Analysis Report Ds9VCtABRL.hwp

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:123517
Start date:15.04.2019
Start time:22:55:50
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 16s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Ds9VCtABRL.hwp
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winHWP@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to launch sample, stop analysis
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: 80040153

Detection

Strategy   Score  Range    Reporting  Whitelisted  Detection
Threshold  48     0 - 100             false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Ds9VCtABRL.hwp, virustotal: Detection: 13%

System Summary:

Classification label
Source: classification engine, Classification label: mal48.winHWP@0/0@0/0
Sample is known by Antivirus
Source: Ds9VCtABRL.hwp, virustotal: Detection: 13%

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 123517
Sample: Ds9VCtABRL.hwp
Startdate: 15/04/2019
Architecture: WINDOWS
Score: 48
Signature node: Multi AV Scanner detection for submitted file

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source          Detection  Scanner     Label
Ds9VCtABRL.hwp  14%        virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:Hangul (Korean) Word Processor File 5.x
Entropy (8bit):7.761390987517032
TrID:
  • Hangul (Korean) Word Processor document (alternate) (16508/1) 67.34%
  • Generic OLE2 / Multistream Compound File (8008/1) 32.66%
File name:Ds9VCtABRL.hwp
File size:81408
MD5:2b62101042cb91f93b49a51a9c38c617
SHA1:573398fd6f3dc3048e75a26d68f1690cd4f51e45
SHA256:e4e85ed771868f3488bbd87d0ca5ed56de5689ac73c3220a5b6d77e3aeac71fb
SHA512:e25c1e859db89c9038bb6c6e5a1d3ef7aff19782e4af51ac3f8768fe5284fd6e6bb68c5f7f7d029a54a5c4e64975741330c35bcef41cde5babc7b55b6dd49315
SSDEEP:1536:cbC1xNo6EEN80PvpQ3Gs3GVaBsgXv1RUHo6Da6S8v8nVvmV:jXK6iWIBfvTQo6uG8nVeV
File Content Preview:........................>.......................................................)..............................................................................................................................................................................

File Icon

Icon Hash:74f0e4e4e4e4e0e4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "Ds9VCtABRL.hwp"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False

