Analysis Report acceptable_use_policy.docm

Overview

General Information

Sample Name: acceptable_use_policy.docm
Analysis ID: 321436
MD5: d651d3331b60eeeb49eb0fdc17b7b1df
SHA1: bb816e1502b0baaa77742fde8c25bbc42c717674
SHA256: a0a9eca457bd72df44a7ff398b5b4469bb4d1057fd43d7906c948b99f7be51ca

Most interesting Screenshot:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Machine Learning detection for sample
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: acceptable_use_policy.docm Virustotal: Detection: 59% Perma Link
Source: acceptable_use_policy.docm ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: acceptable_use_policy.docm Joe Sandbox ML: detected

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: winword.exe Memory has grown: Private usage: 5MB later: 40MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: intergalacticaeronautic.space
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.195.240.13:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.195.240.13:443

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.13 91.195.240.13
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{68A3A7DA-6F93-4194-97B0-E6749671AC21}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: intergalacticaeronautic.space
Source: ~WRS{EC050284-DAE8-4269-85E5-42AB58328FB4}.tmp.0.dr String found in binary or memory: http://www.sans.org/security-resources/glossary-of-terms/
Source: vbaProject.bin String found in binary or memory: https://intergalacticaeronautic.space/lsass.exe
Source: vbaProject.bin String found in binary or memory: https://intergalacticaeronautic.space/win32.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

barindex
Document contains an embedded VBA macro which may execute processes
Source: acceptable_use_policy.docm OLE, VBA macro line: z = Shell(l, 0)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: acceptable_use_policy.docm Stream path 'VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
Document contains an embedded VBA with functions possibly related to HTTP operations
Source: acceptable_use_policy.docm Stream path 'VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: acceptable_use_policy.docm OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: acceptable_use_policy.docm OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: acceptable_use_policy.docm OLE indicator has summary info: false
Document has an unknown application name
Source: acceptable_use_policy.docm OLE indicator application name: unknown
Source: classification engine Classification label: mal64.winDOCM@1/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ceptable_use_policy.docm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC283.tmp Jump to behavior
Source: acceptable_use_policy.docm OLE document summary: title field not present or empty
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: acceptable_use_policy.docm Virustotal: Detection: 59%
Source: acceptable_use_policy.docm ReversingLabs: Detection: 48%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: acceptable_use_policy.docm Initial sample: OLE zip file path = word/_rels/header1.xml.rels
Source: acceptable_use_policy.docm Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321436 Sample: acceptable_use_policy.docm Startdate: 22/11/2020 Architecture: WINDOWS Score: 64 10 Multi AV Scanner detection for submitted file 2->10 12 Machine Learning detection for sample 2->12 14 Document contains an embedded VBA with functions possibly related to ADO stream file operations 2->14 16 2 other signatures 2->16 5 WINWORD.EXE 13 28 2->5         started        process3 dnsIp4 8 intergalacticaeronautic.space 91.195.240.13, 443, 49167 SEDO-ASDE Germany 5->8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.195.240.13
unknown Germany
47846 SEDO-ASDE false

Contacted Domains

Name IP Active
intergalacticaeronautic.space 91.195.240.13 true