Windows Analysis Report
Chapter 4 Test 4A--2013-2014.doc

Overview

General Information

Sample name: Chapter 4 Test 4A--2013-2014.doc
(renamed file extension from doc (HS-439-27423) to doc)
Original sample name: Chapter 4 Test 4A--2013-2014.doc (HS-439-27423)
Analysis ID: 1428864
MD5: 56e35d09e7579ef1741ec069a6181ff1
SHA1: 079e55a9cf75724ae89dce3e324467acac21ab72
SHA256: bbe1a7e68ed8344e33aed458b3cd5e7e739311ae864b7154964e6d4527e444aa
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Document contains Microsoft Equation 3.0 OLE entries
Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Chapter 4 Test 4A--2013-2014.doc Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Word\Chapter 4 Test 4A--2013-2014.doc Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Document contains Microsoft Equation 3.0 OLE entries
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160885555/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160885643/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160890263/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160890468/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160890548/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160890606/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1160890641/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1286867940/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc Stream path 'ObjectPool/_1286868111/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160885555/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160885643/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160890263/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160890468/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160890548/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160890606/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1160890641/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1286867940/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr Stream path 'ObjectPool/_1286868111/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD083452-12AD-436F-8C6B-DC3A21245609}.tmp Jump to behavior
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
Source: Chapter 4 Test 4A--2013-2014.doc OLE indicator, ObjectPool: true
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr OLE indicator, ObjectPool: true
Source: classification engine Classification label: mal56.winDOC@1/5@0/0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6A65.tmp Jump to behavior
Source: Chapter 4 Test 4A--2013-2014.doc OLE indicator, Word Document stream: true
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr OLE indicator, Word Document stream: true
Source: Chapter 4 Test 4A--2013-2014.doc OLE document summary: title field not present or empty
Source: Chapter 4 Test 4A--2013-2014.doc OLE document summary: author field not present or empty
Source: Chapter 4 Test 4A--2013-2014.doc OLE document summary: edited time not present or 0
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr OLE document summary: title field not present or empty
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr OLE document summary: author field not present or empty
Source: Chapter 4 Test 4A--2013-2014.doc.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Chapter 4 Test 4A--2013-2014.doc Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428864 Sample: Chapter 4 Test 4A--2013-201... Startdate: 19/04/2024 Architecture: WINDOWS Score: 56 10 Antivirus detection for dropped file 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 5 WINWORD.EXE 288 12 2->5         started        process3 file4 8 C:\Users\...\Chapter 4 Test 4A--2013-2014.doc, Composite 5->8 dropped
No contacted IP infos