Streams

Stream Path: \x5HwpSummaryInformation, File Type: data, Stream Size: 513
General
Stream Path:\x5HwpSummaryInformation
File Type:data
Stream Size:513
Entropy:3.66342520378
Base64 Encoded:False
Data ASCII:. . . . . . . . ` . . . a . . . . . . ` . . . . . . . . ` . . . a . . . . . . ` . . . . 0 . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . 9 . 9 . 5 . D . . 1 . 0 . . . . 1 . 2 . | . .
Data Raw:fe ff 00 00 06 02 02 00 60 b6 a2 9f 61 10 d4 11 b4 c6 00 60 97 c0 9d 8c 01 00 00 00 60 b6 a2 9f 61 10 d4 11 b4 c6 00 60 97 c0 9d 8c 30 00 00 00 d1 01 00 00 0e 00 00 00 02 00 00 00 78 00 00 00 03 00 00 00 94 00 00 00 04 00 00 00 a0 00 00 00 14 00 00 00 ac 00 00 00 05 00 00 00 ec 00 00 00 06 00 00 00 00 01 00 00 08 00 00 00 18 01 00 00 09 00 00 00 2c 01 00 00 0c 00 00 00 90 01 00 00
Stream Path: BinData/BIN0001.eps, File Type: data, Stream Size: 3545
General
Stream Path:BinData/BIN0001.eps
File Type:data
Stream Size:3545
Entropy:7.92370586109
Base64 Encoded:True
Data ASCII:. V m n . 0 . . ? ` w . . F Q . % . . . . . ; . . m . . . . } . . m . K . ? . . . P T . . . . . . . j ^ . . . > . . . . . D . X s N . . . 3 . . . . u 5 X . Q . V . . j . . L . . . . X v . . . . . y k . . . . . . . . y . . . . . . . , . . . . . . . . ( N . . . . ] . < N y D . . . : = 1 . . ; . b . . . V 4 ^ o $ : . . x . . . . $ I . S g b . . . o . . \\ Z . . . . 9 . . . ' . . . $ . . . @ . . . . . . . . . 7 . . . . . . . . . M . . . l { . . z . > f . . } . v . . ? . . # . . . . y . . < b u . . m . . < . . (
Data Raw:ec 56 6d 6e db 30 0c fd 3f 60 77 e8 0d 46 51 12 25 01 c5 80 b6 a9 3b f4 16 6d ec dc ff 08 7d 94 fc 6d d9 4b b3 3f 05 ba 18 50 54 85 ef 91 14 1f e9 fe 6a 5e fe bc be 3e 9d 9a 97 bb fb 44 fa 58 73 4e e2 e2 bb 33 96 b0 12 9d 75 35 58 c9 51 1c 56 1f f3 6a ed 99 4c fb 86 1d 87 58 76 81 99 b0 eb 9c 79 6b f1 1d a3 b1 d1 05 f1 c1 79 0a fe e2 a2 81 a5 0b 2c 17 b1 ce 04 df bd e7 93 28 4e f4
Stream Path: BodyText/Section0, File Type: data, Stream Size: 59354
General
Stream Path:BodyText/Section0
File Type:data
Stream Size:59354
Entropy:7.98774062535
Base64 Encoded:True
Data ASCII:. V M h . U . . . G . N . X . . . . N . . . P ? * . d K & " . . . D . . ` # n q . H S . . . . . * . . . 1 . ` . - . . . . ! . . H . 0 . [ . . . . . T . ` B . A . . C . . 9 . . . . o . M w & . . 3 . . . . . { . . . ~ . . . . ^ ( . . . @ . . . . $ . 3 m . 8 - O 5 . 0 r . . . 6 . " . # . . / . . . . . l . . . . . ~ . . Z . @ . . . . . . . . x . . : . " . . . . . . g ! . . . > . s . I @ + . . . . Y . . . . . . w . . . . . . . . . . . ^ . . _ . . ] ~ c 2 . . . @ . . . X A . . . X . . . % . p . E . { . . . 8 . .
Data Raw:ac 56 4d 68 1c 55 1c ff cf 47 e2 4e 9b 58 9b ee 86 94 4e e9 ab f5 50 3f 2a dd 64 4b 26 22 b2 a6 91 44 bb d6 60 23 6e 71 85 48 53 a8 10 d2 85 0a 2a 0a 2e 18 31 82 60 0e 2d d6 8b e4 10 21 e2 a4 48 19 30 1f 5b 98 94 ae b3 85 54 f6 60 42 0e 41 f6 98 43 0e 0a 39 e4 d0 12 ff 6f e6 4d 77 26 b3 af 33 da 9d e1 cd cc 7b f3 e6 fd 7e bf ff d7 9b 5e 28 08 a7 00 40 06 02 12 80 24 e0 33 6d f4 38
