Windows Analysis Report
V3g2Pfu707.docx

Overview

General Information

Sample Name: V3g2Pfu707.docx
Analysis ID: 647003
MD5: b60cd79e2c14dbeefa22197f76fc3437
SHA1: 07a2811a3ea7a4a0c84e52cb5a48f1e712b55fd9
SHA256: 6ddab79a6d836f9c1ed9ab3bbe28a074c0c93bd87f55144ed62b23c0032715d1
Tags: CVE-2022-30190, doc, follina

Detection

Follina CVE-2022-30190
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Contains an external reference to another file
Uses known network protocols on non-standard ports
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: V3g2Pfu707.docx Virustotal: Detection: 33%

Exploits

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm, type: DROPPED
Source: document.xml.rels Extracted files from sample: http://101.33.231.81:62563/exploit.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 101.33.231.81:62563
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 101.33.231.81:62563

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 62563
Source: unknown Network traffic detected: HTTP traffic on port 62563 -> 49181
Source: global traffic HTTP traffic detected:
    GET /exploit.html HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 101.33.231.81:62563
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /exploit.html HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 101.33.231.81:62563
    If-Modified-Since: Tue, 14 Jun 2022 15:37:10 GMT; length=5737
    Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 101.33.231.81:62563
Source: Joe Sandbox View ASN Name: TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue, CN
Source: unknown TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr, ~WRS{F19FE166-8B13-4DD0-BB8B-900FB9050402}.tmp.0.dr String found in binary or memory: http://101.33.231.81:62563/exploit.html
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr String found in binary or memory: http://101.33.231.81:62563/exploit.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A4592DE-D21D-4642-AE77-FFCC3AAD3185}.tmp

System Summary

Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: dump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: V3g2Pfu707.docx Virustotal: Detection: 33%
Source: V3g2Pfu707.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\V3g2Pfu707.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$g2Pfu707.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR515A.tmp
Source: classification engine Classification label: mal76.troj.expl.evad.winDOCX@1/21@0/1
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: http://101.33.231.81:62563/exploit.html!

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX