Windows Analysis Report instruct_11.21.doc.docm

Overview

General Information

Sample Name:	instruct_11.21.doc.docm
Analysis ID:	520837
MD5:	a9490d94cf547e27dcc0d52dc72e74e7
SHA1:	a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256:	ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
Tags:	docmaldocsansiscvba
Infos:
Most interesting Screenshot:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Document contains an embedded VBA macro which may execute processes

Sigma detected: Suspicious MSHTA Process Patterns

Machine Learning detection for sample

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Document has an unknown application name

May sleep (evasive loops) to hinder dynamic analysis

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Internet Provider seen in connection with other malware

Document contains an embedded VBA macro which executes code when the document is opened / closed

Potential document exploit detected (performs DNS queries)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Document contains no OLE stream with summary information

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: instruct_11.21.doc.docm	Virustotal: Detection: 49%			Perma Link
Source: instruct_11.21.doc.docm	ReversingLabs: Detection: 43%

Antivirus detection for URL or domain

Source: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: shoulderelliottd.com

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: instruct_11.21.doc.docm

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\explorer.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: shoulderelliottd.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.144:80

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.144:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ZEISS-ASRU ZEISS-ASRU

Source: mshta.exe, 00000004.00000002.471762620.0000000006324000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.471762620.0000000006324000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000002.00000002.413158849.0000000001C10000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.413604612.0000000001E00000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000004.00000003.468746419.0000000005EF0000.00000004.00000040.sdmp	String found in binary or memory: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000002.00000002.413158849.0000000001C10000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.413604612.0000000001E00000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{243B81DF-B272-4B3E-92C5-997100EFB3D7}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: shoulderelliottd.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" L O Page: I of I I Word
Source: Screenshot number: 4	Screenshot OCR: Enable content" L O Page: I of I I Words: 116 I US I N@m 13 ;a 10096 G) FI G) ,, ' u .g',' lm

Document contains an embedded VBA macro which may execute processes

Source: instruct_11.21.doc.docm

OLE, VBA macro line: dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad

Document contains an embedded VBA macro with suspicious strings

Source: instruct_11.21.doc.docm

OLE, VBA macro line: Set dowYouKarol = CreateObject("wscript.shell")

Document has an unknown application name

Source: instruct_11.21.doc.docm	OLE indicator application name: unknown
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE indicator application name: unknown

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: instruct_11.21.doc.docm

OLE, VBA macro line: Sub document_open()

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Document contains no OLE stream with summary information

Source: instruct_11.21.doc.docm	OLE indicator has summary info: false
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE indicator has summary info: false

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document contains embedded VBA macros

Source: instruct_11.21.doc.docm

OLE indicator, VBA macros: true

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: instruct_11.21.doc.docm	Virustotal: Detection: 49%
Source: instruct_11.21.doc.docm	ReversingLabs: Detection: 43%

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$struct_11.21.doc.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD97C.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.expl.winDOCM@6/16@1/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: instruct_11.21.doc.docm	OLE document summary: title field not present or empty
Source: instruct_11.21.doc.docm	OLE document summary: edited time not present or 0
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: instruct_11.21.doc.docm

Initial sample: OLE summary keywords = ath.txeNwoPwop\cilbup\sresu\:c

Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1176	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1176	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2684	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 308	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000003.00000003.412780793.000000000014C000.00000004.00000001.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\mshta.exe

Memory protected: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.62.42.144	shoulderelliottd.com	Russian Federation		34464	ZEISS-ASRU	true

Contacted Domains

Name	IP	Active
shoulderelliottd.com	194.62.42.144	true

AV Detection:

Multi AV Scanner detection for submitted file

Source: instruct_11.21.doc.docm	Virustotal: Detection: 49%			Perma Link
Source: instruct_11.21.doc.docm	ReversingLabs: Detection: 43%

Antivirus detection for URL or domain

Source: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: shoulderelliottd.com

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: instruct_11.21.doc.docm

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\explorer.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: shoulderelliottd.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.144:80

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.144:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ZEISS-ASRU ZEISS-ASRU

Source: mshta.exe, 00000004.00000002.471762620.0000000006324000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.471762620.0000000006324000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000002.00000002.413158849.0000000001C10000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.413604612.0000000001E00000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000004.00000003.468746419.0000000005EF0000.00000004.00000040.sdmp	String found in binary or memory: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000002.00000002.413158849.0000000001C10000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.413604612.0000000001E00000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000004.00000002.470284845.00000000037B7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{243B81DF-B272-4B3E-92C5-997100EFB3D7}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: shoulderelliottd.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" L O Page: I of I I Word
Source: Screenshot number: 4	Screenshot OCR: Enable content" L O Page: I of I I Words: 116 I US I N@m 13 ;a 10096 G) FI G) ,, ' u .g',' lm

Document contains an embedded VBA macro which may execute processes

Source: instruct_11.21.doc.docm

OLE, VBA macro line: dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad

Document contains an embedded VBA macro with suspicious strings

Source: instruct_11.21.doc.docm

OLE, VBA macro line: Set dowYouKarol = CreateObject("wscript.shell")

Document has an unknown application name

Source: instruct_11.21.doc.docm	OLE indicator application name: unknown
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE indicator application name: unknown

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: instruct_11.21.doc.docm

OLE, VBA macro line: Sub document_open()

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Document contains no OLE stream with summary information

Source: instruct_11.21.doc.docm	OLE indicator has summary info: false
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE indicator has summary info: false

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document contains embedded VBA macros

Source: instruct_11.21.doc.docm

OLE indicator, VBA macros: true

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: instruct_11.21.doc.docm	Virustotal: Detection: 49%
Source: instruct_11.21.doc.docm	ReversingLabs: Detection: 43%

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$struct_11.21.doc.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD97C.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.expl.winDOCM@6/16@1/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: mshta.exe, 00000004.00000002.470135401.00000000035D0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: instruct_11.21.doc.docm	OLE document summary: title field not present or empty
Source: instruct_11.21.doc.docm	OLE document summary: edited time not present or 0
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: instruct_11.21.doc.docm

Initial sample: OLE summary keywords = ath.txeNwoPwop\cilbup\sresu\:c

Source: ~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1176	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1176	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2684	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 308	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000003.00000003.412780793.000000000014C000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\mshta.exe

Memory protected: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	520837
Product:	CloudBasic
Start time:	21:18:33
Start date:	12.11.2021
Sample:	instruct_11.21.doc.docm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a9490d94cf547e27dcc0d52dc72e74e7
SHA1:	a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256:	ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
Filetype:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\warning[1]	GIF image data, version 89a, 36 x 38	124A9E7B6976F7570134B7034EE28D2B	E889BFC2A2E57491016B05DB966FC6297A174F55	5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\error[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	B9BEC45642FF7A2588DC6CB4131EA833	4D150A53276C9B72457AE35320187A3C45F2F021	B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\error[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	16AA7C3BEBF9C1B84C9EE07666E3207F	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B185F38B.gif	GIF image data, version 89a, 774 x 198	76DA3E2154587DD3D69A81FCDB0C7364	0F23E27B3A456B22A11D3FBC3132397B0DDC9357	F9299AB3483A8F729B2ACA2111B46E9952D4491AC66124FEC22C1C789EBC3139
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{54E91E67-388A-4A0C-84FA-B0F79F296DD3}.tmp	Composite Document File V2 Document, Cannot read section info	323E9246AFCBA8C21E774047CC81C04F	8FAF9515396E488653F701D1772C385C031F0D2D	2D583EDB0A65E385529729AE3A9F8B53F0341C69E6303AEC354DCB7DD5C91D60
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{243B81DF-B272-4B3E-92C5-997100EFB3D7}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{801FE4EE-0936-4464-ADE9-FBC9646826E4}.tmp	data	DEDC6320F5E8B7E7877C43BB5618EA55	2143954452A74AA00B077664B82544E1DAA51AC2	37EDEA11F289D8863015712C82ADF36A17584793B49D6222F70D4BD0B9DF8A8C
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Jul 14 02:20:08 2009, mtime=Sat Nov 13 04:19:19 2021, atime=Sat Nov 13 04:19:19 2021, length=4096, window=hide	F2942107F46F0AC879802626FD3CF96C	A3131CA267F9CE36063D36F7CE19A5E6D6446931	FFB5DDDF55F64BC01442B745B4EC622449E65E58F1BD451D7D4D6A71E89C817B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	82F13A5A135511405BAA26408509C708	6ACBF5652F9A7735E8EF40DFA3B2511AB8CADD99	FE50645E8F45D4FDA888CA2CED1DFC0177DF03AE6F4AF64904B38FF61BE5FCAC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\instruct_11.21.doc.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Sat Nov 13 04:19:15 2021, length=34817, window=hide	C871D7E92C9CF7FA6C9CBA6677348C54	431F808CEAFF80A5DD981D7BE212A3399CE46B7D	F6DF5B82021060D1D7BFCE30171B88FE24CFEF1B3A59F7715310EDAAC69C3BF1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\powPowNext.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 13 04:19:19 2021, mtime=Sat Nov 13 04:19:19 2021, atime=Sat Nov 13 04:19:19 2021, length=3346, window=hide	1C058852EC0794DE5D513871B5E22A82	D52C52370A82FE6680663E1328D6291C5568EDD2	90EF71EF566B1DC32FD57272EBE33AD6D5B03185F70FA03665D159E904D4BDBC
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	6525B5171CE36A6D7EDB3E4DFD5CB579	70AFC3864539BCF8F1C4CD336F6096534A6268FA	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
C:\Users\user\Desktop\~$struct_11.21.doc.docm	data	6525B5171CE36A6D7EDB3E4DFD5CB579	70AFC3864539BCF8F1C4CD336F6096534A6268FA	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
C:\Users\Public\~$wPowNext.hta	data	6525B5171CE36A6D7EDB3E4DFD5CB579	70AFC3864539BCF8F1C4CD336F6096534A6268FA	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
C:\Users\Public\~WRD0000.tmp	HTML document, ASCII text, with very long lines, with CRLF line terminators	FA2B89027304712FB8366C1F6B4F2827	6F851332C08998D25D839112A5C9D3CA8E57FCC0	6E1338E07405A9B14DB254B9769767EA824CF3AC1C8DFECB3513E95135ECEAEE
C:\users\public\powPowNext.hta (copy)	HTML document, ASCII text, with very long lines, with CRLF line terminators	FA2B89027304712FB8366C1F6B4F2827	6F851332C08998D25D839112A5C9D3CA8E57FCC0	6E1338E07405A9B14DB254B9769767EA824CF3AC1C8DFECB3513E95135ECEAEE

Windows Analysis Report instruct_11.21.doc.docm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains