31.0.0 Red Diamond
IR
332936
CloudBasic
22:12:13
21/12/2020
GT-9333 Medical report COVID-19.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
a111ce91bd895c36fa2573483ddba7ef
d4ef1a6f54d64ec0398fac3a2f3e2694d7ed8cb5
f2ebfaec6ca0aeaf9fca020147398f74d7500b6be6259fc2eb4bb2e968e0cafe
Microsoft Word document (32009/1) 54.23%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{78474F9B-DE8E-4300-98F0-AE5841A8170E}.tmp
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8389C138-A4A2-4116-9DB9-6D688B84E1DE}.tmp
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\GT-9333 Medical report COVID-19.LNK
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5EXUK8NUVGJWY1Z9OMU.temp
C:\Users\user\Desktop\~$-9333 Medical report COVID-19.doc
C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)