
Windows Analysis Report order_07.21.doc

Overview

General Information

Sample Name: order_07.21.doc
Analysis ID: 452438
MD5: 401b19c454075d52bd832725f3c22cfe
SHA1: 088f76c184a0cba673abc41bd5582e4e21672fdd
SHA256: 6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Register DLL with spoofed extension
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Classification