Stream Path: DocInfo, File Type: data, Stream Size: 7099
General
Stream Path:DocInfo
File Type:data
Stream Size:7099
Entropy:7.95140729043
Base64 Encoded:True
Data ASCII:. ` X . . . . . a @ . . . . . X @ " \\ P . . . L @ . . . . P . . . # . 2 . a . . G . B , . . . 3 3 . 2 . 0 . 3 . . . 0 % 1 1 . . * 8 . . . . . . P . T . . . . . . . . . . Y & 0 % . 0 . \\ . . % } l . . . . R N . . . R . \\ . D . R . . H . . . . . . . $ V . . . . . > 8 . j 2 . P y $ P a 0 C & P C . . - . 0 . . ' . . . . . . . . . . . . . . . < . . . . ! . h L 2 . } k . . j . . . . d . . F . . $ 6 . . # . . , . . : U . . # A . O . . . . . 1 . ' Q . . . j . . . . F . . . s . . ( Q . F . . . . . . . . . . . * "
Data Raw:12 60 58 c0 c8 c8 80 0c 61 40 00 88 05 19 1a 58 40 22 5c 50 cc 0e c5 4c 40 cc 0a c4 8c 50 ac 01 e2 23 b4 32 bc 61 84 a8 47 06 42 2c 07 c0 e6 33 33 a4 32 14 30 14 33 08 b3 18 30 25 31 31 b4 ee 2a 38 81 d0 c9 c1 e0 cb 50 09 54 90 cf 90 c7 90 ce 90 05 a4 85 59 26 30 25 b1 30 98 5c b7 d9 25 7d 6c cb 19 16 b8 52 4e 06 0f 86 52 86 5c 86 44 a0 52 05 86 48 a0 a6 12 a0 e2 00 e6 24 56 86 98
Stream Path: DocOptions/_LinkDoc, File Type: data, Stream Size: 524
General
Stream Path:DocOptions/_LinkDoc
File Type:data
Stream Size:524
Entropy:4.8274436373
Base64 Encoded:False
Data ASCII:. . ` 1 ( . . ) . . a 1 ( . < . ) . . c 1 ( . t . ) . . . . . . . . . [ . . . . . . 1 . ] . . . . . X . . . . . . \\ . h . . . . D . . . . . . . . . . . . . . . . . P . . . . . t . . . X . . . . . . | . . . . . . . . . . . . . . . , . . . . . . . . . @ . . t . . . @ . . . . L . . . . . . t . . . . \\ . . . . . . . . . . . . . 2 1 ( . . . 0 . . . ) . . 8 1 ( . . . . . . . ) . . C 1 ( . . . D . M . ) . . F 1 ( . . . . . 7 . ) . . . . I 1 ( . . . . . R .
Data Raw:00 00 60 31 28 00 20 c7 29 00 20 00 61 31 28 00 3c c7 29 00 20 00 63 31 28 00 74 c7 29 00 0d 00 0a 00 0d 00 0a 00 5b 00 99 bd 84 c7 20 00 31 00 5d 00 20 00 20 00 04 c7 58 c7 20 00 90 c7 a8 ba 5c b8 68 c3 20 00 01 c8 44 c7 20 00 18 c2 20 00 c6 c5 94 b2 20 00 8c c1 ac b9 94 b2 20 00 50 b4 20 00 1c ac 20 00 74 c7 c1 c0 58 c7 20 00 90 c7 a8 ba 7c b9 20 00 b4 c5 b8 c6 ec b7 1c c1 20 00
Stream Path: FileHeader, File Type: Hangul (Korean) Word Processor File 3.0, Stream Size: 256
General
Stream Path:FileHeader
File Type:Hangul (Korean) Word Processor File 3.0
Stream Size:256
Entropy:0.782557248506
Base64 Encoded:False
Data ASCII:H W P D o c u m e n t F i l e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:48 57 50 20 44 6f 63 75 6d 65 6e 74 20 46 69 6c 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 03 00 05 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: PrvImage, File Type: GIF image data, version 89a, 177 x 250, Stream Size: 1834
General
Stream Path:PrvImage
File Type:GIF image data, version 89a, 177 x 250
Stream Size:1834
Entropy:7.1212405796
Base64 Encoded:False
