Edit tour

Windows Analysis Report
Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Overview

General Information

Sample Name:	Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc
Analysis ID:	581989
MD5:	08b06c35612aa766211a217f2dfafbd5
SHA1:	695e32fa43d9e2aee8a3cf49d69e495237818207
SHA256:	abcaacb83b6dab3f55e6db5f48928b562da2e2d87e67b4267342e1c05dfc89a8
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2548 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{05321645-6541-494A-9CAF-CDF206BEB341}.tmp

Jump to behavior

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

OLE indicator, ObjectPool: true

Source: ~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD8FF.tmp

Jump to behavior

Source: classification engine

Classification label: clean1.winDOC@1/8@0/0

Source: ~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$edit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Initial sample: OLE summary template = Professional Memo

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Initial sample: OLE summary lastprinted = 2022-02-23 17:25:00

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Initial sample: OLE document summary bytes = 46592

Source: Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	581989
Start date:	02.03.2022
Start time:	21:38:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.winDOC@1/8@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	3.3987793966196556
Encrypted:	false
SSDEEP:	768:NE0iyR3CjNE0iyR3CjNE0iyR3Cj4rO80+irO80+irO80+:ZiaCtiaCtiaCb+h+h+
MD5:	9BDE7B7F966C29FAA52AC8D4CCC0AB96
SHA1:	D54034F995E7156518E50A89FDAC129B33815E80
SHA-256:	DE2ED6A15DE0C6F0C210B37C61881B3A8708449388D74A745CE3837E4485A359
SHA-512:	170D9CFEF09156C523E16A0D9643251946247559DD87B98D7999E777E0D5AC45937F5EB4250B50C33D17E53B5300F640E368F631AC0A8D2859BD39B81896C89B
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{05321645-6541-494A-9CAF-CDF206BEB341}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8E68413022F2DE5B.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Thu Mar 3 04:39:15 2022, length=201216, window=hide
Category:	dropped
Size (bytes):	1389
Entropy (8bit):	4.536102341958585
Encrypted:	false
SSDEEP:	24:8pYiP/XTuzLIi4Z1dcN4D7eisObA2X1dcN4D1Dv3qGniQd7Qy:8ZP/XTkaZM07pbA2XM0EGiUj
MD5:	4A8E436E8DA07B9423E244E30F22737F
SHA1:	3D7DC70403C5DDE2FD09F443C34840C91970D67D
SHA-256:	442C96C6C5B7CF349545BD9408126B51ECE335B353033E42EE0A32D257FDC3B1
SHA-512:	4E587616EF7557FED1AAAD0D7CA814B613F578ABE841C0B482ABD350A3B2352014A5297B96DFE046C82D80F199184ACD9648FC177DF14581B65679C769A99BD3
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...?0.>...?0.>....,..............................e....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....cT., .CREDIT~1.DOC..........S...S...........................C.r.e.d.i.t. .R.e.f. .V.e.r.i.f.y. .-. .A.m.e.r.i.c.a.n. .S.t.a.t.e.s. .U.t.i.l.i.t.y. .S.e.r.v.i.c.e. .f.o.r. .N.a.t.i.o.n.a.l. .S.t.o.r.m.w.a.t.e.r. .T.r.u.s.t. .I.n.c...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\141700\Users.user\Desktop\Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc.p.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.r.e.d.i.t. .R.e.f. .V.e.r.i.f.y. .-. .A.m.e.r.i.c.a.n. .S.t.a.t.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	4.744400811065283
Encrypted:	false
SSDEEP:	6:bCCQSFAy7wFEQNA2vegFrSFAy7wFEQNA2veg1:bCiZwmQNA2lFYZwmQNA2l1
MD5:	5605F60055131D415A91AFE264ACA486
SHA1:	D8261663AB0AAFF1B267F01D2EC7192E39E23C48
SHA-256:	246A91524CF2D3FFDEDDE44C86519F9D8B00C9D90BA848CB50957BEFB8581F85
SHA-512:	4F85BA246DCDC4C9FB21D084716D19D19CA5807F7DD44906768512127D9AC675D4C5EF7C32F60971EF8AD96D8E590FA6586FAC005DD7D323898EA8C241B0570F
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.LNK=0..[doc]..Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
MD5:	6462452E1083FFF3724A32DC01771E8B
SHA1:	244116899824E727C5C399064F004C71D88F7254
SHA-256:	869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
SHA-512:	303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\Desktop\~$edit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
MD5:	6462452E1083FFF3724A32DC01771E8B
SHA1:	244116899824E727C5C399064F004C71D88F7254
SHA-256:	869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
SHA-512:	303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Professional Memo, Author: Robert A. Whritenour, Template: Professional Memo, Last Saved By: Harriet Morris-Molloy, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Last Printed: Wed Feb 23 17:25:00 2022, Create Time/Date: Wed Mar 2 19:46:00 2022, Last Saved Time/Date: Wed Mar 2 19:51:00 2022, Number of Pages: 1, Number of Words: 152, Number of Characters: 871, Security: 0
Entropy (8bit):	4.3820695248638515
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc
File size:	201216
MD5:	08b06c35612aa766211a217f2dfafbd5
SHA1:	695e32fa43d9e2aee8a3cf49d69e495237818207
SHA256:	abcaacb83b6dab3f55e6db5f48928b562da2e2d87e67b4267342e1c05dfc89a8
SHA512:	0ecdf562808452f7c7064cba78cbcdcd204b891113b1b38fc31152e81728a8de27070884e28a5ea2ea95e741fa903e6afbf8e01b9a452ff8a92642714a460120
SSDEEP:	1536:DuQQQQQgiaCtiaCtiaCb+h+h+nN18sHtjS4xrt:DuQQQQQtXAXAXb+h+h+Nmspx
File Content Preview:	........................>...............................................................b......................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	True
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1252
Title:	Professional Memo
Subject:
Author:	Robert A. Whritenour
Keywords:
Template:	Professional Memo
Last Saved By:	Harriet Morris-Molloy
Revion Number:	4
Total Edit Time:	360
Last Printed:	2022-02-23 17:25:00
Create Time:	2022-03-02 19:46:00
Last Saved Time:	2022-03-02 19:51:00
Number of Pages:	1
Number of Words:	152
Number of Characters:	871
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Bytes:	46592
Number of Lines:	7
Number of Paragraphs:	2
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 624

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	624
Entropy:	3.35289411236
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . L . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 4c 01 00 00 08 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 0f 00 00 00 78 00 00 00 04 00 00 00 84 00 00 00 05 00 00 00 8c 00 00 00 06 00 00 00 94 00 00 00 11 00 00 00 9c 00 00 00 17 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 468

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	468
Entropy:	3.76809440063
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . T . . . . . . . ` . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P r o f e s s i o n a l M e m o . . . . . . . . . . . . . . . . . . . . . . . R o b e r t A
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a4 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 b4 00 00 00 04 00 00 00 c0 00 00 00 05 00 00 00 e0 00 00 00 07 00 00 00 ec 00 00 00 08 00 00 00 08 01 00 00 09 00 00 00 28 01 00 00 12 00 00 00 34 01 00 00

Stream Path: 1Table, File Type: dBase III DBT, version number 0, next free block index 3737106, Stream Size: 17958

General
Stream Path:	1Table
File Type:	dBase III DBT, version number 0, next free block index 3737106
Stream Size:	17958
Entropy:	5.15749056356
Base64 Encoded:	True
Data ASCII:	. . 9 . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	12 06 39 00 12 00 01 00 78 01 0f 00 07 00 00 00 00 00 00 00 00 00 04 00 08 00 00 00 08 00 00 00 08 00 00 00 08 00 00 00 08 00 00 00 08 00 00 00 0e 00 00 00 0e 00 00 00 0e 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Data, File Type: data, Stream Size: 17322

General
Stream Path:	Data
File Type:	data
Stream Size:	17322
Entropy:	7.27425978769
Base64 Encoded:	False
Data ASCII:	E C . . D . d . . . . . . . . . . . . . . . . . . . . . . ' . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . # . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . b . . . . B . . . . . % Q . . > . z . } v z ( * . . . . B . . . . . . D . . . . . . . . n . . . B . . . % Q . . > . z . } v z ( * . . . P N G . . . . . . . . I H D R . . . H . . . . . . . . . . . ' p . . . . s R G B . . . . . . . . . p H Y s . . . . . . . . .
Data Raw:	45 43 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 27 cd 0d 60 02 19 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 30 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 23 00 0b f0 0c 00 00 00 04 41 01 00 00 00 ff 01 00 00 08 00 00 00 10 f0 04 00 00 00 00 00 00 80 62 00 07 f0

Stream Path: ObjectPool/_1064645219/\x1CompObj, File Type: data, Stream Size: 102

General
Stream Path:	ObjectPool/_1064645219/\x1CompObj
File Type:	data
Stream Size:	102
Entropy:	3.62482561758
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A d o b e P h o t o s h o p I m a g e . . . . . A d o b e P h o t o D e l u x e I m a g e . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 00 00 41 64 6f 62 65 20 50 68 6f 74 6f 73 68 6f 70 20 49 6d 61 67 65 00 18 00 00 00 41 64 6f 62 65 20 50 68 6f 74 6f 44 65 6c 75 78 65 20 49 6d 61 67 65 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1064645219/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1064645219/\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.568995593589
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1064645219/\x3ObjInfo, File Type: data, Stream Size: 4

General
Stream Path:	ObjectPool/_1064645219/\x3ObjInfo
File Type:	data
Stream Size:	4
Entropy:	0.811278124459
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

Stream Path: ObjectPool/_1064645219/CONTENTS, File Type: Adobe Photoshop Image, 1352 x 471, RGB, 3x 8-bit channels, Stream Size: 150157

General
Stream Path:	ObjectPool/_1064645219/CONTENTS
File Type:	Adobe Photoshop Image, 1352 x 471, RGB, 3x 8-bit channels
Stream Size:	150157
Entropy:	3.43936161306
Base64 Encoded:	False
Data ASCII:	8 B P S . . . . . . . . . . . . . . . . . H . . . . . . . . . . . \| 8 B I M . . . . . . . . . H . . . . . . . H . . . . . . 8 B I M . . . . . . . . . . . . . . . . 8 B I M ' . . . . . . . . . . . . . . . . . 8 B I M . . . . . . . H . / f f . . . l f f . . . . . . . . . / f f . . . . . . . . . . . . . . . 2 . . . . . Z . . . . . . . . . . . 5 . . . . . - . . . . . . . . . . 8 B I M . . . . . . . . . . 8 B I M . . . . . . . . . . P H U T . 5 . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	38 42 50 53 00 01 00 00 00 00 00 00 00 03 00 00 01 d7 00 00 05 48 00 08 00 03 00 00 00 00 00 00 01 7c 38 42 49 4d 03 ed 00 00 00 00 00 10 00 48 00 00 00 01 00 01 00 48 00 00 00 01 00 01 38 42 49 4d 03 f3 00 00 00 00 00 08 00 00 00 00 00 00 00 01 38 42 49 4d 27 10 00 00 00 00 00 0a 00 01 00 00 00 00 00 00 00 02 38 42 49 4d 03 f5 00 00 00 00 00 48 00 2f 66 66 00 01 00 6c 66 66 00 06

Stream Path: WordDocument, File Type: data, Stream Size: 7732

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	7732
Entropy:	3.97814084136
Base64 Encoded:	True
Data ASCII:	. . . . ) . . . . . . 2 . . . . . . . . . . . . . . . . / . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . 4 h . . 4 h . . . . . . . . / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . . . . . . . " . . . . . . . " . . . . . . . " . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . & " . . . . . . & " . . . . . . & " . . 8 . . . ^ " . . , .
Data Raw:	ec a5 c1 00 29 00 09 04 00 00 f8 32 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 2f 0c 00 00 0e 00 62 6a 62 6a f4 a0 f4 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 1e 00 00 96 ca 34 68 96 ca 34 68 ff 03 00 00 00 00 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Target ID:	0
Start time:	21:39:15
Start date:	02/03/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f750000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FD4A9FF0-45D4-4B29-B275-F3D0609FB7FF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{05321645-6541-494A-9CAF-CDF206BEB341}.tmp

C:\Users\user\AppData\Local\Temp\~DF8E68413022F2DE5B.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$edit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 624

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 468

General

Stream Path: 1Table, File Type: dBase III DBT, version number 0, next free block index 3737106, Stream Size: 17958

General

Stream Path: Data, File Type: data, Stream Size: 17322

General

Stream Path: ObjectPool/_1064645219/\x1CompObj, File Type: data, Stream Size: 102

General

Stream Path: ObjectPool/_1064645219/\x1Ole, File Type: data, Stream Size: 20

General

Stream Path: ObjectPool/_1064645219/\x3ObjInfo, File Type: data, Stream Size: 4

General

Windows Analysis Report
Credit Ref Verify - American States Utility Service for National Stormwater Trust Inc.doc