
Analysis Report a.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 188550
Start date: 08.11.2019
Start time: 14:08:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: a.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of newly started processes analysed: 3
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA (Hybrid Code Analysis) enabled
  • EGA (Execution Graph Analysis) enabled
  • HDC (Hybrid Decompilation) enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winDOC@1/16@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 23.8% (good quality ratio 21.3%)
  • Quality average: 69.2%
  • Quality standard deviation: 30.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
Warnings:
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Excluded processes from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 13.107.4.50
  • Excluded domains from analysis (whitelisted): au.au-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, au.c-0001.c-msedge.net, apps.identrust.com
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Get2Downloader | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

The matrix is listed here by tactic column. The bracketed digits are the report's signature-count badges, reproduced as extracted; techniques without a badge are the matrix's unflagged placeholder cells, not observed behaviour.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Scripting [32]; Exploitation for Client Execution [23]; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection [1]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Disabling Security Tools [1]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Scripting [32]; Obfuscated Files or Information [11]
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [11]; System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote File Copy [1]; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Encrypted [11]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol [12]; Remote File Copy [1]; Standard Non-Application Layer Protocol [2]; Standard Application Layer Protocol [2]; Standard Cryptographic Protocol

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  Source: a.doc | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
  Source: a.doc | Virustotal: Detection: 25%

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll
Document exploit detected (drops PE files)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: scheduler_a.dll.0.dr
Potential document exploit detected (performs DNS queries)
  Source: global traffic | DNS query: name: microsoft-hub-us.com
Potential document exploit detected (performs HTTP gets)
  Source: global traffic | TCP traffic: 192.168.2.2:49221 -> 195.123.246.12:443
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic | TCP traffic: 192.168.2.2:49221 -> 195.123.246.12:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Found strings which match known social media URLs
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: microsoft-hub-us.com
Urls found in memory or binary data
  Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabHa
  Source: WINWORD.EXE, 00000000.00000002.4420723982.036E0000.00000004.00000040.sdmp | String found in binary or memory: http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsdes
  Source: WINWORD.EXE, 00000000.00000002.4420723982.036E0000.00000004.00000040.sdmp | String found in binary or memory: http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsdom
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
  Source: WINWORD.EXE, 00000000.00000002.4426286075.07CDE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.open
  Source: WINWORD.EXE, 00000000.00000002.4426286075.07CDE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
  Source: WINWORD.EXE, 00000000.00000002.4417321772.017F8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.openformatrg/package/2006/r
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
  Source: WINWORD.EXE, 00000000.00000002.4415983891.004A3000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
  Source: WINWORD.EXE | String found in binary or memory: https://microsoft-hub-us.com/vist
  Source: WINWORD.EXE, 00000000.00000002.4429756634.10000000.00000040.00020000.sdmp | String found in binary or memory: https://microsoft-hub-us.com/vist%dContent-Length:
  Source: WINWORD.EXE, 00000000.00000002.4429427464.0A190000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49221
  Source: unknown | Network traffic detected: HTTP traffic on port 49221 -> 443
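The JA3 entry in this section identifies the TLS client by hashing fields of its ClientHello, not by anything in the payload. The fingerprint is produced by whatever TLS stack runs inside WINWORD.EXE, so the same hash will show up on benign clients that use the same stack on the same OS; treat it as corroboration of the port 443 connection to 195.123.246.12, not as a family signature. Note also that the analysis ended on timeout (see General Information), so anything fetched after the captured exchange is not in this report. The Python below is an added worked example, not part of the Joe Sandbox report, showing how a JA3 string and hash are derived from a raw ClientHello record: GREASE values are dropped, and the SNI is pulled out so it can be tied to the DNS query for microsoft-hub-us.com. The ClientHello is constructed in the block (zeroed random, a hypothetical cipher and extension list); it is not a capture from this run and its hash will not equal the report's 05af1f5ca1b87cc9cc9b25185115607d.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_from_client_hello(record: bytes) -> Dict[str, Optional[str]]:
    """Parse a TLS record carrying a ClientHello; return JA3 string, its MD5 and the SNI.

    JA3 = version,ciphers,extensions,supported_groups,ec_point_formats as decimal,
    dash-separated lists, then MD5. Only the fields JA3 needs are decoded.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    off = 0
    version = int.from_bytes(body[off:off + 2], "big"); off += 2
    off += 32                                    # client random
    off += 1 + body[off]                         # session id, length-prefixed
    cs_len = int.from_bytes(body[off:off + 2], "big"); off += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                         # compression methods

    ext_types: List[int] = []
    groups: List[int] = []
    formats: List[int] = []
    sni: Optional[str] = None
    if off + 2 <= len(body):
        end = off + 2 + int.from_bytes(body[off:off + 2], "big"); off += 2
        while off + 4 <= end:
            etype = int.from_bytes(body[off:off + 2], "big")
            elen = int.from_bytes(body[off + 2:off + 4], "big")
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            ext_types.append(etype)
            if etype == 0 and len(data) >= 5:    # server_name: list_len(2) type(1) name_len(2) name
                name_len = int.from_bytes(data[3:5], "big")
                sni = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == 10:                    # supported_groups: list_len(2) then u16 ids
                glen = int.from_bytes(data[0:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + glen, 2)]
            elif etype == 11:                    # ec_point_formats: len(1) then u8 ids
                formats = list(data[1:1 + data[0]])

    ja3 = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(e) for e in ext_types if not is_grease(e)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])
    return {"ja3": ja3, "md5": hashlib.md5(ja3.encode()).hexdigest(), "sni": sni}


# ---- constructed sample ClientHello (not a capture from the sandbox run) ----
def _u16(v: int) -> bytes:
    return v.to_bytes(2, "big")


def build_client_hello(version: int, ciphers: List[int],
                       extensions: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal ClientHello in a TLS record: zeroed random, no session id."""
    ext_blob = b"".join(_u16(t) + _u16(len(d)) + d for t, d in extensions)
    body = (_u16(version) + bytes(32) + b"\x00"
            + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
            + b"\x01\x00"                        # one compression method: null
            + _u16(len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


HOST = b"microsoft-hub-us.com"                   # the domain from the report's DNS query
SAMPLE_HELLO = build_client_hello(
    0x0303,                                      # TLS 1.2 => "771" in the JA3 string
    [0x0A0A, 0x1301, 0xC02B, 0xC02F, 0x002F],    # first entry is GREASE and must be dropped
    [
        (0x1A1A, b""),                                                   # GREASE extension
        (0, _u16(3 + len(HOST)) + b"\x00" + _u16(len(HOST)) + HOST),    # server_name
        (10, _u16(8) + _u16(0x0A0A) + _u16(0x001D) + _u16(0x0017) + _u16(0x0018)),  # groups
        (11, b"\x01\x00"),                                               # uncompressed points
        (13, _u16(4) + _u16(0x0403) + _u16(0x0804)),                     # signature_algorithms
    ],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_HELLO))
```

Pointed at a real capture, the same function takes the first record of the client's first TLS flight; if the JA3 string, not just the hash, is kept alongside the alert, an analyst can see which field (cipher order, extension list) makes a hash rare rather than guessing from 32 hex characters.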

System Summary:

Document contains an embedded VBA macro with suspicious strings
  Source: a.doc | OLE, VBA macro line: Public Declare PtrSafe Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
  Source: a.doc | OLE, VBA macro line: Public Declare Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
  Source: a.doc | OLE, VBA macro line: UserForm2.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")
Document contains an embedded VBA with functions possibly related to ADO stream file operations
  Source: a.doc | Stream path 'Macros/VBA/Module3': found possibly 'ADODB.Stream' functions mode, position, open, read, write
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
  Source: a.doc | Stream path 'Macros/VBA/Module3': found possibly 'WScript.Shell' functions environment, specialfolders, exec, expandenvironmentstrings, environ
Office process drops PE file
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll
Detected potential crypto function
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_10003A6D
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_100026FE
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_10014800
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1001F820
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1001C83F
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_100048C8
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000E0E9
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000E936
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_100111F8
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000A200
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000DB40
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000DBED
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_10011427
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000E501
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1000ED6B
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: 0_2_1001CEE9
Document contains an embedded VBA macro which executes code when the document is opened / closed
  Source: a.doc | OLE, VBA macro line: result = FMOD_Sys.tem_CreateStream(System, "../../examples/media/wave.mp3", FMOD_OPENONLY Or FMOD_ACCURATETIME, Sound)
  Source: a.doc | OLE, VBA macro line: result = FMOD_Sys.tem_Close(System)
  Source: a.doc | OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
  Source: a.doc | OLE indicator, VBA macros: true
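The "Document exploit detected" signatures earlier in the report fire on behaviour (file drops and outbound traffic from WINWORD.EXE); the execution path the report actually evidences is a VBA macro. It has a Document_Open handler, two Declare statements that import kernel32!LoadLibraryW under the renamed function PORDMN2 (one PtrSafe and one not, the usual pair for VBA7 and older hosts), and an ExpandEnvironmentStrings call that resolves a path stored in a form control. Renaming the VBA-side function hides nothing, because the Alias string still has to spell the real export. The Python below is an added example, not code from the report or from Joe Sandbox, that triages extracted macro source on exactly those features: it resolves aliased API imports to their exports, finds later uses of the renamed function, and lists auto-run procedures. The embedded sample macro copies the three lines the report quotes; the #If VBA7 wrapper and the final PORDMN2 call site are constructed stand-ins for what the report does not show.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Win32 exports a document macro has no business importing. The VBA-side name can be
# anything (the report's macro calls it PORDMN2), but the Alias string must spell the
# real export, so matching on the alias survives the renaming.
RISKY_EXPORTS = {
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress",
    "CreateThread", "CreateRemoteThread", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
    "WriteProcessMemory", "RtlMoveMemory", "CreateProcessA", "CreateProcessW", "WinExec",
    "ShellExecuteA", "ShellExecuteW", "URLDownloadToFileA", "URLDownloadToFileW",
}
AUTOEXEC = {"document_open", "autoopen", "auto_open", "document_close", "autoclose",
            "auto_close", "document_new", "autonew", "autoexec", "workbook_open"}
SUSPICIOUS_MARKERS = ("ExpandEnvironmentStrings", "ADODB.Stream", "WScript.Shell",
                      "CreateObject", "Environ(", "SpecialFolders", ".Exec(")

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.IGNORECASE)


@dataclass
class Findings:
    declares: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (vba name, lib, export, line)
    autoexec: List[str] = field(default_factory=list)                        # auto-run procedure names
    calls: List[Tuple[str, int]] = field(default_factory=list)               # (export, line) uses of risky imports
    suspicious: List[Tuple[str, int]] = field(default_factory=list)          # (marker, line)


def triage_vba(src: str) -> Findings:
    """One pass over decompressed VBA source; maps renamed API imports back to exports."""
    f = Findings()
    risky_names = {}                              # lower-cased VBA name -> real export
    for no, line in enumerate(src.splitlines(), 1):
        m = DECLARE_RE.search(line)
        if m:
            name, lib, export = m.group(1), m.group(2), m.group(3) or m.group(1)
            f.declares.append((name, lib, export, no))
            if export in RISKY_EXPORTS:
                risky_names[name.lower()] = export
            continue
        m = PROC_RE.match(line)
        if m and m.group(1).lower() in AUTOEXEC:
            f.autoexec.append(m.group(1))
        low = line.lower()
        for marker in SUSPICIOUS_MARKERS:
            if marker.lower() in low:
                f.suspicious.append((marker, no))
        for name, export in risky_names.items():
            if re.search(r"\b" + re.escape(name) + r"\b", low):
                f.calls.append((export, no))
    return f


def verdict(f: Findings) -> str:
    """'high' when a risky import sits in a document that auto-runs code; 'medium' otherwise."""
    risky = any(d[2] in RISKY_EXPORTS for d in f.declares)
    if risky and f.autoexec:
        return "high"
    if risky or (f.autoexec and f.suspicious):
        return "medium"
    return "low"


# Constructed sample: the two Declare lines, the ExpandEnvironmentStrings line and the
# Document_Open header are the ones quoted in the report; the #If VBA7 wrapper and the
# PORDMN2 call site are stand-ins for macro content the report does not show.
SAMPLE_VBA = r'''#If VBA7 Then
Public Declare PtrSafe Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
Public Declare Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#End If

Private Sub Document_Open()
    UserForm2.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")
    PORDMN2 UserForm2.TextBox1.Tag & "\Microsoft\Windows\Templates\scheduler_a.dll"
End Sub
'''

if __name__ == "__main__":
    found = triage_vba(SAMPLE_VBA)
    print(verdict(found), found)
```

The source text would come from a macro extractor such as olevba; the point of resolving the alias is that a rule keyed on the literal string "LoadLibraryW" still fires even though no call in the macro body ever mentions that name.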
Dropped file seen in connection with other malware
  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll 8F7E023DC4DBCDC54EB908B7C1C752A0A1F29BB6521686376F968090549E653E
Found potential string decryption / allocating functions
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Code function: String function: 1000B7F0 appears 42 times
Sample file is different than original file name gathered from version info
  Source: a.doc | Binary or memory string: OriginalFilenameInitScope.dll. vs a.doc
Yara signature match
  Source: 00000000.00000002.4429756634.10000000.00000040.00020000.sdmp, type: MEMORY | Matched rule: ReflectiveLoader, description = Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score =
  Source: 0.2.WINWORD.EXE.10000000.15.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader, description = Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score =
  Source: 0.2.WINWORD.EXE.10000000.15.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader, description = Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score =
Classification label
  Source: classification engine | Classification label: mal100.expl.evad.winDOC@1/16@2/1
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$a.doc
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR93DA.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
  Source: a.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
  Source: a.doc | OLE document summary: edited time not present or 0
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Sample is known by Antivirus
  Source: a.doc | Virustotal: Detection: 25%
Executable creates window controls seldom found in malware
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
  Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
  Source: WINWORD.EXE, 00000000.00000002.4420248832.03590000.00000002.00000001.sdmp | Binary string: D:\office\Target\word\x86\ship\0\msword.PDB
Document has a 'bytes' value indicative of goodware
  Source: a.doc | Initial sample: OLE document summary bytes = 81051
Document has a 'subject' value indicative of goodware
  Source: a.doc | Initial sample: OLE summary subject = JXhFkBu

Persistence and Installation Behavior:

Drops PE files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (this entry is repeated 106 times in the report; one copy is kept here)
Document contains OLE streams with high entropy indicating encrypted embedded content
  Source: a.doc | Stream path 'WordDocument' entropy: 7.93656214798 (max. 8.0)
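The entropy signature above scores the whole WordDocument stream at 7.94 bits per byte, close to the 8.0 maximum, which is what an encrypted or compressed blob embedded in the stream looks like; plain Word text sits well below 5. A whole-stream figure does not say where the blob is. The Python below is an added example, not part of the report, that computes Shannon entropy and then scans a stream with a sliding window, merging the windows that exceed a threshold into spans, which is where you would start carving the dropped payload out of the document. The input is a constructed byte string (low-entropy filler around a seeded pseudo-random blob), not the stream from a.doc; the window, step and threshold values are choices, not parameters from the report.

```python
import math
import random
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 256,
                         threshold: float = 7.5) -> List[Tuple[int, int, float]]:
    """Slide a window over the stream and merge overlapping windows whose entropy is at
    or above `threshold`. Returns (start, end, peak_window_entropy), end exclusive."""
    regions: List[Tuple[int, int, float]] = []
    last_start = max(0, len(data) - window)
    for off in range(0, last_start + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:        # overlaps or touches the previous span
            s, _, best = regions[-1]
            regions[-1] = (s, end, max(best, h))
        else:
            regions.append((off, end, h))
    return regions


def describe_stream(name: str, data: bytes) -> str:
    """A report-style summary line for one stream, plus the located high-entropy spans."""
    line = f"Stream '{name}' entropy: {shannon_entropy(data):.4f} (max. 8.0)"
    for s, e, h in high_entropy_regions(data):
        line += f"\n  high-entropy span [{s}, {e}) peak {h:.3f}"
    return line


# Constructed input: Word-like filler around an 8 KiB blob from a seeded PRNG, standing in
# for an encrypted payload embedded in the WordDocument stream. Not bytes from a.doc.
FILLER = b"Lorem ipsum dolor sit amet. " * 200             # 5600 bytes, about 3.7 bits/byte
_rng = random.Random(20191108)
BLOB = bytes(_rng.getrandbits(8) for _ in range(8192))     # about 7.8 bits/byte per 1 KiB window
SAMPLE_STREAM = FILLER + BLOB + FILLER

if __name__ == "__main__":
    print(describe_stream("WordDocument", SAMPLE_STREAM))
```

To run this against the real document, read the stream with olefile (`olefile.OleFileIO(path).openstream("WordDocument").read()`) and pass the bytes to describe_stream; the span boundaries land within one window of the blob because the edge windows mix filler and payload bytes, so carve with a small margin on each side.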

Malware Analysis System Evasion:

Found large amount of non-executed APIs
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | API coverage: 9.8 %
Queries a list of all running processes
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Code function: 0_2_1001584F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Code function: 0_2_02EE0830 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll
May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE, 00000000.00000002.4416220516.00690000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000000.00000002.4416220516.00690000.00000002.00000001.sdmp Binary or memory string: Progman
Source: WINWORD.EXE, 00000000.00000002.4416220516.00690000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Code function: 0_2_1000B63A cpuid

Behavior Graph

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source   Detection   Scanner          Label
a.doc    25%         Virustotal
a.doc    100%        Joe Sandbox ML

Dropped Files

Source                                                                      Detection   Scanner          Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll   100%        Joe Sandbox ML

Unpacked PE Files

Source                                 Detection   Scanner   Label
0.2.WINWORD.EXE.10000000.15.unpack     100%        Avira     TR/Crypt.XPACK.Gen

Domains

Source                  Detection   Scanner      Label
microsoft-hub-us.com    0%          Virustotal

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source: 00000000.00000002.4429756634.10000000.00000040.00020000.sdmp
Rule: ReflectiveLoader
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Author: unknown
Strings: 0x34904:$s1: ReflectiveLoader

Unpacked PEs

Source: 0.2.WINWORD.EXE.10000000.15.raw.unpack
Rule: ReflectiveLoader
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Author: unknown
Strings: 0x34904:$s1: ReflectiveLoader

Source: 0.2.WINWORD.EXE.10000000.15.unpack
Rule: ReflectiveLoader
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Author: unknown
Strings: 0x34904:$s1: ReflectiveLoader

Sigma Overview


System Summary:

Sigma detected: Get2Downloader
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3676, TargetFilename: C:\Users\user~1\AppData\Local\Temp\oleObject1.bin

Joe Sandbox View / Context

IPs

Match             Associated Sample Name / URL   Detection
195.123.246.12    contract.doc                   malicious
                  contract1.doc                  malicious
                  contract.doc                   malicious

Domains

Match                   Associated Sample Name / URL   Detection   Context
microsoft-hub-us.com    contract.doc                   malicious   195.123.246.12
                        contract1.doc                  malicious   195.123.246.12
                        contract.doc                   malicious   195.123.246.12

ASN


JA3 Fingerprints


Dropped Files

Match                                                                       Associated Sample Name / URL   Detection
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll   contract.doc                   malicious
                                                                            contract1.doc                  malicious
                                                                            contract.doc                   malicious

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.