Hello Daniel -
Message tracking, or the message/message headers would be helpful to fully understand the processing through your appliance.
We would be relying on the actual HTML file itself to be marked as Viral+ by AV or Malicious+ by AMP. Looking at the HTML provided, it still would take end-user interaction in order submit the information. AMP would not take that into consideration.
Do you have Virus Outbreak Filters also configured on the appliance? Seeing the message tracking for this message as processed would be helpful.
The file provided (SHA 26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13). Stepping through the form, and submitting via Sandbox - I can see that the site that this submits to goes to eavehiclerental.com --- and a 404 page = ptpt.php page.
AMP does not score this malicious from Cisco side. The top hit in Sandbox scanning is the outbound connection...
Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.
Virus Total does not as well:
https://virustotal.com/en/file/26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13/analysis/
-Robert
Hello Daniel -
Message tracking, or the message/message headers would be helpful to fully understand the processing through your appliance.
We would be relying on the actual HTML file itself to be marked as Viral+ by AV or Malicious+ by AMP. Looking at the HTML provided, it still would take end-user interaction in order submit the information. AMP would not take that into consideration.
Do you have Virus Outbreak Filters also configured on the appliance? Seeing the message tracking for this message as processed would be helpful.
The file provided (SHA 26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13). Stepping through the form, and submitting via Sandbox - I can see that the site that this submits to goes to eavehiclerental.com --- and a 404 page = ptpt.php page.
AMP does not score this malicious from Cisco side. The top hit in Sandbox scanning is the outbound connection...
Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.
Virus Total does not as well:
https://virustotal.com/en/file/26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13/analysis/