MD5 : 140F716E974CD7483EEAA380A9C4FD82
SHA1 : 4D5B17CA34D8D15FBAE65AB637919E13E72A3476
SHA256 : 4DCED4DDB2FFA1E0E1E9C2F6A2D4B1302CEBCA59E7D340ADA0F2E421288B54FE
Motivation : Steal user credentials
When the malicious HTML file is opened, it renders a fake SharePoint Online page. The threat actors place the lure, an Excel document supposedly shared through SharePoint, behind a fake login form.
Fig: Phishing Page
To view the Excel file, the user must enter their credentials on this phishing page. After the credentials are submitted, the page displays a "verifying" message to convince the user that it is legitimate; meanwhile the browser is silently redirected to the following phishing URL.
Phishing URL: hxxps://spanishcolonialcobs.com.
Fig: Error message
After the user enters their credentials and clicks the Login button, the script references a property on the window object (window.phpurl in this sample), which holds the URL used once the form is submitted. Searching the decoded HTML for that property and the form's submit handler is a quick way to recover the destination URL without executing the page.
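A static triage check for this behaviour, added here as an example and not taken from the analysed sample: it parses an HTML attachment, pulls out the inline script, and flags the combination described above (a password field, a URL parked on a window.* property such as window.phpurl, a setTimeout stall behind a "verifying" message, and a redirect through that property). It also notes common obfuscation calls, matching the T1027 entry in the table. The SAMPLE_HTML, the property name and the URL hxxps://example.invalid/post.php are constructed for this example. Python is used because this is an analyst's triage script, not the page's own JavaScript.

```python
"""Static triage of an HTML attachment for the fake-login / window.phpurl
pattern. Added example, not the original page's code. SAMPLE_HTML is a
constructed stand-in that mimics the behaviour; it is not the analysed file."""
import re
from html.parser import HTMLParser

# Constructed sample: fake login form, "verifying" stall, redirect via window.phpurl.
SAMPLE_HTML = """<html><body>
<form id="login">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">Login</button>
</form>
<div id="status"></div>
<script>
window.phpurl = "hxxps://example.invalid/post.php";
document.getElementById('login').onsubmit = function(e){
  e.preventDefault();
  document.getElementById('status').innerText = 'Verifying...';
  setTimeout(function(){ window.location.href = window.phpurl; }, 3000);
  return false;
};
</script></body></html>"""


class _Collector(HTMLParser):
    """Collects <input> types/names and the raw text of every <script>."""

    def __init__(self):
        super().__init__()
        self.inputs = []      # (type, name)
        self.scripts = []     # one string per <script> element
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; chunks are concatenated.
        if self._in_script:
            self.scripts[-1] += data


# window.<name> = "<url>"   (the property that parks the destination URL)
_WINDOW_URL = re.compile(r"""window\.(\w+)\s*=\s*['"]([^'"]+)['"]""")
# location / location.href = window.<name>   (redirect driven by that property)
_REDIRECT = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*window\.(\w+)")
# setTimeout(..., <ms>)   (the "verifying" stall; long delays also hint at T1497.003)
_STALL = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.DOTALL)
# common decode/eval primitives used to hide the real page (T1027)
_OBFUSCATION = re.compile(r"\b(atob|unescape|String\.fromCharCode|eval)\s*\(")


def triage(html):
    """Return the indicators found in an HTML attachment as a dict."""
    p = _Collector()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    return {
        "password_field": any(t == "password" for t, _ in p.inputs),
        "window_urls": dict(_WINDOW_URL.findall(js)),
        "redirect_via_window": _REDIRECT.findall(js),
        "stall_delays_ms": [int(d) for d in _STALL.findall(js)],
        "verifying_text": re.search(r"verifying", html, re.I) is not None,
        "obfuscation_calls": sorted(set(_OBFUSCATION.findall(js))),
    }


def is_credential_phish(findings):
    """Heuristic verdict: a password field whose submit path leads to a URL held on
    window.* (by assignment or redirect) is the pattern described on this page.
    The stall/'verifying' cue strengthens the call but is not required."""
    exfil = bool(findings["window_urls"]) or bool(findings["redirect_via_window"])
    return findings["password_field"] and exfil


if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "credential phish" if is_credential_phish(result) else "no match")
```

Run it against the decoded attachment instead of SAMPLE_HTML to pull the parked URL straight out of the script; the regexes are deliberately simple and will miss a page that builds the URL at runtime, so treat an empty `window_urls` with a present `redirect_via_window` as a prompt to deobfuscate rather than as a clean result.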
MITRE ATT&CK Tactics and Techniques

| # | Tactic | Technique |
|---|--------|-----------|
| 1 | TA0001: Initial Access | T1566: Phishing |
| 3 | TA0003: Persistence | T1176: Browser Extensions |
| 4 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information; T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion |
| 5 | TA0009: Collection | T1056.003: Input Capture: Web Portal Capture; T1005: Data from Local System |