Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to detect sleep reduction / modifications
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: System File Execution Location Anomaly
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match