Data ASCII:G I F 8 9 a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x x x k k k ] ] ] P P P C C C 5 5 5 ( ( ( . . . . . . . . . . . . . . . . . . . . . . d ` . L H . 0 0 . . . . . . . . . . . . . . . . . . . . . ` . . H . . . . . . . . . . . . . . . . ` . . H . . 0 . . . . | . . p . . d . . X . . L . . @ . ` 0 . H . . . . . . . . . . . . . . . ` . . H . . 0 . . . . . . . . . . . . . . . . . . . . . ` d . H L . . . . . . . . . . . . . . . `
Data Raw:47 49 46 38 39 61 b1 00 fa 00 f7 00 00 00 00 00 80 00 00 00 80 00 80 80 00 00 00 80 80 00 80 00 80 80 c0 c0 c0 fe fe fe f1 f1 f1 e4 e4 e4 d6 d6 d6 c9 c9 c9 bb bb bb ae ae ae a1 a1 a1 93 93 93 86 86 86 78 78 78 6b 6b 6b 5d 5d 5d 50 50 50 43 43 43 35 35 35 28 28 28 1a 1a 1a 0d 0d 0d 01 01 01 f8 cc c8 f8 b0 b0 f8 98 98 f8 80 80 f8 64 60 f8 4c 48 f8 30 30 f8 18 18 f8 00 00 e0 00 00 c8
Stream Path: PrvText, File Type: data, Stream Size: 2044
General
Stream Path:PrvText
File Type:data
Stream Size:2044
Entropy:5.07779193597
Base64 Encoded:False
Data ASCII:8 . P . . . . . . . . . . . 8 . 8 . - . 1 . . 8 . ( . 1 . 9 . 8 . 8 . . . . 1 . . . . 1 . 9 . . . ) . . . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . Y . . 1 . 0 . . . . . . . . . . . . . . . . . . . . . . 1 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . 1 . 1 . . . . . . . . . . . . . . . . . . . . . . . . 1 . 1 . . . . . . . . . . . . . l . . . L . T . . 1 . 2 . . . . . . . . . . . . . . 7 1 . . . . . .
Data Raw:38 bb 50 ad 80 bd 20 00 e0 ac dc c2 20 00 1c c8 38 00 38 00 2d 00 31 00 20 00 38 d6 28 00 31 00 39 00 38 00 38 00 2e 00 20 00 31 00 2e 00 20 00 31 00 39 00 2e 00 29 00 0d 00 0a 00 0d 00 0a 00 5c d5 00 ae 20 00 de b9 a4 cd 95 bc 0d 00 0a 00 0d 00 0a 00 1c c8 11 ff a5 c7 20 00 20 00 1d cd 59 ce 20 00 31 00 30 00 0d 00 0a 00 0d 00 0a 00 1c c8 12 ff a5 c7 20 00 20 00 90 c7 a8 ba 20 00
Stream Path: Scripts/DefaultJScript, File Type: data, Stream Size: 136
General
Stream Path:Scripts/DefaultJScript
File Type:data
Stream Size:136
Entropy:6.5155919772
Base64 Encoded:False
Data ASCII:u . . . . @ . D O . . . . . 6 . C , H , . . . # . G B ! k . . 0 ~ . . . 6 * 7 . . . . = . M . . . . . . . . . . * Z : . . . . . # . . ? . . . . * ? . . T @ . . . . Y . . . . . . ~ X + m . . j 3 . . . . . ' m . [ v . | : . . . . j ) % C $ M . . . . . . 5 # . . . . . . . .
Data Raw:75 8e bb 0e 82 40 14 44 4f 8b 09 ff b0 a5 36 d0 43 2c 48 2c ac a4 b5 23 84 47 42 21 6b 14 a1 30 7e bb 0c 0b 36 2a 37 99 c9 cd dc 3d 93 4d 81 9e 9c 1b 86 03 96 82 07 17 2a 5a 3a ee ca f6 d2 99 23 03 d7 3f f7 18 9f cd 2a 3f d3 bf 54 40 a2 a4 a3 11 59 91 ad f6 cf ed a1 7e 58 2b 6d 17 c6 6a 33 a4 f2 ef f7 19 27 6d 03 5b 76 8e 7c 3a f7 d4 10 ea 6a 29 25 43 24 4d f9 cb f9 a4 cf bc 35 23
Stream Path: Scripts/JScriptVersion, File Type: data, Stream Size: 13
General
Stream Path:Scripts/JScriptVersion
File Type:data
Stream Size:13
Entropy:2.80739045088
Base64 Encoded:False
Data ASCII:c d . . . . . . . . . . .
Data Raw:63 64 80 00 00 f7 df 88 a9 08 00 00 00

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly
