31.0.0 Red Diamond
IR
336504
CloudBasic
08:56:44
06/01/2021
PACK.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
d114fc2644da49f16a6be05bb0db6b08
6b5b6a9a5291b1b564ad3005c392ff1756ceef9e
d9687c1ca0f341d62cf664cdfe3c9741f1f48df25129df53df9ae81979e89a5d
Microsoft Word document (32009/1) 79.99%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E1AD59AA-72A2-4470-89E8-B7D87A58E0E0}.tmp
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PACK.LNK
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRJ1D8NWH1YIJYW9A2NJ.temp
C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
C:\Users\user\Desktop\~$PACK.doc
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet