Joe Sandbox AI: June 2025 Update

Over the past few months, we’ve been working intensively to enhance Joe Sandbox AI with a range of powerful new capabilities. As a reminder, Joe Sandbox AI is our advanced AI plugin that leverages generative AI for phishing and malware detection—bringing intelligent automation to your threat analysis workflows.

If you're new to Joe Sandbox AI, you can learn more about it here.

In this blog post, we’ll walk you through the latest features, improvements, and how they boost the performance and flexibility of Joe Sandbox AI.

AI based Email analysis

More and more of our customers are leveraging Joe Sandbox to analyze emails—primarily in EML and MSG formats. Through live interaction analysis, Joe Sandbox dynamically detonates embedded links and attachments to uncover malicious behavior.

In addition to dynamic analysis, Joe Sandbox also performs static extraction of key email information, including:

• Sender and recipient details

• Subject and message body

• Attachments and embedded links

• Headers and meta data

Those information can be inspected in the "Static" section of the report:

The entire email content is now also passed to Joe Sandbox AI, which employs the latest reasoning-capable AI models to assess whether the email is malicious.

In addition, the model generates a comprehensive summary of its assessment, highlighting key indicators, attack type analysis, IOCs, and the final verdict.

 Email Threat Assessment

 1. Initial Analysis of Email Structure

- From: Paul Deshaies <paul@meprimeproperties.com>
- To: Paul Deshaies <paul@meprimeproperties.com>
- Subject: Meprimeproperties
- Date: Fri, 13 Jun 2025 10:35:35 -0700
- Filesize: 8786 bytes
- Attachments: None

Initial observations: The sender is emailing themselves, which is unusual but not necessarily malicious. The subject line is simply the domain name without any actionable context.

 2. Content Analysis

The email contains minimal text with these key elements:
- Notification that "Your document has been completed"
- A prominently displayed "VIEW COMPLETED DOCUMENT" button/link
- Statement that "A document is now available, has been encrypted for the security reason"
- Urgency statement: "Document expired in 24hours"
- Signature block with name, address, and email: "Paul Deshaies, 8 Casey Ln, OOB 04064 Paul@meprimeproperties.com"

The email lacks specifics about what document is being referenced, which service is being used, or any context about why this document would be important to the recipient.

 3. Attachment and QR Code Analysis

No attachments or QR codes are present in this email.

 4. Key Suspicious Indicators

1. Suspicious URL: The "VIEW COMPLETED DOCUMENT" button links to:
   `https://reviewdocsteamworks7fdbb.myclickfunnels.com/meprimeproperties--56c47?preview=true`
   - Uses ClickFunnels domain (marketing platform) rather than a legitimate document service
   - Contains a suspicious, seemingly random subdomain "reviewdocsteamworks7fdbb"
   - No relation to the apparent sender domain (meprimeproperties.com)

2. Urgency tactic: The 24-hour expiration creates artificial time pressure to act quickly without thinking

3. Vague content: No specific information about what document is completed or what service is being used

4. Incomplete information: The statement "Powered by" doesn't complete what service it's powered by

5. Self-addressed email: The sender is emailing themselves, which is unusual in normal business communications

 5. Attack Type Analysis (MITRE ATT&CK)

- Initial Access [TA0001]: Phishing [T1566]
- Credential Access [TA0006]: Likely attempting to harvest credentials via the phishing website
- Defense Evasion [TA0005]: Impersonation of legitimate business [T1036]

 6. False Positive Analysis

Some factors suggesting potential legitimacy:
- The search results confirm Paul Deshaies appears to be associated with meprimeproperties.com
- The email doesn't contain obvious spelling errors or grammar mistakes
- The formatting is clean and professional-looking

However, these positive indicators are outweighed by the suspicious link to a ClickFunnels domain and the vague, urgent nature of the message.

 7. Overall Assessment

This email appears to be a phishing attempt impersonating Paul Deshaies of ME Prime Properties. The email leverages the identity of what seems to be a legitimate real estate agent to create trust. The suspicious link to a ClickFunnels domain rather than a legitimate document service strongly suggests this is designed to harvest credentials or deliver malware.

