Windows Analysis Report instruct_11.21.doc.vir

Overview

General Information

Sample Name:	instruct_11.21.doc.vir (renamed file extension from vir to docm)
Analysis ID:	520837
MD5:	a9490d94cf547e27dcc0d52dc72e74e7
SHA1:	a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256:	ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
Tags:	docmaldocsansiscvba
Infos:
Most interesting Screenshot:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Sigma detected: Suspicious MSHTA Process Patterns

Document exploit detected (process start blacklist hit)

Machine Learning detection for sample

Document contains no OLE stream with summary information

Queries the volume information (name, serial number etc) of a device

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Document has an unknown application name

May sleep (evasive loops) to hinder dynamic analysis

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Internet Provider seen in connection with other malware

Creates a window with clipboard capturing capabilities

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Potential document exploit detected (performs DNS queries)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: instruct_11.21.doc.docm

Virustotal: Detection: 49%

Perma Link

Antivirus detection for URL or domain

Source: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: shoulderelliottd.com

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: instruct_11.21.doc.docm

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\explorer.exe

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 194.62.42.144:80

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: shoulderelliottd.com

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 194.62.42.144:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ZEISS-ASRU ZEISS-ASRU

Source: mshta.exe, 00000003.00000002.474416428.00000000065D0000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000003.00000002.474416428.00000000065D0000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000001.00000002.410504275.0000000001CC0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.411364891.0000000001DF0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000003.00000003.472292632.0000000005B00000.00000004.00000040.sdmp	String found in binary or memory: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000001.00000002.410504275.0000000001CC0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.411364891.0000000001DF0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A92381E7-919A-4DD3-B53A-282AF29674DF}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: shoulderelliottd.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Document contains an embedded VBA macro which may execute processes

Source: instruct_11.21.doc.docm	OLE, VBA macro line: dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function s, API IWshShell3.exec("c:\windows\explorer c:\users\public\powPowNext.hta")			Name: s

Document contains an embedded VBA macro with suspicious strings

Source: instruct_11.21.doc.docm	OLE, VBA macro line: Set dowYouKarol = CreateObject("wscript.shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function s, String wscript: Set dowYouKarol = CreateObject("wscript.shell")			Name: s

Document contains no OLE stream with summary information

Source: instruct_11.21.doc.docm

OLE indicator has summary info: false

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document has an unknown application name

Source: instruct_11.21.doc.docm

OLE indicator application name: unknown

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: instruct_11.21.doc.docm	OLE, VBA macro line: Sub document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function document_open			Name: document_open

Document contains embedded VBA macros

Source: instruct_11.21.doc.docm

OLE indicator, VBA macros: true

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: instruct_11.21.doc.docm

Virustotal: Detection: 49%

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$struct_11.21.doc.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1EE.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.expl.winDOCM@6/16@1/1

Source: instruct_11.21.doc.docm	OLE document summary: title field not present or empty
Source: instruct_11.21.doc.docm	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: instruct_11.21.doc.docm

Initial sample: OLE summary keywords = ath.txeNwoPwop\cilbup\sresu\:c

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 2032	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2032	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2712	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 2808	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000002.00000003.408701243.000000000029B000.00000004.00000001.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\mshta.exe

Memory protected: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.62.42.144	shoulderelliottd.com	Russian Federation		34464	ZEISS-ASRU	true

Contacted Domains

Name	IP	Active
shoulderelliottd.com	194.62.42.144	true

ID:	520837
Product:	CloudBasic
Start time:	20:59:09
Start date:	12.11.2021
Sample:	instruct_11.21.doc.vir
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a9490d94cf547e27dcc0d52dc72e74e7
SHA1:	a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256:	ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
Filetype:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\warning[1]	GIF image data, version 89a, 36 x 38	124A9E7B6976F7570134B7034EE28D2B	E889BFC2A2E57491016B05DB966FC6297A174F55	5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\error[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	B9BEC45642FF7A2588DC6CB4131EA833	4D150A53276C9B72457AE35320187A3C45F2F021	B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\error[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	16AA7C3BEBF9C1B84C9EE07666E3207F	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6D3C2DB.gif	GIF image data, version 89a, 774 x 198	76DA3E2154587DD3D69A81FCDB0C7364	0F23E27B3A456B22A11D3FBC3132397B0DDC9357	F9299AB3483A8F729B2ACA2111B46E9952D4491AC66124FEC22C1C789EBC3139
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{21724630-2B33-445C-A10E-E71E570B535F}.tmp	data	BB7DF04E1B0A2570657527A7E108AE23	5188431849B4613152FD7BDBA6A3FF0A4FD6424B	C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{70B53CFD-265E-4516-AFB0-C6E692CB3FB3}.tmp	data	DEDC6320F5E8B7E7877C43BB5618EA55	2143954452A74AA00B077664B82544E1DAA51AC2	37EDEA11F289D8863015712C82ADF36A17584793B49D6222F70D4BD0B9DF8A8C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A92381E7-919A-4DD3-B53A-282AF29674DF}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Jul 14 02:20:08 2009, mtime=Sat Nov 13 03:59:17 2021, atime=Sat Nov 13 03:59:17 2021, length=4096, window=hide	93F8A45E3472E5F7514DA0EF25F8F055	209FE7ABFBC89A7A8D6AF5F5779FC2804157E60B	512B4C0922646E72952A13EC8F58A27523092A544D76AB2DDA9A44B131632076
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	82F13A5A135511405BAA26408509C708	6ACBF5652F9A7735E8EF40DFA3B2511AB8CADD99	FE50645E8F45D4FDA888CA2CED1DFC0177DF03AE6F4AF64904B38FF61BE5FCAC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\instruct_11.21.doc.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 13 03:59:11 2021, mtime=Sat Nov 13 03:59:11 2021, atime=Sat Nov 13 03:59:14 2021, length=33868, window=hide	E9B072419973F3B09018315D865DBBFD	D328641778DF7C68B26345E8E6F35E013FA0870B	E250AF50A9BCAA25F9D9E24B759D07C2933D5577A4058B638AD651594A6C8B16
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\powPowNext.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 13 03:59:17 2021, mtime=Sat Nov 13 03:59:17 2021, atime=Sat Nov 13 03:59:17 2021, length=3346, window=hide	56236162301D67A48C4F79FAB69C01E2	AB9D7274C770E2743BB5E8C6F536D4EB510740FC	F1F1206C4E20D2D50D79A988A1099FDBF12DAD8218E118CE6DA47682AAE7C413
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\Desktop\~$struct_11.21.doc.docm	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\Public\~$wPowNext.hta	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\Public\~WRD0000.tmp	HTML document, ASCII text, with very long lines, with CRLF line terminators	FA2B89027304712FB8366C1F6B4F2827	6F851332C08998D25D839112A5C9D3CA8E57FCC0	6E1338E07405A9B14DB254B9769767EA824CF3AC1C8DFECB3513E95135ECEAEE
C:\users\public\powPowNext.hta (copy)	HTML document, ASCII text, with very long lines, with CRLF line terminators	FA2B89027304712FB8366C1F6B4F2827	6F851332C08998D25D839112A5C9D3CA8E57FCC0	6E1338E07405A9B14DB254B9769767EA824CF3AC1C8DFECB3513E95135ECEAEE

Windows Analysis Report instruct_11.21.doc.vir

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains