Analysis Report acceptable_use_policy.docm
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | JA3 fingerprint: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary: |
---|
Document contains an embedded VBA macro which may execute processes |
Source: | OLE, VBA macro line: |
Document contains an embedded VBA with functions possibly related to ADO stream file operations |
Source: | Stream path 'VBA/ThisDocument' : |
Document contains an embedded VBA with functions possibly related to HTTP operations |
Source: | Stream path 'VBA/ThisDocument' : |
Source: | OLE, VBA macro line: |
Source: | OLE indicator, VBA macros: |
Source: | OLE indicator has summary info: |
Source: | OLE indicator application name: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | OLE document summary: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting32 | Path Interception | Path Interception | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting32 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer1 | SIM Card Swap | Carrier Billing Fraud |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
60% | Virustotal | Browse | ||
48% | ReversingLabs | Script.Downloader.Obfuser | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
intergalacticaeronautic.space | 91.195.240.13 | true | false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.195.240.13 | unknown | Germany | 47846 | SEDO-ASDE | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 321433 |
Start date: | 22.11.2020 |
Start time: | 05:25:47 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | acceptable_use_policy.docm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Without Instrumentation |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.winDOCM@1/8@1/1 |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
91.195.240.13 | Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
intergalacticaeronautic.space | Get hash | malicious | Browse |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
SEDO-ASDE | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | Get hash | malicious | Browse |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 744948 |
Entropy (8bit): | 7.97918320978916 |
Encrypted: | false |
SSDEEP: | 12288:dw0QEKpz/X0Ud46KsXhbSPhSxIxTqwwptJ22/baZ2J/SBxgX:2UKpzMn6LB5xmTqwwLc2FSBiX |
MD5: | E7A283B2CCDE766B77C60644B7F72B2C |
SHA1: | 4D8A980624A17367D0B2D9CCB3943F384D01B220 |
SHA-256: | 206E88CFFEF3DEE1D444C7D9FBDB8F856006313CADC1039AEDD33A985C163D1A |
SHA-512: | 5C0B8237532DE1F6BEE720878B43715EFC851A97D652FA0E982A7AE20A19ABD38CA528326DEDB721916A43F695026FEB976712C5D29C47B4D19FD92B7FD85169 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 39472 |
Entropy (8bit): | 4.066178166502722 |
Encrypted: | false |
SSDEEP: | 768:+wXnxdZBHbJ5LhVgkABKEuzs3ouLORZkFzj6ShJ7VHzwNgNRIhfYXZBFQg/rV:jcZVB |
MD5: | 57D7AA4E6175483DDB8834C2364A477F |
SHA1: | FE8050F47CBC7C948FA0F1C3F59909B1F29B99B1 |
SHA-256: | 43A8B278C9CDC38CA5DA4158DE11859122EDB17EB77618ED0DB0824FFC5362AF |
SHA-512: | 9A7D6623A1C694D0EC3A9CB84E8F7731397CF8DB1FF9C7A01961F1412C1E1786AD478202DA978A96682F86FB8516009D78D4D1C9489CA7E7914324D2D8CCE296 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 663 |
Entropy (8bit): | 5.949125862393289 |
Encrypted: | false |
SSDEEP: | 12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF |
MD5: | ED3C1C40B68BA4F40DB15529D5443DEC |
SHA1: | 831AF99BB64A04617E0A42EA898756F9E0E0BCCA |
SHA-256: | 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A |
SHA-512: | C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2148 |
Entropy (8bit): | 4.546337217435686 |
Encrypted: | false |
SSDEEP: | 48:8Uh/XT3In1tMhVsMtfQh2Uh/XT3In1tMhVsMtfQ/:86/XLIn1+fQh26/XLIn1+fQ/ |
MD5: | 2AA6C51FCC180F14AAD3C675F445A500 |
SHA1: | 3452588CDB5165420C200479F255C5B78BC298FE |
SHA-256: | 6A6508BD15C5AB3F9B6448C8A4E555C78758FDBEFD321A3FC90DDC4141D5D223 |
SHA-512: | 2FBF47B0B9A844C924F58B3A96897365565A22EA511EB624A4A4B420E2E57EA23FF8E52DD9301EDE8AF3D8F6D0FD5F3B915737D257E0401609589089DAA01C29 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 103 |
Entropy (8bit): | 4.420825796534245 |
Encrypted: | false |
SSDEEP: | 3:HPRwcMM9ScGFcMM9SmxWPRwcMM9Sv:HPRsRtRsB |
MD5: | F00316F5A9D15C15D275B9DE5D78CBDC |
SHA1: | 12DE6B187B39A5D2EFFEDFED5BDC82CA58387BA3 |
SHA-256: | 2636F92F51379294E3BE95E5D7622227B77583233D00C1F9CF686332FA537D46 |
