Statements and Invoice 5400981237 PDF.vbs

Performs some HTTP requests (1 event)

request

GET https://dat-voip-sit-cio.trycloudflare.com/V8.ps1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Symantec	Scr.Malcode!gen114
ESET-NOD32	a variant of Generik.IFKWAD
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Rising	Trojan.Undefined!8.1327C (TOPIS:E0:7VNtCOvqy8T)
Ikarus	Trojan.SuspectCRC
Google	Detected
Antiy-AVL	Trojan/Script.Agent
GData	Script.Trojan.Agent.9LAI0Z
AhnLab-V3	Downloader/VBS.Generic

Wscript.exe initiated network communications indicative of a script based payload download (6 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 8, 2025, 9:27 a.m.	url: https://dat-voip-sit-cio.trycloudflare.com/V8.ps1 flags: 0	1	1	0
HttpOpenRequestW April 8, 2025, 9:27 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /V8.ps1	1	13369356	0
InternetReadFile April 8, 2025, 9:27 a.m.	buffer: <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i request_handle: 0x00cc000c	1	1	0
InternetReadFile April 8, 2025, 9:27 a.m.	buffer: class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enc request_handle: 0x00cc000c	1	1	0
InternetReadFile April 8, 2025, 9:27 a.m.	buffer: type="text/plain"> <input type="hidden" name="atok" value="P6feduhCKs0wH9r7EkdTtEcm5eB16zNx6zJiGaxStjs-1744072147-0.0.1.1-/V8.ps1"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">92cda609098aa7cc</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">121.133.128.1</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-rev request_handle: 0x00cc000c	1	1	0
InternetReadFile April 8, 2025, 9:27 a.m.	buffer: eal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html> request_handle: 0x00cc000c	1	1	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (9 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 8, 2025, 9:27 a.m.	url: https://dat-voip-sit-cio.trycloudflare.com/V8.ps1 flags: 0	1	1	0
HttpOpenRequestW April 8, 2025, 9:27 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /V8.ps1	1	13369356	0
send April 8, 2025, 9:27 a.m.	buffer: ! socket: 836 sent: 1	1	1	0
send April 8, 2025, 9:27 a.m.	buffer:   gômtÄҚo®ÛPõƘxs0o ^æƒA_e¤‚/5 ÀÀÀ À 28 @ÿ '%"dat-voip-sit-cio.trycloudflare.com  socket: 948 sent: 138	1	138	0
send April 8, 2025, 9:27 a.m.	buffer: ! socket: 836 sent: 1	1	1	0
send April 8, 2025, 9:27 a.m.	buffer:  FBA¤ 3AA*®ïlEpR¦•ØI•1òƬçòùðâQ>~_›—'ÍïXõŠç°§üOwɮܛûø¢§û£  0Q.8òý^a×Kª“~—i:9浔Î4ðv+[Õږœ|oÊ£j ª‚øPîwžºŠ socket: 948 sent: 134	1	134	0
send April 8, 2025, 9:27 a.m.	buffer: ! socket: 836 sent: 1	1	1	0
send April 8, 2025, 9:27 a.m.	buffer:  `°ýg³Yµ*à:IµÚcoÓ`eÿs7®Ü-—5HÁÝi„}*à˗;ìl“w¿5Ýq$Á:€_¡n«cát´ªTÙvÒtkÖì9L“li”€úJ.¼½ÜæÍÏr呪Å^/jBuX*ç,¤»$uN1S áWã³¼¥ ô©yN ŠÙn‡ ¶lÞ#=B˜ ˆÑItw^a9s€©t&ß:6”õ?èãõ½i&­Q83HDcL¹;½‡Uøÿ÷f³ì»Y•þŽW¡7N¢blïIˆœÊS¡=ž³Gٟº36á›è«aɼÈÑŸ÷wó‘é°(¶ A‰RµÎ«„<ÄÖô>)¦£ëåäcõ´e+ ¿ÿäN†ß®½³×$DE%üü;bP~ 1À¿Qxu&ÜM##{ÏߣÐüá—pž¡žù§êF¦EÀ‡–#DŽ ¶GÄ socket: 948 sent: 357	1	357	0
send April 8, 2025, 9:27 a.m.	buffer: ! socket: 836 sent: 1	1	1	0