Share :

Phishing Sample Analysis 10-06-2021


Phishing Sample Analysis

MD5 : 140F716E974CD7483EEAA380A9C4FD82
SHA1 : 4D5B17CA34D8D15FBAE65AB637919E13E72A3476
SHA256 : 4DCED4DDB2FFA1E0E1E9C2F6A2D4B1302CEBCA59E7D340ADA0F2E421288B54FE
Motivation : Steal user credentials

Recently the CYFIRMA research team has observed an active phishing campaign to steal victims’ credentials. The email contains a malicious attachment in .html format containing an embedded JavaScript which upon execution will bring the user to a fake Sharepoint login page. The objective is to steal credentials and redirected the user to other malicious URLs.

This phishing malware sample was written in a combination of Html and JavaScript language. The identity of the threat actor is unknown at this point. Threat actors are delivering this phishing Html file using spear-phishing technique.

Upon execution of this malicious Html, it opens the share point online page. Threat actors hide the information about the share point details in excel behind a fake login page.

Fig: Phishing Page

To view the excel, users must enter their credentials on this phishing page. After the user enters their credentials, the threat actor tricks the user into believing the page is legitimate by showing “verifying”. Meanwhile, the unsuspecting user is redirected to the following phishing URL without their knowledge.

Phishing URL: hxxps://

Next, the threat actor throws an error message such as “please try again later “. This error message is hardcoded in JavaScript to prompt the user to think that this could be due to a technical issue. Thus, users are unlikely to report this to their security provider/vendor.

Fig: Error message

The threat actor uses the Window object in JavaScript to hide the phishing link from the user.

Fig: Window object in JavaScript

The Threat actor calls the window object [In this code window.phpurl] after the user enters their credentials and clicks the Login button.

MITRE ATT&CK Tactics and Techniques

Sr No. Tactic Technique
1 TA0001: Initial Access T1566: Phishing
2 TA0002: Execution T1059.007: Command and Scripting Interpreter: JavaScript
3 TA0003: Persistence T1176: Browser Extensions
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion
5 TA0009: Collection T1056.003: Input Capture: Web Portal Capture
T1005: Data from Local System

Conclusion: Threat actors are using phishing or spear-phishing emails as the primary vector to exploit vulnerable users and organizations in order to steal user credentials. Additional verification and security countermeasures are required to deal with suspicious emails specifically those having .html, pdf, and JavaScript files as attachments or links.