SHA-512: | 22308C2BDDED6D8EC028C6A24121AECD15DA76D3EF26E6CA6429D6B30E4D01D7C8E72ECBE24B7331CB0B712E9D9D905772A41347F28C8C04275A5B796F8C9443 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.974352084549378 |
TrID: |
File name: | acceptable_use_policy.docm |
File size: | 785211 |
MD5: | d651d3331b60eeeb49eb0fdc17b7b1df |
SHA1: | bb816e1502b0baaa77742fde8c25bbc42c717674 |
SHA256: | a0a9eca457bd72df44a7ff398b5b4469bb4d1057fd43d7906c948b99f7be51ca |
SHA512: | 48ab987baa051f3c95c205ff3c65f0f77389f92a74791e44195c655c4e84523112ac9e060a31679994c47e6677c7f7bde6d84521684ed3cdee86c1df16270ed6 |
SSDEEP: | 12288:Jnw0QEKpz/X0Ud46KsXhbSPhSxIxTqwwptJ22/baZ2J/SBxgegx:JwUKpzMn6LB5xmTqwwLc2FSBi5x |
File Content Preview: | PK..........!.?9..............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e6a2a2acbcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/321433/sample/acceptable_use_policy.docm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Title: | |
Subject: | |
Author: | |
Keywords: | |
Template: | |
Last Saved By: | |
Revision Number: | 10 |
Total Edit Time: | 7 |
Create Time: | 2019-10-23T16:40:00Z |
Last Saved Time: | 2020-06-04T00:49:00Z |
Number of Pages: | 7 |
Number of Words: | 1990 |
Number of Characters: | 11349 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Number of Lines: | 94 |
Number of Paragraphs: | 26 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0000 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 3038 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 3038 |
Data ASCII: | . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . > I M + # $ M . G . . H . . . . y . . . . $ @ . . + . 6 = . . . . . . . . . . . . . . . . . . . . . . q 2 . P . . H K . . . . / + 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . q 2 . P . . H K . . . . / + 8 . . > I M + # $ M . G . . H . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 01 00 04 00 01 00 00 16 06 00 00 e4 00 00 00 62 02 00 00 92 06 00 00 a0 06 00 00 d8 09 00 00 00 00 00 00 01 00 00 00 4d 9e bb bb 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 c3 3e 49 4d 2b 23 24 4d ad 47 8a 0d 48 a3 bf 9c 2e 79 0d df 0e bd 24 40 b7 c5 2b ee 36 3d 86 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Shell(l, |
o.Close |
o.Write |
VB_Name |
VB_Creatable |
VB_Exposed |
r.Status |
ActiveDocument.Path |
"GET", |
o.SaveToFile |
CreateObject("Microsoft.XMLHTTP") |
String |
Object |
o.Type |
CreateObject("ADODB.Stream") |
VB_Customizable |
r.send |
o.Open |
"https://intergalacticaeronautic.space/lsass.exe" |
Document_Open() |
r.Open |
VB_TemplateDerived |
"ThisDocument" |
False |
"\lsass.exe" |
Attribute |
Private |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
r.responseBody |
VBA Code |
---|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 366 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 366 |
Entropy: | 5.32151305526 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 4 5 8 7 1 3 E 5 - 7 7 D A - 4 E C 6 - 9 0 7 7 - 0 1 1 A C 2 4 A 7 C 1 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 9 B B 0 6 7 E 0 A 7 E 0 A 7 E 0 A 7 E 0 A " . . D P B = " 7 2 7 0 C D 9 6 8 7 9 7 8 7 9 7 8 7 " . . G C = " 2 B 2 9 9 4 5 1 4 C 5 2 4 C 5 2 B 3 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 |
Data Raw: | 49 44 3d 22 7b 34 35 38 37 31 33 45 35 2d 37 37 44 41 2d 34 45 43 36 2d 39 30 37 37 2d 30 31 31 41 43 32 34 41 37 43 31 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 41 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 41 |
Entropy: | 3.07738448508 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2765 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2765 |
Entropy: | 4.23158328116 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . |
Data Raw: | cc 61 af 00 00 01 00 ff 09 0c 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1752 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 1752 |
Entropy: | 4.25450094175 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . N . . . x | . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . |
Data Raw: | 93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 102 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 102 |
Entropy: | 2.15571505385 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . p . . . . . . . |
Data Raw: | 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 f9 02 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00 |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 796 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 796 |
Entropy: | 3.84331960003 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 01 00 01 00 14 00 00 00 c1 06 00 00 00 00 00 00 61 0a 00 00 00 00 00 00 e1 07 00 00 00 00 00 00 b9 07 00 00 00 00 00 00 91 05 00 00 00 00 00 00 09 08 00 00 00 00 00 00 a1 08 00 00 00 00 00 00 49 08 00 00 00 00 00 00 99 0a 00 00 00 00 |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 103 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 103 |
Entropy: | 2.08761800893 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 04 60 00 00 00 07 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00 |
Stream Path: VBA/dir, File Type: shared library, Stream Size: 520 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | shared library |
Stream Size: | 520 |
Entropy: | 6.28781093451 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . t . ` . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . . |
Data Raw: | 01 04 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d4 74 c4 60 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 22, 2020 05:26:35.400079966 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.421724081 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.421921015 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.438941956 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.460361958 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.473778009 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.473817110 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.473855972 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.473896980 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.473954916 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.474001884 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.474016905 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.490066051 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.511388063 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.512128115 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.512283087 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.747023106 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:26:35.768531084 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.770025015 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:26:35.770287991 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:27:05.767843962 CET | 443 | 49167 | 91.195.240.13 | 192.168.2.22 |
Nov 22, 2020 05:27:05.768265009 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:35.265744925 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:35.576322079 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:36.184886932 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:37.386272907 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:39.788851023 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:44.593875885 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
Nov 22, 2020 05:28:54.204447985 CET | 49167 | 443 | 192.168.2.22 | 91.195.240.13 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 22, 2020 05:26:35.339055061 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Nov 22, 2020 05:26:35.383471966 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 22, 2020 05:26:35.339055061 CET | 192.168.2.22 | 8.8.8.8 | 0x887e | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 22, 2020 05:26:35.383471966 CET | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | 91.195.240.13 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Nov 22, 2020 05:26:35.473896980 CET | 91.195.240.13 | 443 | 192.168.2.22 | 49167 | CN=intergalacticaeronautic.space | CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Jun 29 02:00:00 CEST 2020 | Wed Jun 30 14:00:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b |
| | | | | CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 27 13:46:10 CET 2017 | Sat Nov 27 13:46:10 CET 2027 | | |
| | | | | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Fri Nov 10 01:00:00 CET 2006 | Mon Nov 10 01:00:00 CET 2031 | | |
Code Manipulations |
---|
Statistics |
---|
System Behavior |
---|
General |
---|
Start time: | 05:26:33 |
Start date: | 22/11/2020 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fe80000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|