Windows Analysis Report
PAYMENT FORM.pdf.shtml

Overview

General Information

Sample Name: PAYMENT FORM.pdf.shtml
Analysis ID: 831013
MD5: 23f212782a200830b900150b7f10c60b
SHA1: e9874805219b812cfc629d310d78266cac9ee7b0
SHA256: e90c3b9b5355a0b2291b644ed190d3b68c38e09884020939fc8e547802d724c9
Infos:

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
HTML document with suspicious name
Phishing site detected (based on logo template match)
HTML body contains low number of good links
IP address seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found

Classification

Phishing
barindex
Yara detected HtmlPhish10
Source: Yara match File source: PAYMENT FORM.pdf.shtml, type: SAMPLE
Source: Yara match File source: 49412.0.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml Matcher: Template: office matched
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: Number of links: 0
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 146.75.120.84 146.75.120.84
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg HTTP/1.1Host: i.pinimg.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg HTTP/1.1Host: i.pinimg.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: PAYMENT FORM.pdf.shtml String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTNpnPzHT1IIeCix2vSs-MX3dcqgqvrqmH7Tg&usqp=CAU
Source: PAYMENT FORM.pdf.shtml String found in binary or memory: https://formspree.io/f/xeqwznlj
Source: PAYMENT FORM.pdf.shtml String found in binary or memory: https://i.pinimg.com/236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg
Source: PAYMENT FORM.pdf.shtml String found in binary or memory: https://www.google.com/url?q
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

System Summary
barindex
HTML document with suspicious name
Source: Name includes: PAYMENT FORM.pdf.shtml Initial sample: payment
Source: classification engine Classification label: mal56.phis.winSHTML@29/4@5/7
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1696,i,11738228780153301006,12006418429625946186,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\PAYMENT FORM.pdf.shtml
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1696,i,11738228780153301006,12006418429625946186,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831013 Sample: PAYMENT FORM.pdf.shtml Startdate: 21/03/2023 Architecture: WINDOWS Score: 56 24 Yara detected HtmlPhish10 2->24 26 HTML document with suspicious name 2->26 28 Phishing site detected (based on logo template match) 2->28 6 chrome.exe 14 1 2->6         started        9 chrome.exe 2->9         started        process3 dnsIp4 14 192.168.2.1 unknown unknown 6->14 16 239.255.255.250 unknown Reserved 6->16 11 chrome.exe 6->11         started        process5 dnsIp6 18 dualstack.pinterest.map.fastly.net 146.75.120.84, 443, 49700, 49705 SCCGOVUS Sweden 11->18 20 www.google.com 142.250.203.100, 443, 49702, 49773 GOOGLEUS United States 11->20 22 7 other IPs or domains 11->22
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.203.100
 www.google.com United States
15169 GOOGLEUS false
142.250.203.110
 clients.l.google.com United States
15169 GOOGLEUS false
142.250.203.109
 accounts.google.com United States
15169 GOOGLEUS false
146.75.120.84
 dualstack.pinterest.map.fastly.net Sweden
30051 SCCGOVUS false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
accounts.google.com 142.250.203.109 true
dualstack.pinterest.map.fastly.net 146.75.120.84 true
www.google.com 142.250.203.100 true
clients.l.google.com 142.250.203.110 true
clients2.google.com unknown unknown
i.pinimg.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
    		high
    https://i.pinimg.com/236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg false
      		high
      file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml true
        		low
        https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
          		high