Analysis Report https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

Overview

General Information

Sample URL: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub
Analysis ID: 356040

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_20
Phishing site detected (based on various OCR indicators)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_20
Source: Yara match File source: 098239.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm, type: DROPPED
Phishing site detected (based on various OCR indicators)
Source: Screenshots OCR Text: lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V Mx8sjlwiw2d C;Search... determine-1217x [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes :: Microsoft' a Office 365 Redirecting - Click here to continue W p 0 X " Published by Google Drive - Report Abuse

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: themes.googleusercontent.com
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://docs./url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161400152712
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://docs.ax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://docs.google.com/
Source: pub[1].htm.2.dr String found in binary or memory: https://docs.google.com/abuse?id=AKkXjoxmn0VxVYna4R2kMixj6xjU5UyiFnb84SzAYSNZgyuuoUgq56SJglMCAzzK8sA
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr, ~DFC597EDA9F124D6A1.TMP.1.dr String found in binary or memory: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp
Source: css[2].css.2.dr String found in binary or memory: https://fonts.google.com/license/googlerestricted
Source: pub[1].htm.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: pub[1].htm.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: css[1].css0.2.dr String found in binary or memory: https://fonts.gstatic.com/s/comfortaa/v30/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc.woff)
Source: css[2].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v27/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: pub[1].htm.2.dr String found in binary or memory: https://lh3.googleusercontent.com/FCtkh_cVMnq9w0w2EefouDOYE-kLx6conTHn_lapO1sUkLA_arG-RSCq96SJ6Dsgqq
Source: pub[1].htm.2.dr String found in binary or memory: https://lh4.googleusercontent.com/4lqrNCf-I_g3G-ZRjSCrk4CzHer9-aZGLVZMAv1E5urrkm5iZ-6srIQnL3bv29zPMl
Source: pub[1].htm.2.dr String found in binary or memory: https://lh4.googleusercontent.com/592S7q3HqTUOgiQvkzddFGMOaqBqKIpIo48LskWavhxGbCFORGwwPJB3K3jyWmt0xY
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://sistema.grutor
Source: url[1].htm.2.dr String found in binary or memory: https://sistema.grutorax.com.br/deliver.php
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDo
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=Root
Source: ~DFC597EDA9F124D6A1.TMP.1.dr String found in binary or memory: https://sistema.grutorax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614
Source: imagestore.dat.2.dr, pub[1].htm.2.dr String found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico~
Source: pub[1].htm.2.dr String found in binary or memory: https://themes.googleusercontent.com/fonts/css?kit=fND5XPYKrF2tQDwwfWZJI_esZW2xOQ-xsNqO47m55DA
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://www.google.com
Source: imagestore.dat.2.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://www.google.com/favicon.ico~
Source: pub[1].htm.2.dr String found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors
Source: ~DFC597EDA9F124D6A1.TMP.1.dr String found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://www.google.comm/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine Classification label: mal60.phis.win@3/20@4/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93318288-7557-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF8D165E106D3995D4.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Behavior Graph

Behavior Graph ID: 356040
URL: https://docs.google.com/doc...
Start date: 22/02/2021
Architecture: WINDOWS
Score: 60

Signatures shown in graph:

  • Antivirus / Scanner detection for submitted sample
  • Yara detected HtmlPhish_20
  • Phishing site detected (based on various OCR indicators)

Process tree shown in graph (node counters kept as printed):

  • iexplore.exe 1 51 (started)
    • iexplore.exe 2 50 (started)
      • sistema.grutorax.com.br 198.57.186.221, 443, 49740, 49741 UNIFIEDLAYER-AS-1US United States
      • googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49722, 49723 GOOGLEUS United States
      • 3 other IPs or domains
      • C:\Users\user\AppData\Local\...\pub[1].htm, HTML (dropped file)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name             Malicious
198.57.186.221  unknown  United States  46606  UNIFIEDLAYER-AS-1US  false
142.250.186.33  unknown  United States  15169  GOOGLEUS             false

Contacted Domains

Name                                  IP              Active
sistema.grutorax.com.br               198.57.186.221  true
googlehosted.l.googleusercontent.com  142.250.186.33  true
themes.googleusercontent.com          unknown         unknown
lh3.googleusercontent.com             unknown         unknown
lh4.googleusercontent.com             unknown         unknown

Contacted URLs

Name                                         Malicious  Antivirus Detection  Reputation
https://sistema.grutorax.com.br/deliver.php  true                            unknown