Windows Analysis Report
TranQuangDai.docx

Overview

General Information

Sample Name:	TranQuangDai.docx
Analysis ID:	643237
MD5:	019203409d35842d93b46de7db4038bb
SHA1:	29d38d998e0a17af1d11cdef3b74855a54727c51
SHA256:	719a07f46b6fce1615a7b4bd1ed3e4d2cb86d7275ae37d3325ff2e9db64e2185
Tags:	docFollina
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Contains an external reference to another file

Detected suspicious Microsoft Office reference URL

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Potential document exploit detected (performs DNS queries)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: TranQuangDai.docx

Virustotal: Detection: 35%

Perma Link

Exploits

Detected suspicious Microsoft Office reference URL

Source: document.xml.rels

Extracted files from sample: https://updatebkav.cf:8080/loadingupdate.html!

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 203.171.20.127:8080

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: updatebkav.cf

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 203.171.20.127:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN

Source: unknown

DNS traffic detected: queries for: updatebkav.cf

Source: E0968A1E3A40D2582E7FD463BAEB59CD.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: E0968A1E3A40D2582E7FD463BAEB59CD.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 10BDC45B4A27319429BBC4F08A4E8A100.0.dr	String found in binary or memory: http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{85969BA5-FFE2-49D8-8035-5335F80B18B2}.tmp

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Yara signature match

Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cie\305\233lak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: TranQuangDai.docx

Virustotal: Detection: 35%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR55BD.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: classification engine

Classification label: mal64.expl.evad.winDOCX@1/18@5/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$anQuangDai.docx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: https://updatebkav.cf:8080/loadingupdate.html!

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.171.20.127	updatebkav.cf	Viet Nam		45903	CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN	true

Contacted Domains

Name	IP	Active
updatebkav.cf	203.171.20.127	true
crt.sectigo.com	91.199.212.52	true
zerossl.crt.sectigo.com	unknown	unknown

ID:	643237
Product:	CloudBasic
Start time:	12:29:09
Start date:	10.06.2022
Sample:	TranQuangDai.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	019203409d35842d93b46de7db4038bb
SHA1:	29d38d998e0a17af1d11cdef3b74855a54727c51
SHA256:	719a07f46b6fce1615a7b4bd1ed3e4d2cb86d7275ae37d3325ff2e9db64e2185
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10BDC45B4A27319429BBC4F08A4E8A10	data	58AA23107C8D5AEDEABD0D5E32578592	C81A8BD1F9CF6D84C525F378CA1D3F8C30770E34	21ACC1DBD6944F9AC18C782CB5C328D6C2821C6B63731FA3B8987F5625DE8A0D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61476 bytes, 1 file	308336E7F515478969B24C13DED11EDE	8FB0CF42B77DBBEF224A1E5FC38ABC2486320775	889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD	data	285EC909C4AB0D2D57F5086B225799AA	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10BDC45B4A27319429BBC4F08A4E8A10	data	A5162B06A57E1A75AFDB99E6E9B030F9	391D0CC9FBAFB5AFB6F1695F856A04463714C32D	6723ECD357B9C4A1BD778813101B5D75B38EA2D5BA7CF26EFA99AA3A94AD4BA4
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	79271FC18E9D98C7B6CF69D071D5D386	F9418F8AE8EE812C408460A744BD562128D8B19A	26901B4F3D4579094C3EAF8D660D063F69CC1E5865A683BE057A845C0AE60A3A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD	data	C17851BEFCA9E6074A9B01BF2FE2758A	32912DF732B81700D08CB09ACC12011E4DD11117	623D1D2609E5BBB7DC3550F3555EE93071FDF3408A07AFE68A9E9146D8DEA9DE
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	BB201D24BCD911B558798EF4E896E53E	A1C0CC1A22CAD094172BBB11B110ECE18539C149	67BDD2ACAD14AFEE9255D9AAAD23881C92CEB16B0CCDCA35F791238C62728EA9
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{44059877-72AB-4C9A-8258-B3A4CC3F341F}.FSD	data	AB44FFF7BF1C2DB50258BD34D73B1D33	9BC1594A4695C258AC619C227868E1F3B29ABC40	A212B866F947F733AA9155E0D7A9319091D8FF77BD2DCF8EC6D919C083C6C1DA
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	A2889FCE211DCE454F72E9BBCA1AAD01	75DDB76D280A8265A1C5B41E8AA353E03065B4AA	47DA3237C346F4B1FF2080B35D47278899EEDE24C0C308365BB7B247E80331EF
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	93869240F89F8262F56D82B3AA838813	792481088735319D53745197BFDB2AE1F2126E69	E03D3F7D3E53A47192209B56CF97B5FD34ED162CCB0B39B8981B7FF2904BC389
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A1B857E3-B132-4673-AC9F-79338C2FA8BB}.FSD	data	7067DE2227A0E1E343E8794FF8E9C26D	A521477E1D8B3044EE715AE8AF5318BE1A3DB8A4	0B882C3D62593931E88BAFAF6F83939DA022B4119BDA4FA2A124D14FB1E0AC5C
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	C4B20A4CFF14220E07A0D5A8C15D5297	FB828980F413F52F01436EC58D0DD2096FF737A1	1557E7C03C3406E5BB17231B13998FDCE4B2425D42E80099671FA7AECF263BDD
C:\Users\user\AppData\Local\Temp\Cab68B2.tmp	Microsoft Cabinet archive data, 61476 bytes, 1 file	308336E7F515478969B24C13DED11EDE	8FB0CF42B77DBBEF224A1E5FC38ABC2486320775	889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
C:\Users\user\AppData\Local\Temp\Tar68B3.tmp	data	2D8A5090656DE9FB55DD0F3BA20F9299	A08BB2FC731F6A72B095C266C44EA66F2C4ACA72	44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E
C:\Users\user\AppData\Local\Temp\{2BA8F08F-11BD-48DD-91CA-8557D0F641F7}	data	C384C1B38E0DB040DCDD2E1839741E58	5655ACDAABB1BFBC79B0C80C4629F75995B52A2F	2D333B9A32B67C7E956841A004A3861F2D80E6E259976193BED7AB592D65427B
C:\Users\user\AppData\Local\Temp\{6D5470AD-7571-4443-B52C-CEA4592715E2}	data	DC6B59DDDA35A24153CF83164A9C0765	453F97E448FDB79F928FC41C75F235B462D41781	F9C8880D546DE62D0A3F3511DA7C0C6DB21F02B1727062BA9DB87842127223CE
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
C:\Users\user\Desktop\~$anQuangDai.docx	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E

Windows Analysis Report
TranQuangDai.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report TranQuangDai.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
TranQuangDai.docx