Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Source: |
File opened: |
Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: |
Section loaded: |
Jump to behavior |
Document exploit detected (process start blacklist hit) |
Source: |
Process created: |
Potential document exploit detected (performs DNS queries with low reputation score) |
Source: |
DNS query: |
Potential document exploit detected (performs DNS queries) |
Source: |
DNS query: |
Networking: |
---|
Office document connecting to suspicious TLD |
Source: |
DNS traffic detected: |
Outdated Microsoft Office dropper detected |
Source: |
DNS query: |
Performs DNS queries to domains with low reputation |
Source: |
DNS query: |
Tries to resolve domain names, but no domain seems valid (expired dropper behavior) |
Source: |
DNS traffic detected: |
Source: |
File created: |
Jump to behavior |
Source: |
DNS traffic detected: |
Source: |
String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
||
Source: |
Screenshot OCR: |
Contains functionality to create processes via WMI |
Found Excel 4.0 Macro with suspicious formulas |
Source: |
Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: |
Initial sample: |
Excel documents contains an embedded macro which executes code when the document is opened |
Source: |
Binary string: |
Source: |
Classification label: |
Source: |
File created: |
Jump to behavior |
Source: |
File created: |
Jump to behavior |
Source: |
WMI Queries: |
Source: |
File read: |
Jump to behavior |
Source: |
Key opened: |
Jump to behavior |
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
Jump to behavior |
Source: |
Key value queried: |
Jump to behavior |
Source: |
Window detected: |
Source: |
Initial sample: |
||
Source: |
Initial sample: |
||
Source: |
Initial sample: |
Source: |
Key opened: |
Jump to behavior |
Source: |
File opened: |
Jump to behavior |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: |
WMI Queries: |
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior |
Malware Analysis System Evasion: |
---|
May sleep (evasive loops) to hinder dynamic analysis |
Source: |
Thread sleep time: |
Jump to behavior |
Source: |
Key value queried: |
Jump to behavior |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|
Private |
---|
IP |
---|
192.168.2.255 |
Name | IP | Active |
---|---|---|
xherzog24pv.xyz | unknown | unknown |