The use of urgency ("expires in 24 hours") combined with vague information about an unspecified "document" are classic social engineering tactics to prompt hasty action. The fact that the sender is emailing themselves suggests either account compromise or spoofing.

The search engine results show that Paul Deshaies appears to be a real person associated with ME Prime Properties in Maine, which makes this impersonation particularly concerning.

 8. IOCs (Indicators of Compromise)

- Domain: reviewdocsteamworks7fdbb.myclickfunnels.com
- Full URL: https://reviewdocsteamworks7fdbb.myclickfunnels.com/meprimeproperties--56c47?preview=true
- Email address used for impersonation: paul@meprimeproperties.com

 Verdict: Malicious

Risk Score: 8

TTPs:
- Phishing [T1566]
- Impersonation [T1036]
- Social engineering with urgency tactics

Reasoning Summary: This email contains a suspicious link to a ClickFunnels domain disguised as a document service notification. It impersonates what appears to be a legitimate real estate agent, creates artificial urgency, and provides vague information about a completed document to entice clicking. The link destination has no relation to the apparent sender's business domain and is almost certainly designed to harvest credentials or deliver malware.

Full Analysis Report: https://www.joesandbox.com/analysis/1715678/0/html#ai-reasoning-pagination

Detecting Suspicious Domains

Phishing URLs often have a short lifespan—by the time analysis is performed, the malicious page may already be offline. In such cases, Joe Sandbox cannot browse the page directly anymore. However, analysts still need to assess whether the URL exhibits signs of typosquatting, brand impersonation, or other suspicious characteristics.

This is where Joe Sandbox AI adds significant value. Even when the page is no longer accessible, the AI performs a deep domain analysis, evaluating the URL’s structure, domain components, and semantic patterns to identify phishing indicators.

Detecting SVG Files

There is a growing trend among attackers to use SVG files as containers for delivering phishing links to endpoints. These SVGs often embed JavaScript code that leverages obfuscation and unpacking techniques to conceal malicious URLs—making detection significantly harder.

However, detecting threats in SVGs is challenging because many legitimate SVG files also contain JavaScript for valid interactive purposes.

Thanks to Joe Sandbox AI, these threats can now be accurately identified. The AI model performs context-aware analysis of SVG content, distinguishing between benign scripts and malicious behavior, enabling effective detection of phishing attempts hidden within SVGs.

Full Analysis Link: https://www.joesandbox.com/analysis/1721102/0/html

Detecting low trust Authenticode Signatures

Code signing is widely used to establish trust in executable files—but that trust can be misleading. A good example are Authenticode signatures, which are designed to improve the trustworthiness of Windows PE (Portable Executable) files, but are increasingly abused by attackers to bypass EDR systems and deliver malicious payloads to endpoints.

Detecting suspicious Authenticode signatures is particularly challenging. It requires maintaining up-to-date lists of trusted and suspicious issuers, as well as performing temporal analysis—for example, evaluating when a certificate was issued, its validity period, and whether it aligns with known threat patterns.

Thanks to recent improvements in Joe Sandbox AI, Authenticode signatures are now subjected to comprehensive AI-driven analysis. The model inspects both issuer reputation and detailed certificate metadata, enabling a thorough and contextual assessment that enhances detection accuracy, even against stealthy or novel threats.

Full Analysis Report: https://www.joesandbox.com/analysis/1718964/0/html

Fighting Captchas with AI

We’ve recently observed that popular phishing kits are evolving, introducing new obstacles that make it harder to dynamically analyze phishing webpages. One common tactic is the use of CAPTCHAs, which are specifically designed to block automated browsing and prevent security tools from reaching the final phishing page.

To address this challenge, we’ve implemented a new technology in Joe Sandbox AI that allows it to bypass these evasive techniques—without actually solving the CAPTCHA. By analyzing the page structure, script behavior, and content flow, the AI can infer and extract the malicious intent and final phishing payload, even when traditional browsing is blocked.

While this technology is highly effective, it does have its limitations and may not work for all CAPTCHA implementations. In such cases, security analysts can fall back on Joe Sandbox’s Live Interaction feature to manually solve the CAPTCHA and continue the analysis seamlessly.

Full Analysis Report: https://www.joesandbox.com/analysis/1722868/1/html#overview

AI Summaries

While our customers greatly appreciate the depth and detail of Joe Sandbox’s analysis reports, there are situations where a concise, high-level summary is more practical—especially for quick reviews or executive overviews.

    

With the latest enhancements, Joe Sandbox AI now delivers exactly that: an automatically generated summary that captures the key findings, verdicts, and reasoning in a clear, digestible format—complementing the full report without replacing it.

Malware Behavior Analysis

 Initial Access
The malware executes through PowerShell, launched with the command line `powershell.exe -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sd2.ps1"`. The PowerShell process (PID 7804) spawns a console host process (conhost.exe, PID 7816) as expected for PowerShell execution.

 Evasion Techniques
The malware employs several evasion mechanisms:
- Script Obfuscation: The PowerShell script contains heavily obfuscated byte array data spanning 478KB, designed to evade static detection by security tools
- Execution Policy Bypass: Uses the `-ExecutionPolicy unrestricted` parameter to bypass PowerShell's default execution restrictions
- Dynamic Code Loading: The large obfuscated byte arrays suggest encrypted or encoded malicious code intended for runtime execution rather than static analysis

 Payload Execution
The PowerShell process loads and executes multiple malicious payloads:
- KoiLoader: Detected in the PowerShell process memory space, indicating the presence of a loader component
- AgentTesla: Multiple instances detected in unpacked PE files within the PowerShell process, suggesting successful payload deployment
- .NET Components: Large array initializations (6229 elements) in .NET source code indicate substantial payload data being processed

 Data Theft
The malware targets cryptocurrency-related data extensively. Memory analysis of the PowerShell process reveals targeting of numerous cryptocurrency wallets and related applications:
- Cryptocurrency Wallets: Targets multiple wallet applications including Ledger Live, Trezor, Electrum, Exodus, Jaxx, Guarda, Wasabi, Atomic, and others
- FTP Credentials: Searches for FileZilla configuration files (recentservers.xml, sitemanager.xml) and WinSCP session data
- VPN Credentials: Targets OpenVPN credential files (creds.txt)
- Wallet Files: Specifically looks for wallet files, keystores, and configuration data across various cryptocurrency applications

 Network Activity
No explicit network communication signatures were detected in the provided data, though the presence of loader components suggests potential command and control capabilities.

 Process Relationships
The execution chain is straightforward: an external process (PID 5748) launches PowerShell (PID 7804), which in turn spawns the standard console host process (PID 7816). All malicious activity is attributed to the PowerShell process, which serves as the primary execution environment for the obfuscated payload.

 MITRE ATT&CK TTPs
- T1059.001 (Command and Scripting Interpreter: PowerShell) - Primary execution vector
- T1027 (Obfuscated Files or Information) - Heavy script obfuscation to evade detection
- T1555 (Credentials from Password Stores) - Targeting cryptocurrency wallets and credential stores
- T1005 (Data from Local System) - Systematic collection of wallet and credential files

Full Analysis Report: https://www.joesandbox.com/analysis/1723376/0/html#ai-reasoning-pagination

AI Summaries are generated Phishing and Malware behavior. 

Conclusion

With the extension and improvements of Joe Sandbox AI, we’re raising the bar in automated threat detection and analysis. The new capabilities empower analysts to detect phishing, malware, and evasive threats with greater precision and context awareness. From in-depth email and domain reasoning to SVG and Authenticode inspection, each enhancement brings smarter automation into the security workflow.

Whether bypassing CAPTCHAs, detecting threats hidden in obfuscated scripts, or summarizing complex behaviors, Joe Sandbox AI acts as an intelligent co-pilot—accelerating response time, reducing false positives, and surfacing critical insights with clarity. These upgrades make Joe Sandbox AI an indispensable tool in the fight against modern cyber threats.

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!