Windows Analysis Report sample.doc.vir

Overview

General Information

Sample Name: sample.doc.vir (renamed file extension from vir to doc)
Analysis ID: 528758
MD5: 6be56f977b6692fb6ce5f94e110664e3
SHA1: f4d5ce35c656e0f156a2ced453a964faabef09fb
SHA256: ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519
Tags: docxvir

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MalDoc
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Yara detected Powershell download and execute
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains OLE streams with names of living off the land binaries
Sigma detected: Change PowerShell Policies to a Unsecure Level
Document contains an embedded VBA with base64 encoded strings
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware