Analysis Report ACH & WlRE REMlTTANCE ADVlCE.xlsx

Overview

General Information

Sample Name: ACH & WlRE REMlTTANCE ADVlCE.xlsx
Analysis ID: 321281
MD5: 75e913502474fa4bb098d201fd95d673
SHA1: f82825f0640281b5bd8b17957515700b346cc7a3
SHA256: c4fcd5eabfa2bd961ca72a963398df5f41d36f7eef3ea01f098ed42b4559de71

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_25
Phishing site detected (based on image similarity)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Steals Internet Explorer cookies

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://onggodwebs.typeform.com/to/ZLWgtC1e SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_25
Source: Yara match File source: 701188.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ZLWgtC1e[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ZLWgtC1e[2].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://images.typeform.com/images/EieTXNzHVqRh/background/large Matcher: Found strong image similarity, brand: Microsoft

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 99.86.0.85 99.86.0.85
Source: Joe Sandbox View IP Address: 162.247.242.18 162.247.242.18
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70379C3.jpeg
Source: unknown DNS traffic detected: queries for: onggodwebs.typeform.com
Source: vendors~form.d48f3fb79ce238c3dfbc[1].js.3.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vendors~form.d48f3fb79ce238c3dfbc[1].js.3.dr String found in binary or memory: http://www.jacklmoore.com/autosize
Source: renderer.d9cd9e242faababc210a[1].js.3.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: vendors~form.d48f3fb79ce238c3dfbc[1].js.3.dr String found in binary or memory: https://github.com/kof/animationFrame
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/CFFf65RuaPdt/image/default
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/EieTXNzHVqRh/background/large
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/EieTXNzHVqRh/background/large);background-position:top
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/FYUps4mFKPYK/image/default
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typ
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.cRoot
Source: imagestore.dat.3.dr String found in binary or memory: https://onggodwebs.typeform.com/favicon.ico
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://onggodwebs.typeform.com/oembed?url=https%3A%2F%2Fonggodwebs.typeform.com%2Fto%2FZLWgtC1e
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e6MRoot
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e6Meform.com/to/ZLWgtC1eRoot
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e6MlCR0S0FT
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e6Mom/?utm_campaign=ZLWgtC1e&utm_soom/to/ZLWgtC1e
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1e6Mom/to/ZLWgtC1e
Source: ~DF0C806608EFF04186.TMP.6.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1eFiles=C:
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1eRoot
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://onggodwebs.typeform.com/to/ZLWgtC1ex
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/blocks-matrix.0742b4167bc8af329e18.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/form.44ecc65af94e261e9930.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/modern-renderer.1dc96dfb1da55c4cfd25.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/phonenumber.ae56d052e4544f833f45.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/renderer.d9cd9e242faababc210a.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~attachment.61b4a881f6eb809fa6a2.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~blocks-ranking.877fc127e125b1d5effd.js
Source: ZLWgtC1e[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~form.d48f3fb79ce238c3dfbc.js
Source: {E1A8B7C1-2BA8-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://www.typeform.c
Source: ~DF20A6A3F7EB8521E3.TMP.2.dr String found in binary or memory: https://www.typeform.com/?utm_campaign=ZLWgtC1e&utm_source=typeform.com-17244355-Free&utm_medium=typ
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: classification engine Classification label: mal60.phis.winXLSX@8/73@18/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ACH & WlRE REMlTTANCE ADVlCE.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF018.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2304 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://onggodwebs.typeform.com/to/ZLWgtC1e
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2960 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://onggodwebs.typeform.com/to/ZLWgtC1e
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2304 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2960 CREDAT:275457 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

Stealing of Sensitive Information:

Steals Internet Explorer cookies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\2SFPAZKD.txt
Behavior Graph

Behavior Graph ID: 321281
Sample: ACH & WlRE REMlTTANCE ADVlCE.xlsx
Startdate: 20/11/2020
Architecture: WINDOWS
Score: 60

Sample node: contacts try.typeform.com and onggodwebs.typeform.com; signatures: Antivirus detection for URL or domain; Yara detected HtmlPhish_25; Phishing site detected (based on image similarity)

Process tree (child processes indented under their parent):
  • EXCEL.EXE (started from the sample): contacts onggodwebs.typeform.com, images.typeform.com, d2nvsmtq2poimt.cloudfront.net
    • iexplore.exe (started by EXCEL.EXE): contacts onggodwebs.typeform.com
      • iexplore.exe (started by iexplore.exe): contacts 54.149.50.128 (443, 49189, 49194; AMAZON-02US, United States), renderer-assets.typeform.com and 7 other IPs or domains; dropped file: C:\Users\user\AppData\...\ZLWgtC1e[2].htm, HTML
  • iexplore.exe (started from the sample)
    • iexplore.exe (started by iexplore.exe): contacts bam.nr-data.net (162.247.242.18, 443, 49176, 49177; NEWRELIC-AS-1US, United States), d2nvsmtq2poimt.cloudfront.net (143.204.201.126, 443, 49169, 49170; AMAZON-02US, United States) and 8 other IPs or domains; dropped file: C:\Users\user\AppData\...\ZLWgtC1e[1].htm, HTML

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
143.204.201.126 unknown United States 16509 AMAZON-02US false
99.86.0.85 unknown United States 16509 AMAZON-02US false
54.149.50.128 unknown United States 16509 AMAZON-02US false
162.247.242.18 unknown United States 23467 NEWRELIC-AS-1US false
50.112.221.239 unknown United States 16509 AMAZON-02US false
143.204.201.83 unknown United States 16509 AMAZON-02US false

Contacted Domains

Name IP Active
d296je7bbdd650.cloudfront.net 99.86.0.85 true
api.segment.io 50.112.221.239 true
d2citsn5wf4j9j.cloudfront.net 143.204.201.83 true
d2nvsmtq2poimt.cloudfront.net 143.204.201.126 true
bam.nr-data.net 162.247.242.18 true
onggodwebs.typeform.com unknown unknown
cdn.segment.com unknown unknown
try.typeform.com unknown unknown
renderer-assets.typeform.com unknown unknown
js-agent.newrelic.com unknown unknown
images.typeform.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.typeform.com/?utm_campaign=ZLWgtC1e&utm_source=typeform.com-17244355-Free&utm_medium=typeform&utm_content=typeform-footer&utm_term=EN false none high
https://onggodwebs.typeform.com/to/ZLWgtC1e false SlashNext: Fake Login Page type: Phishing & Social Engineering high