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
HTML body contains low number of good links
HTML title does not match URL
Yara signature match

## Malware Configuration

No configs have been found
| Source | Rule | Description | Author |
|---|---|---|---|
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\login[1].htm` | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\login[1].htm` | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\login[2].htm` | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\index[1].htm` | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Antivirus detection for URL or domain
  Source: https://storage.googleapis.com/anonvariable-962929450/login.html?jhgnzon=TejqFBY5owQxiOCQsPZ4mNyG&mzsgv=3W1SRruGTOlM3ac76uzOte7TMJE&bhgb=gaN2wv1i1QNSFYdyjcZ4dqSalD6d&gbmrhjjss=aFeoYXdQrPDrzvs SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Multi AV Scanner detection for domain / URL
  Source: bomohsmtp.com Virustotal: Detection: 10%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Mise%20 %20jour%20substantielle%20urgente[1].pdf Joe Sandbox ML: detected

### Phishing:

Phishing site detected (based on favicon image match)
  Source: https://trotech-my.sharepoint.com/personal/ikraam_efficient-trotech_co_za/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fikraam%5Fefficient%2Dtrotech%5Fco%5Fza%2FDocuments%2FMicrosoft%20Teams%20Chat%20Files%2FMise%20%C3%A0%20jour%20substantielle%20urgente%2Epdf&parent=%2Fpersonal%2Fikraam%5Fefficient%2Dtrotech%5Fco%5Fza%2FDocuments%2FMicrosoft%20Teams%20Chat%20Files&originalPath=aHR0cHM6Ly90cm90ZWNoLW15LnNoYXJlcG9pbnQuY29tLzpiOi9nL3BlcnNvbmFsL2lrcmFhbV9lZmZpY2llbnQtdHJvdGVjaF9jb196YS9FUWNjUTNZMUFGcFBoa1FBb3QzMlgtQUI0Z0xIMTl0YzlZS1Q1TnhZZ1hUM0ZRP3J0aW1lPXFLelZsTGRnMkVn Matcher: Template: onedrive matched with high similarity
Yara detected HtmlPhish_20
  Source: Yara match File source: 128757.pages.csv, type: HTML
  Source: Yara match File source: 849224.0.links.csv, type: HTML
HTML body contains low number of good links
HTML title does not match URL
  Source: https://storage.googleapis.com/anonvariable-962929450/login.html?tolggu=jh48wQY8oDHoNI2jpKWPiEr&ghbuhozcn=odcSvHIvwoRH1hS&zeuqw=BLLUc1JD5ep4XPQDHbgS8Ju8WHGgd&jzyngprti=ibqdk4esKbPHmcGw3h9KsTTWPj7&zcxtipkl=4YxngIfPslkYXUolm7&qcoq=5biW4B35uoKOaunghgKiEMACLIscQh&eej=6kenvuDAPxOA8rdGRAwXf8jGQ&nfucfuro=eIf1lNcDn3BUbTU HTTP Parser: Title: does not match URL
  Source: https://storage.googleapis.com/anonvariable-962929450/login.html?jhgnzon=TejqFBY5owQxiOCQsPZ4mNyG&mzsgv=3W1SRruGTOlM3ac76uzOte7TMJE&bhgb=gaN2wv1i1QNSFYdyjcZ4dqSalD6d&gbmrhjjss=aFeoYXdQrPDrzvs HTTP Parser: Title: does not match URL
Invalid 'forgot password' link found
META author tag missing
META copyright tag missing
Found strings which match to known social media urls
Performs DNS lookups
  Source: unknown DNS traffic detected: queries for: trotech-my.sharepoint.com
Urls found in memory or binary data
Uses HTTPS
  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
  Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
  Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
  Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Yara signature match
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\login[1].htm, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\login[1].htm, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\login[2].htm, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\index[1].htm, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Classification label
  Source: classification engine Classification label: mal76.phis.win@23/140@9/3
Clickable URLs found in PDF
  Source: Mise%20 %20jour%20substantielle%20urgente[1].pdf.18.dr Initial sample: https://storage.googleapis.com/anonvariable-962929450/index.html
Creates files inside the user directory
  Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
  Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\Low
Reads ini files
  Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Spawns processes