31.0.0 Emerald
IR
344065
CloudBasic
23:13:00
25/01/2021
Order.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
1a0ae833990a558910254e9bebfaeeaf
c6f348043fb590f9638ed792a331695475b79af1
5648715fe9ed7418d2d2b101a4ae8f4bb814ac68e422f78641595b37a83eb84e
Microsoft Word document (32009/1) 79.99%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07A78F5-D643-47FF-B622-0CF30ED55516}.tmp
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3975822-A796-4096-8B6B-C6BCF64E2588}.tmp
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Order.LNK
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y1B2TNFFMYFTDZJ3L541.temp
false
C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
true
C:\Users\user\Desktop\~$Order.doc
true
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet