Windows Analysis Report
5YMh6S8QVr

Overview

General Information

Sample Name: 5YMh6S8QVr (renamed file extension from none to docx)
Analysis ID: 646982
MD5: 5a0d45f97ee4b248360b6b2e5eb4706a
SHA1: e2a00e3489ede1ac935c78b99f92fdce0e74ed69
SHA256: 57b27abbe3d3c0c20cdc1b408ff6fa562ba5f04fa555cb3adb9dcb03e273b664
Tags: 194-34-232-147doc

Detection

CVE-2021-40444, Follina CVE-2022-30190
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Detected CVE-2021-40444 exploit
Snort IDS alert for network traffic
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: 5YMh6S8QVr.docx Avira: detected
Source: 5YMh6S8QVr.docx Virustotal: Detection: 50%
Source: 5YMh6S8QVr.docx Metadefender: Detection: 31%

Exploits

Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\side[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47FC82E2.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34450540.htm, type: DROPPED
Source: document.xml.rels Extracted files from sample: mhtml:http://194.34.232.147/side.html!x-usc:http://194.34.232.147/side.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 194.34.232.147:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 194.34.232.147:80

Networking

Source: Traffic Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 194.34.232.147:80 -> 192.168.2.22:49176
Source: global traffic HTTP traffic detected:
    GET /side.html HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 194.34.232.147
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /side.html HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 194.34.232.147
    If-Modified-Since: Mon, 30 May 2022 20:51:09 GMT
    If-None-Match: "1a76-5e040d0ca4940-gzip"
    Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Thu, 16 Jun 2022 11:30:45 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Last-Modified: Mon, 30 May 2022 20:51:09 GMT
    ETag: "1a76-5e040d0ca4940-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 289
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Thu, 16 Jun 2022 11:30:49 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Last-Modified: Mon, 30 May 2022 20:51:09 GMT
    ETag: "1a76-5e040d0ca4940-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 289
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html
Source: unknown TCP traffic detected without corresponding DNS query: 194.34.232.147
Source: ~WRS{77360496-4BBE-44C6-A84F-CB369D560D67}.tmp.0.dr String found in binary or memory: http://194.34.232.147/side.html
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr String found in binary or memory: http://194.34.232.147/side.html%
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr String found in binary or memory: http://194.34.232.147/side.html%x-usc:http://194.34.232.147/side.html
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr String found in binary or memory: http://194.34.232.147/side.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F66410A8-679A-411F-AE8D-493633C1B9C5}.tmp
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\side[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47FC82E2.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34450540.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 5YMh6S8QVr.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\5YMh6S8QVr.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$Mh6S8QVr.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6882.tmp
Source: classification engine Classification label: mal84.expl.evad.winDOCX@1/23@0/1
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 5YMh6S8QVr.docx Initial sample: OLE zip file path = word/media/image2.wmf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: ~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: mhtml:http://194.34.232.147/side.html!x-usc:http://194.34.232.147/side.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX