Analysis Report cremocompany-Invoice_216083-xlsx.html

Overview

General Information

Sample Name: cremocompany-Invoice_216083-xlsx.html
Analysis ID: 339241
MD5: 1a47aae367d4ac2427943631bd4d08f5
SHA1: 87fc8341efabb13c8a33d6acb28bb6e5a5d23b54
SHA256: 9c7b05df9abde7ae8d91cfea08ca275132a6692bec1875aca9c49f1b74f766c9

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_6
Obfuscated HTML file found
Phishing site detected (based on image similarity)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

Phishing:

Yara detected HtmlPhish_6
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\5343434322[1].js, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\7565654564[1].js, type: DROPPED
Phishing site detected (based on image similarity)
Source: http://svgur.com/i/G6D.svg Matcher: Found strong image similarity, brand: Microsoft
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Title: Microsoft Office Center does not match URL
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Invalid link: Privacy & cookies
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: Form action: http://www.tanikawashuntaro.com/dir/443545/009808989.php?455455667-78766
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.138.65:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.138.65:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.207.103.145:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.207.103.145:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 145.239.131.51:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 145.239.131.51:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 51.91.224.95:443 -> 192.168.2.3:49737 version: TLS 1.2

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 145.239.131.51 145.239.131.51
Source: Joe Sandbox View IP Address: 51.91.224.95 51.91.224.95
Source: Joe Sandbox View IP Address: 216.239.38.21 216.239.38.21
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKLink: <https://webmention.herokuapp.com/api/webmention>; rel="webmention"ETag: sha1-0BoicgkYt4Ezi1u/kgKyQaX5nuQ= sha256-BNKSSO46E6B0UYyToY1u/Ekb8fKY+bh/yYmmrkufrXo=X-Cloud-Trace-Context: e26ffe84e2d12ae06f60b0d77789b2e8Content-Type: image/svg+xmlContent-Encoding: gzipDate: Wed, 13 Jan 2021 02:15:36 GMTServer: Google FrontendContent-Length: 1569Age: 53971Cache-Control: public, max-age=315360000
Source: global traffic HTTP traffic detected: GET /99821182021/5343434322.js HTTP/1.1Accept: application/javascript, */*;q=0.8Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: yourjavascript.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /18210902102/7565654564.js HTTP/1.1Accept: application/javascript, */*;q=0.8Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: yourjavascript.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vHgYSJgT/arrow.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.postimg.ccConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /i/G6D.svg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: svgur.comConnection: Keep-Alive
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26cf680a,0x01d6ea1b</date><accdate>0x26cf680a,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26cf680a,0x01d6ea1b</date><accdate>0x26cf680a,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x26d42ca9,0x01d6ea1b</date><accdate>0x26d42ca9,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x26d42ca9,0x01d6ea1b</date><accdate>0x26d42ca9,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26d42ca9,0x01d6ea1b</date><accdate>0x26d42ca9,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26d42ca9,0x01d6ea1b</date><accdate>0x26d42ca9,0x01d6ea1b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: yourjavascript.com
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://api.jquery.com/jQuery.browser
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: bootstrap.min[1].css.2.dr String found in binary or memory: http://getbootstrap.com)
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_A
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://jquery.com/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://jquery.org/license
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://json.org/json2.js
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://perfectionkills.com/detecting-event-support-without-browser-sniffing/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://sizzlejs.com/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://developer.mozilla.org/en/Security/CSP
Source: jquery-1.8.2[1].js.2.dr String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: 0009098lm[1].css.2.dr String found in binary or memory: https://i.ibb.co/518rjZQ/Fotoram-io.jpg
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine Classification label: mal56.phis.evad.winHTML@3/27@10/7
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9B8C62206A21CFC2.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3112 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3112 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Obfuscated HTML file found
Source: cremocompany-Invoice_216083-xlsx.html Initial file: Did not found title: "Microsoft Office Center" in HTML/HTM content

Behavior Graph

Behavior Graph ID: 339241 Sample: cremocompany-Invoice_216083... Startdate: 13/01/2021 Architecture: WINDOWS Score: 56
Signatures: Yara detected HtmlPhish_6; Phishing site detected (based on image similarity); Obfuscated HTML file found
Process: iexplore.exe started iexplore.exe
DNS/IP: www.iconj.com; i.ibb.co 145.239.131.51, 443, 49735, 49736 OVHFR France; i.postimg.cc 51.91.224.95, 443, 49731, 49732 OVHFR France; 7 other IPs or domains
Dropped: C:\Users\user\AppData\...\5343434322[1].js, ASCII; C:\Users\user\AppData\...\7565654564[1].js, ASCII

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
145.239.131.51 unknown France 16276 OVHFR false
51.91.224.95 unknown France 16276 OVHFR false
91.207.103.145 unknown Romania 9009 M247GB false
216.239.38.21 unknown United States 15169 GOOGLEUS false
104.20.138.65 unknown United States 13335 CLOUDFLARENETUS false
5.189.183.184 unknown Germany 51167 CONTABODE false
104.16.19.94 unknown United States 13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
tinyurl.com 104.20.138.65 true
yourjavascript.com 5.189.183.184 true
cdnjs.cloudflare.com 104.16.19.94 true
uceniciifbi.ro 91.207.103.145 true
i.postimg.cc 51.91.224.95 true
svgur.com 216.239.38.21 true
i.ibb.co 145.239.131.51 true
code.jquery.com unknown unknown
www.iconj.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://svgur.com/i/G6D.svg false
  high
http://i.postimg.cc/vHgYSJgT/arrow.jpg false
  • 0%, Virustotal
  • Avira URL Cloud: safe
  unknown
http://yourjavascript.com/99821182021/5343434322.js false
  • 2%, Virustotal
  • Avira URL Cloud: safe
  unknown
file:///C:/Users/user/Desktop/cremocompany-Invoice_216083-xlsx.html true
  low
http://yourjavascript.com/18210902102/7565654564.js false
  • Avira URL Cloud: safe
  unknown