Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Document exploit detected (process start blacklist hit)
Found a high number of Window/User-specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Drops PE files to the Windows directory (C:\Windows)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP