Loading ...

Play interactive tourEdit tour

Windows Analysis Report Users-Progress-072021-1.doc

Overview

General Information

Sample Name:Users-Progress-072021-1.doc
Analysis ID:446523
MD5:d60b6a8310373c9b84e6760c24185535
SHA1:6b1da5e0ecda14512369a7201982a6bc13b33700
SHA256:ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37
Infos:

Most interesting Screenshot:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded macro with GUI obfuscation
Machine Learning detection for sample
Opens network shares
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1984 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Users-Progress-072021-1.docSUSP_EnableContent_String_GenDetects suspicious string that asks to enable active content in Office DocFlorian Roth
  • 0x322c:$e3: Enable editing
  • 0x328c:$e3: Enable editing
  • 0x32d5:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Machine Learning detection for sampleShow sources
Source: Users-Progress-072021-1.docJoe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47DFF116-6281-436E-ADD1-2266A057AE87}.tmpJump to behavior

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 8Screenshot OCR: Enable editing" at the top in the yellow bar, and then click 'Enable content' ii: ^ Introducing
Source: Screenshot number: 8Screenshot OCR: Enable content' ii: ^ Introducing Windows 11 Wncjow$ 11 brings you ckjsec to what you We ",
Source: Document image extraction number: 0Screenshot OCR: Enable editing" at the top in the yellow bar, and then click "Enable content" Introducing Windows
Source: Document image extraction number: 0Screenshot OCR: Enable content" Introducing Windows 11 Windows 11 brings you closer to what you love ,,[,"d Life
Source: Document image extraction number: 1Screenshot OCR: Enable editing" at the top in the yellow bar, and then click 'Enable content' Introducing Windows
Source: Document image extraction number: 1Screenshot OCR: Enable content' Introducing Windows 11 W'ncXym; 7 t)rngs you c:\crm :O wm: you tow-' ", S;
Document contains an embedded VBA macro which may execute processesShow sources
Source: Users-Progress-072021-1.docOLE, VBA macro line: Private Declare PtrSafe Function U0R2xawbzZ Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: Users-Progress-072021-1.docOLE, VBA macro line: Private Declare PtrSafe Function U0R2xawbzZ Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Source: Users-Progress-072021-1.docOLE, VBA macro line: If InStr(1, GLzwfs((3 * 2 + 6)), CStr(fUw6wOUdgh.OSLanguage)) > (8 * 8 - 64) Then Call me2XKr
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function zH0Xx, String .oslanguage: If InStr(1, GLzwfs((3 * 2 + 6)), CStr(fUw6wOUdgh.OSLanguage)) > (8 * 8 - 64) Then
Document contains an embedded VBA with functions possibly related to ADO stream file operationsShow sources
Source: Users-Progress-072021-1.docStream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions mode, position, open, read, write
Document contains an embedded VBA with functions possibly related to HTTP operationsShow sources
Source: Users-Progress-072021-1.docStream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, status, open, send
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)Show sources
Source: Users-Progress-072021-1.docStream path 'Macros/VBA/ThisDocument' : found possibly 'WScript.Shell' functions exec, regread, run
Document contains an embedded macro with GUI obfuscationShow sources
Source: Users-Progress-072021-1.docStream path 'ObjectPool/_1687197129/\x1Ole10Native' : Found suspicious string activexobject in non macro stream
Source: Users-Progress-072021-1.docOLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open
Source: Users-Progress-072021-1.docOLE indicator, VBA macros: true
Source: Users-Progress-072021-1.doc, type: SAMPLEMatched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: classification engineClassification label: mal84.spyw.expl.evad.winDOC@1/14@0/0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$ers-Progress-072021-1.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC957.tmpJump to behavior
Source: Users-Progress-072021-1.docOLE indicator, Word Document stream: true
Source: Users-Progress-072021-1.docOLE document summary: title field not present or empty
Source: Users-Progress-072021-1.docOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: Users-Progress-072021-1.docStatic file information: File size 2499072 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: Users-Progress-072021-1.docStream path 'Data' entropy: 7.98840647288 (max. 8.0)

Stealing of Sensitive Information:

barindex
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \\NHPKIZU*\MAILSLOT\NET\NETLOGON
Opens network sharesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \\NHPKIZU*\MAILSLOT\NET\NETLOGON

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting62Path InterceptionPath InterceptionMasquerading1OS Credential DumpingNetwork Share Discovery2Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Scripting62Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.