
Analysis Report https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2

Overview

General Information

Sample URL:https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2
Analysis ID:321201

Most interesting Screenshot:

Detection

HTMLPhisher
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected HtmlPhish_7
Yara detected obfuscated html page
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found
Yara detected Encrypted html page by third party services

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6716 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6764 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6716 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5912 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6716 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • dllhost.exe (PID: 5212 cmdline: C:\Windows\system32\DllHost.exe /Processid:{49F171DD-B51A-40D3-9A6C-52D674CC729D} MD5: 2528137C6745C4EADD87817A1909677E)
    • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\OM9u8[1].htm
Rule:JoeSecurity_Obshtml
Description:Yara detected obfuscated html page
Author:Joe Security

Source:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\OM9u8[1].htm
Rule:JoeSecurity_Encryptedhtml
Description:Yara detected Encrypted html page by third party services
Author:Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2 | SlashNext: detection malicious, Label: Fake Login Page, type: Phishing & Social Engineering

Antivirus detection for URL or domain
Source: https://eagleeyeproduce-my.sharepoint.com/personal/mckrayp_eagleeyeproduce_com/_layouts/15/Doc.aspx?sourcedoc={d4c629da-9f03-4e7a-aa1b-d8e20fe01b70}&action=view&wd=target%28INV.one%7C599a019e-a35f-45c7-9412-5dae347e7e53%2FJosh%20Woods%C2%A0Shared%20PDF%20Document%20with%20you%7C442b4d04-5062-47cb-8554-05bc78fc39be%2F%29 | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://sbccpro.com/OMMOM/OM9u8 | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://sbccpro.com/OMMOM/OM9u8 | UrlScan: Label: phishing, brand: onedrive
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | UrlScan: Label: phishing, brand: office 365
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | UrlScan: Label: phishing, brand: microsoft
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php9u8/ | Avira URL Cloud: Label: phishing
Source: https://sbccpro.com/OMMOM/OM9u8// | Avira URL Cloud: Label: phishing
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.phpZw | Avira URL Cloud: Label: phishing
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php0 | Avira URL Cloud: Label: phishing

Phishing:

Yara detected HtmlPhish_7
Source: Yara match | File source: 065367.pages.csv, type: HTML

Yara detected obfuscated html page
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\OM9u8[1].htm, type: DROPPED

Phishing site detected (based on image similarity)
Source: https://sbccpro.com/OMMOM/OM9u8/images/Onedrive-logo.png | Matcher: Found strong image similarity, brand: Microsoft

Phishing site detected (based on logo template match)
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | Matcher: Template: office matched
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | Matcher: Template: microsoft matched

HTML body contains low number of good links
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php | HTTP Parser: Number of links: 0
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: Number of links: 1
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | HTTP Parser: Number of links: 0

HTML title does not match URL
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php | HTTP Parser: Title: One Drive does not match URL
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: Title: One Drive does not match URL
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | HTTP Parser: Title: Sign in to your Microsoft account does not match URL

Invalid T&C link found
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: Invalid link: Terms
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: Invalid link: Privacy & Cookies

Yara detected Encrypted html page by third party services
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\OM9u8[1].htm, type: DROPPED

Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php | HTTP Parser: No <meta name="author".. found
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: No <meta name="author".. found
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | HTTP Parser: No <meta name="author".. found
Source: https://sbccpro.com/OMMOM/OM9u8/Othermail.php | HTTP Parser: No <meta name="copyright".. found
Source: https://sbccpro.com/OMMOM/OM9u8/Office365.php | HTTP Parser: No <meta name="copyright".. found
Source: https://sbccpro.com/OMMOM/OM9u8/Outlook.php | HTTP Parser: No <meta name="copyright".. found
Source: iexplore.exe, 00000001.00000002.471992806.00000268CD973000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.404496587.000000000F113000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000001.00000002.471992806.00000268CD973000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.404496587.000000000F113000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000001.00000002.471992806.00000268CD973000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.404496587.000000000F113000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000001.00000002.471992806.00000268CD973000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.404496587.000000000F113000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://