Loading ...

Play interactive tourEdit tour

Analysis Report Coronavirus_Informations.doc


General Information

Sample Name:Coronavirus_Informations.doc

Most interesting Screenshot:


Range:0 - 100


Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: MS Office Product Spawning Exe in User Dir
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)