Play interactive tourEdit tour
Analysis Report COVID-19.doc
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious javascript / visual basic script found (invalid extension)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Document contains embedded VBA macros
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Compliance: |
---|
Uses new MSVCR Dlls | Show sources |
Source: | File opened: |
Binary contains paths to debug symbols | Show sources |
Source: | Binary string: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |