Windows Analysis Report
ZDhoKQk8G6.docx

Overview

General Information

Sample Name: ZDhoKQk8G6.docx
Analysis ID: 645905
MD5: b64108b4dbb4cc0ceeca091289d3c3e6
SHA1: ad1eb7107e76f8d75cdb2c3a8cc39179dd490ef0
SHA256: 52b48c4b2f4a63fc6611dea7e9146a440d41e306143788ea20c56c3ab292cf00
Tags: doc, docx, Follina

Detection

Follina CVE-2022-30190
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Contains an external reference to another file
Uses known network protocols on non-standard ports
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type

AV Detection

Source: ZDhoKQk8G6.docx Virustotal: Detection: 25%
Source: ZDhoKQk8G6.docx ReversingLabs: Detection: 17%

Exploits

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, type: DROPPED
Source: document.xml.rels Extracted files from sample: http://117.48.146.246:8008/exploit.htm!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 117.48.146.246:8008
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 117.48.146.246:8008

Networking

Source: Traffic Snort IDS: 2023942 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic Snort IDS: 2023941 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic Snort IDS: 2023942 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 117.48.146.246:8008 -> 192.168.2.22:49181
Source: Traffic Snort IDS: 2023941 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 117.48.146.246:8008 -> 192.168.2.22:49181
Source: Traffic Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 117.48.146.246:8008 -> 192.168.2.22:49181
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49182
Source: global traffic HTTP traffic detected:
    GET /exploit.htm HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 117.48.146.246:8008
    Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 117.48.146.246:8008
Source: Joe Sandbox View ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
Source: unknown TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 15 Jun 2022 05:10:34 GMT
    Content-Type: text/plain
    Content-Length: 0
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 15 Jun 2022 05:10:35 GMT
    Content-Type: text/plain
    Content-Length: 0
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr String found in binary or memory: http://117.48.146.246:8008/exp
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr, ~WRS{E3D2E09D-939E-4CE8-8CEF-3005BD062461}.tmp.0.dr String found in binary or memory: http://117.48.146.246:8008/exploit.htm
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr String found in binary or memory: http://117.48.146.246:8008/exploit.htmyX
Source: document.xml String found in binary or memory: https://img1.18183.com/image/20220427/1651040288153109.png
Source: document.xml String found in binary or memory: https://img1.18183.com/image/20220427/1651040297422300.png
Source: document.xml String found in binary or memory: https://img1.18183.com/image/20220427/1651040303449177.png
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F2A88E0D-A9AE-4C78-97ED-928ECF332904}.tmp

System Summary

Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: dump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ZDhoKQk8G6.docx Virustotal: Detection: 25%
Source: ZDhoKQk8G6.docx ReversingLabs: Detection: 17%
Source: ZDhoKQk8G6.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\ZDhoKQk8G6.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$hoKQk8G6.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5F4E.tmp
Source: classification engine Classification label: mal84.troj.expl.evad.winDOCX@1/22@0/1
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: http://117.48.146.246:8008/exploit.htm!

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 8008
Source: unknown Network traffic detected: HTTP traffic on port 8008 -> 49182
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX