Play interactive tour
Edit tourAnalysis Report v22Pc0qA.doc.part
Overview
General Information
| Sample Name: | v22Pc0qA.doc.part (renamed file extension from part to doc) |
| Analysis ID: | 347028 |
| MD5: | 7a7d325948481b0557b035249bf5c96a |
| SHA1: | 0529727ffad8388fc94155d1652ca65189cda5df |
| SHA256: | 47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919 |
Most interesting Screenshot:  | |
Detection
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops certificate files (DER)
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Startup |
|---|
|
