Sample details: c036bc8bd451da83f67a64467f5cb34a --

Hashes
MD5: c036bc8bd451da83f67a64467f5cb34a
SHA1: dc71d12f23383a65b4eeb88e3644e28ce92584e8
SHA256: 85881c3a6d20fd64b684989a70af0252aa3a30becc4f582df00f2ff317605076
SSDEEP: 96:LyL1nwn06l5CzjoINElz1liGPt/bmPYWy0FlO1++umUKLm:tqjoIoyGPtjmQlWmUKLm
Details
File Type: HTML
Yara Hits
YRP/domain | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings |
Source
https://onedrive.live.com/download?cid=FF83A83D48CFF433&resid=FF83A83D48CFF433!3076&authkey=AGGxJ9iNtJmx4fw
Strings
		<html>
    <head>
        <title>Microsoft OneDrive - Access files anywhere. Create docs with free Office Online.</title><meta name="title" content="Microsoft OneDrive - Access files anywhere. Create docs with free Office Online."/><meta name="description" content="Store photos and docs online. Access them from any PC, Mac or phone. Create and work together on Word, Excel or PowerPoint documents."/><meta property="og:title" content="Swift Copy.ace"/><meta property="og:image" content="https&#58;//p.sfx.ms/icons/v2/Large/Default.png"/><meta property="og:image:width" content="96"/><meta property="og:image:height" content="96"/><meta property="og:url" content="https&#58;//skydrive.live.com/redir.aspx&#63;resid&#61;FF83A83D48CFF433&#37;213076&#38;avres&#61;Infected&#38;averror&#61;SUCCESS&#38;vinfo&#61;Backdoor&#37;3aWin32&#37;2fNanocore.G&#37;21MTB&#38;authkey&#61;&#37;21AGGxJ9iNtJmx4fw&#38;page&#61;viruswarning"/><meta property="og:description" content="ACE File"/><meta property="twitter:site" content="&#64;OneDrive"/><meta property="twitter:card" content="summary"/><meta property="twitter:image" content="https&#58;//p.sfx.ms/icons/v2/Large/Default.png"/><meta property="twitter:image:width" content="96"/><meta property="twitter:image:height" content="96"/>
        <noscript><meta http-equiv="refresh" content="0;url=https://onedrive.live.com/viruswarning.aspx/Swift&#37;20Copy.ace&#63;cid&#61;ff83a83d48cff433&#38;avres&#61;Infected&#38;resid&#61;FF83A83D48CFF433&#33;3076&#38;authkey&#61;&#33;AGGxJ9iNtJmx4fw" /></noscript>
        <script type="text/javascript">//<![CDATA[
var _d=document,_dh=_d.getElementsByTagName("head")[0];function _ge(a){return _d.getElementById(a)}var $U={a:"^((ftp|http|https):)?//",b:"(^(\\s?ftp:|\\s?http:|\\s?https:|\\s?//))",primaryAjaxDelimiter:"#",pairDelimiter:"&",keyValueDelimiter:"=",queryDelimiter:"?",isAbsoluteUrl:function(a){var b=new RegExp($U.a,"i"),c=new RegExp($U.b,"i");return b.test(a)||c.test(a)},getHost:function(c){var a=$U.a+"([^:/]*([:][^@/]*)?[@])?([-.a-z0-9]*)[^-.a-z0-9]?",b=new RegExp(a,"i");return urlHost=(String(c).search(b)<0?"":RegExp.$5).toLowerCase()},doesMatchHost:function(b,e){var f="^(mailto|tel|sms):",g=new RegExp(f,"i"),c=$U.isAbsoluteUrl(b),a=$U.getHost(b),i=g.test(b),d="."+e,h=a.substr(a.length-d.length)==d||a==""&&!c||a.charAt(0)=="#"||a==e;return (!c||h)&&!i},isLinkABookmark:function(a,b){b=b||_d;var d=b.createElement("span");d.innerHTML='<a href="#"></a>';var f=d.firstChild.href,c=a.indexOf("#"),e=a.indexOf("javascript:");if(c>-1)if(c==0||a.indexOf(f)==0)return 1;if(e==0)return 1;return 0},getUrlFragment:function(c){var a="",b=c.indexOf("#");if(b>-1)a=c.substr(b+1);return a},getHashUrl:function(){var c,e=window.location,a=e.href,b=a.indexOf($U.primaryAjaxDelimiter),d=b==-1?"":a.substr(b+1);if(d)c=$U.getNormalizedUrl(a,$U.primaryAjaxDelimiter);return c},getNormalizedUrl:function(a,c){c=c||$U.primaryAjaxDelimiter;var f="",e=$U.getAjaxIndex(a,c);if(e>-1){f=a.substr(e+1);a=a.substr(0,e)}var b="",d=a.indexOf($U.queryDelimiter);if(d>-1){b=a.substr(d+1);a=a.substr(0,d)}b=$U.serialize($U.deserialize(f?f:b));if(b)a=[a,$U.queryDelimiter,b].join("");a=a.replace(/[!]/g,"%21");return a},getAjaxIndex:function(a,d){var h=-1,c=a.indexOf(d);while(c!=-1){var b=c+1,e=a.indexOf(d,b),j=a.indexOf($U.pairDelimiter,b),k=a.indexOf($U.queryDelimiter,b),g=a.indexOf($U.keyValueDelimiter,b),i=[e,j,k,g].sort(function(a,b){return a==-1?1:b==-1?-1:a-b}),f=i[0];if(f==-1)break;else if(f==g){h=c;break}else c=e}return h},getCurrentUrl:function(){return $U.getHashUrl()||window.location.href},deserialize:function(f){var c={};if(f){var e=f.split($U.pairDelimiter),g=e.length,a=0;for(;a<g;a++){var j=e[a],b=j.split($U.keyValueDelimiter),i=b[0];b.splice(0,1);var h=b.join($U.keyValueDelimiter);try{c[i]=decodeURIComponent(h)}catch(d){if(!(d instanceof URIError))throw d;c={};break}}}return c},serialize:function(d){var a=[];for(var c in d){var b=d[c];b=b?b:"";a.push(c,$U.keyValueDelimiter,encodeURIComponent(b).replace(/[^\w.%-]/g,function(b){var a=b.charCodeAt(0).toString(16);return "%"+(a.length==1?"0"+a:a).toUpperCase()}),$U.pairDelimiter)}if(a.length>0)a.pop();return a.join("")}}
//]]></script>
        
<script type="text/javascript">//<![CDATA[
var $PF={"d":"live.com","ru":"https\u003a\u002f\u002fonedrive.live.com\u002fviruswarning.aspx\u002fSwift\u002520Copy.ace\u003fcid\u003dff83a83d48cff433\u0026avres\u003dInfected\u0026resid\u003dFF83A83D48CFF433\u00213076\u0026authkey\u003d\u0021AGGxJ9iNtJmx4fw"};
    (function(){var b=window,a=b.$PF=b.$PF||{},p=":",k="&colon",j="&#",g="&",d="=",f="?",e="#",n="!",o="!",l=new RegExp("[^a-z0-9-.+:]","i"),m=new RegExp("^[a-z0-9-.+]+:","i");a.isProtocolAllowed=function v(d){d=(d||"").toLowerCase();var b="",g=d.length,f;for(var e=0;e<g;e++){f=d.charCodeAt(e);if(f>32&&f<127)b+=d.charAt(e)}var a=b.indexOf(p);if(a==-1)a=b.indexOf(k);if(a==-1)a=b.indexOf(j);var c=b.substr(0,a+1);return !l.test(c)&&(!m.test(c)||c=="http:"||c=="https:"||c=="ftp:")};a.isInternalUrl=function y(b){try{return !!b&&$U.doesMatchHost(b,a.d)&&a.isProtocolAllowed(b)}catch(c){return false}};a.getHashUrl=function z(){var c,h=b.location,d=h.href,g=d.indexOf(e),f=g==-1?"":d.substr(g+1);if(f){var i=e;c=d;if(f.indexOf(o)==0)if(f.length>1){c=d.substr(d.indexOf(f)+1);i=n}else c=c.substr(0,g);if(c.indexOf("/")==0)c=[h.protocol,"//",h.host,c].join("");c=a.getNormalizedUrl(c,i)}return c};a.getCurrentUrl=function x(){var c=a.getHashUrl();return a.isInternalUrl(c)?c:b.location.href};a.getAppFrameWindow=function u(){try{return (!a.m||a.merged)&&_ge(a.fid).contentWindow}catch(b){return undefined}};a.getAppFrameDocument=function t(){try{return a.getAppFrameWindow().document}catch(b){return undefined}};function q(a,e){var k=-1,c=a.indexOf(e);while(c!=-1){var b=c+1,h=a.indexOf(e,b),m=a.indexOf(g,b),n=a.indexOf(f,b),j=a.indexOf(d,b),l=[h,m,n,j].sort(function(a,b){return a==-1?1:b==-1?-1:a-b}),i=l[0];if(i==-1)break;else if(i==j){k=c;break}else c=h}return k}a.getNormalizedUrl=function w(a,c){c=c||e;var h="",g=q(a,c);if(g>-1){h=a.substr(g+1);a=a.substr(0,g)}var b="",d=a.indexOf(f);if(d>-1){b=a.substr(d+1);a=a.substr(0,d)}b=s(r(h?h:b));if(b)a=[a,f,b].join("");a=a.replace(/[!]/g,"%21");return a};function r(h){var c={};if(h){var f=h.split(g),i=f.length,a=0;for(;a<i;a++){var l=f[a],b=l.split(d),k=b[0];b.splice(0,1);var j=b.join(d);try{c[k]=decodeURIComponent(j)}catch(e){if(!(e instanceof URIError))throw e;c={};break}}}return c}function s(e){var a=[];for(var c in e){var b=e[c];b=b?b:"";a.push(c,d,encodeURIComponent(b).replace(/[^\w.%-]/g,function(b){var a=b.charCodeAt(0).toString(16);return "%"+(a.length==1?"0"+a:a).toUpperCase()}),g)}if(a.length>0)a.pop();return a.join("")}if(!a.f)try{var c=a.getHashUrl()||a.ru;if(c){var h=document.location;try{if(b!=b.top){document.domain=a.d;if(c.indexOf("login."+a.d)>-1||c.indexOf("account."+a.d)>-1||c.indexOf(b.top.document.location.protocol)!=0)h=b.top.document.location}}catch(i){}if(a.isInternalUrl(c))h.replace(c)}}catch(i){}})();
//]]></script>
    </head>
</html>