31.0.0 Emerald
IR
347028
CloudBasic
23:17:26
01/02/2021
v22Pc0qA.doc.part
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
7a7d325948481b0557b035249bf5c96a
0529727ffad8388fc94155d1652ca65189cda5df
47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919
Microsoft Word document (32009/1) 54.23%
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)