Analysis Report Giam Gia Dien dich Covid-19.docx
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File opened: |
Source: | Memory has grown: |
Source: | File created: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | File read: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | Static file information: |
Source: | File opened: |
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Extra Window Memory Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
Initial sample | 44% | Virustotal | |
Initial sample | 37% | ReversingLabs | Document-Word.Trojan.MacroLess |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 406072 |
Start date: | 06.05.2021 |
Start time: | 17:48:35 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Giam Gia Dien dich Covid-19.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal48.winDOCX@1/11@0/0 |
Cookbook Comments: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 463122 |
Entropy (8bit): | 7.941005620963689 |
Encrypted: | false |
SSDEEP: | 12288:guWH4ewApn1KVgYW4MuQPMMvoIcqSKNOOTH/L1PVd:DWOu0VDWV+hqSKNZH/p |
MD5: | 8DC6D650D41EF0AEE460EA408CFFB095 |
SHA1: | 519D87A644B924FF2843E56E76516000C1C58D03 |
SHA-256: | 3E6B27C4EF54DAEDBEB5364CC83CD0B311145D22F6FFCAB803846116E2E89FC3 |
SHA-512: | 6D23FC0478F6869198180FF70B6AEBDE815FD3133FFBDB3A853D618884E95FB5B01AE11CC4F9490AF88BBA261130A11A2CF677FC087C1354B32726C56239799E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 179149 |
Entropy (8bit): | 7.498989359361687 |
Encrypted: | false |
SSDEEP: | 3072:InZv8DVPECilPPurliFX4zeqyFswxmLNv/Ovlf6r:IiDVcCixmkdywg4k |
MD5: | CCF44CB88060891D72824C85263B8593 |
SHA1: | E3F073A33F58ED9A8D30FE5B40C1562B63525549 |
SHA-256: | A4CF4B260533B8C2E0BB48CC238E3911814C9D2A66D717F027FE7ED84F3E6CD6 |
SHA-512: | 0C1EB2059BBEEA8544A8383222E629C9BB6DF033814EB67E8BCA1049220454C91546A1B20B2808676E34573225204A120C359B2B6888818AEE6F8EEAAA86BEAD |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 397176 |
Entropy (8bit): | 7.917524851464137 |
Encrypted: | false |
SSDEEP: | 12288:z3cKJJb9zQkrtlQ3pWcESs5tKvE1kylf6+Aa:tJVHOWcCtThlfaa |
MD5: | A932FCE967C7DC635C60325088BE2BC5 |
SHA1: | 7AED834D295BDD62F487DE5834A1CD118434E669 |
SHA-256: | 7EA75C8EC7C814267F116DE05F0C56E7228E6BECF1F245B8FFEC78C6520E3D85 |
SHA-512: | ADF8F7F5A96699562AEC022883E706543BD676C530455AC0B0852A276E486E09F1EB5D3F7BFAF57966AB531C068D573E0AF5AAF983C71FCC172975703F57DCC5 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 3144 |
Entropy (8bit): | 3.311868019564163 |
Encrypted: | false |
SSDEEP: | 48:I4lUlRNkJahZeIpcagcanTCcyf5kdadahAaaWTXPe:/mvNkJa2IpcagcanTCcG5kdadahAaao2 |
MD5: | A979A38409D7EDE79660F1B6E872B754 |
SHA1: | 6739A730BB31DA293A469FD0F76B70381DFE2EC7 |
SHA-256: | FD656B998E0D1EEF0F952FE422EE943EB30B32F1770646254E9511033E0DBA3C |
SHA-512: | 3E54498415D129D784C812C0759BB1C8D231117264C0E5AB9858344F867F28DF9F02FCC0F54D305A3501B9329DB33E4127F757E9A033047D91A1B4816DCA4E30 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.3586208805849453 |
Encrypted: | false |
SSDEEP: | 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbO:IiiiiiiiiifdLloZQc8++lsJe1Mzh |
MD5: | 7CFD3634C8D02EF244D1B820D25997A8 |
SHA1: | FA12C6DAA2C16BD453746A6499866A5FDF02FB98 |
SHA-256: | F73B40163166405E70CE534C02409A96983CFDE4F30F121C2495B09152DB34E2 |
SHA-512: | 80E008560E0383F43AE10E47E44E178E2F1AD9379BD0CCC08DB75DB9F9A13125DF65F98A4D7E2D2528C10BA7D1724EA7E43EA72522DB5F73D9A5EF899DE4557D |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.46639096299572214 |
Encrypted: | false |
SSDEEP: | 3:9l99lDKllllzNPJQ7ZlhQteolllzN+t7ZlhQtu:Q//nQ7ZUtDl/Et7ZUtu |
MD5: | 838749859FE611E154A7D4CB5ADB0766 |
SHA1: | 75A019A743744CBACBACC59A9D2EEA908A22F888 |
SHA-256: | 74DC12DFF6C772D97A23E60457906F00B353C090AAAF051B630B14C2A2680E49 |
SHA-512: | BD6A531C1A308BD9517B1B41E5D219639B2DB0161215D73A57BD2E61A1F61FED85D83BF5A38FADA47C03896D51F98A948AFC72DE6DC7770A4BF089E2BDA33E06 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2208 |
Entropy (8bit): | 4.59498168731805 |
Encrypted: | false |
SSDEEP: | 24:8JH/XTm6GreVYePiDv3qodM7dD2JH/XTm6GreVYePiDv3qodM7dV:81/XTFGqKWRoQh21/XTFGqKWRoQ/ |
MD5: | FBF42810DD794888C3A101311B2AE83B |
SHA1: | 3827C541DA4F3BA3DAA2C0E1293089EA3D9B8527 |
SHA-256: | F4089CD28CC56808CBB1BF24A7D2E909F55E99AA7F1DE81756F3DDA02899E135 |
SHA-512: | EA227B4506386C440A129346CAD5B6B10B7502140F33963E3C7B04190A1F21FE0653A8D58565269D434EFCD07EF3C7C6884B4028F9F600C943E084C78D2B25F4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 121 |
Entropy (8bit): | 4.542396251693991 |
Encrypted: | false |
SSDEEP: | 3:HpWsaKtX9icA4o6yhsaKtX9icA4omxWpWsaKtX9icA4ov:HpZaKtX9/faKtX9/aZaKtX9/y |
MD5: | A6A003D8A638AAD4B0740F87E1B11870 |
SHA1: | 892CB43317BE13499D66ECA7E4A23FC4582B773E |
SHA-256: | D2652ED72E15F5B44F02F36965CCEC9D59ADAB83EB71841B930741268FD7250D |
SHA-512: | A51C9327D4D1C48FD77B2F9FF9F4A124C709E06ADA54054C32DC859E1B71E78FF7B736BD714BD8F857A5BC180820E35F3B972629CE06760CDC407D187D5828A2 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.986899031192039 |
TrID: |
File name: | Giam Gia Dien dich Covid-19.docx |
File size: | 3831871 |
MD5: | 3a5ea4602985f1db670f166e111aefd2 |
SHA1: | 165975dd8d3965068f3dc0a2c5b512e5e6a9de1f |
SHA256: | 3d63156060c7568b2c3065820f698fdadb6e48910ec82593a61c306c13f5692c |
SHA512: | cae1180e5a8cc0dae9d4c9c78d4fe2a6c12e229c8ce8db2eb581dee86348aa367176fd48f27e8b34a6308a8f00699b50d6190b32e5b06d64c5432bbbdb54e8ae |
SSDEEP: | 98304:JoycO1vLPTvgX9l3N6+lsNy93RcY0W7/iJg8:Joqvz8XL3N6gsU9aY0Wcd |
File Content Preview: | PK..........!....F............[Content_Types].xml ...( |
File Icon |
---|
Icon Hash: | e4e6a2a2a4b4b4a4 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
System Behavior |
---|
General |
---|
Start time: | 17:49:34 |
Start date: | 06/05/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fa70000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|