31.0.0 Red Diamond
IR
336961
CloudBasic
13:52:57
07/01/2021
Informacion_4-09757.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
4adc5e8e53a40fd14ff90e99e94e39cb
406d00f10a2298acfe192fb85e870d5e5d094263
1c29c870c5c27cec2f22790ecc87e0c1c1ae59bd4e5c8204ec9182524d68d68f
Microsoft Word document (32009/1) 54.23%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4538A4CD-211A-44E2-8D58-9E77A8685DB1}.tmp
false
415FA7477DD74C9EBE83E5D6CCEB3772
25DCB4950FA783B96135CD7DD9B4767650823CD5
7BD09F56EE1526ABAD7B45333FF8E2AEE05C5AD4CD5767A4A3E04459C120362C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4F87BA3-97C0-4A14-814E-1968BCE52029}.tmp
false
5D4D94EE7E06BBB0AF9584119797B23A
DBB111419C704F116EFA8E72471DD83E86E49677
4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
false
3D7220D81CAAB25C480E3FA0D671FF85
871F5E801F756C8D843BA3127C3E068786BFA796
F559D79058031A577A8C9E6F46A2959332CAE13AD81B04ADADA3A2D436FEEAE1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Informacion_4-09757.LNK
false
A947F1D4309EB5BA75486764C6B2A32C
3F79C1CDEE10E9E73F00F031EBA22049B2D9DAC7
30A466857DE5BF1E57E9704127AA3A0E4DEECB719F723004142EBC2049BF26B0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
26DC406546A7A8CEB0E40BCFC4E6D5E5
F01C29F6B6646EBAC52A7BB7988786E8180342E9
886577290588080692A02C8C80EE249A37A4CE6623D57E5F90F03C0EBB0D9280
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
6AF5EAEBE6C935D9A5422D99EEE6BEF0
6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R35Y20JZF8WLXEKH5GYH.temp
false
14F063813E16DD0C7C71732BA038FEB5
F616F18CFDEE9FE06DAC2F93D33CC73A50E79F62
27B8A0FD2B4A50874EBCFA9D1F8B2DC9A66DDC450992E4D289CA9FDB1DB6A6DA
C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll
true
0BCAFFBDA4138F2EE2786CFD098C1DA9
3D6E52F126809C05E69F1D543B7F8D53435A8E17
5E9F4504B7E0938A2B2EB9A7F090BE9F4B1101AA3BE145A3B5895CB14BACD0EF
C:\Users\user\Desktop\~$formacion_4-09757.doc
false
6AF5EAEBE6C935D9A5422D99EEE6BEF0
6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
167.71.148.58
216.218.207.98
202.187.222.40
184.66.18.83
paulscomputing.com
true
216.218.207.98
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet