Analysis Report (Windows): SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912
Overview
General Information
Detection: FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Document exploit detected (drops PE files)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Document contains OLE streams with names of living off the land binaries
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Uses ipconfig to lookup or modify the Windows network settings
PE file contains section with special chars
Sample uses process hollowing technique
Office process drops PE file
Writes to foreign memory regions
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality for execution timing, often used to detect debuggers
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w7x64
- WINWORD.EXE (PID: 3000, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 3060, cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- cmd.exe (PID: 2708, cmdline: CmD.exe /C %tmp%\Client.exe A C, MD5: AD7B9C14083B52BC532FBA5948342B98)
- Client.exe (PID: 316, cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C, MD5: B4F00BB75BFD5C4E2C9D0CD6070E8E54)
- notepad.exe (PID: 2188, cmdline: C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}, MD5: A4F6DF0E33E644E802C8798ED94D80EA)
- explorer.exe (PID: 1860, cmdline: C:\Windows\Explorer.EXE, MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- ipconfig.exe (PID: 1800, cmdline: C:\Windows\SysWOW64\ipconfig.exe, MD5: CABB20E171770FF64614A54C1F31C033)
- cmd.exe (PID: 1740, cmdline: /c del "C:\Windows\SysWOW64\notepad.exe", MD5: AD7B9C14083B52BC532FBA5948342B98)
- cleanup
{"C2 list": ["www.lundadonate.xyz/nb30/"], "decoy": ["p5w.top", "5tfg.com", "anicehost.net", "willsmalaysia.com", "yothisnox.com", "arripro.com", "etherhacker.net", "best-boy.net", "ppcrecruits.net", "sportsplaymaker.app", "indovanilla.net", "srsimmons.co.uk", "ahulubicyclecompany.com", "4lifegeneration.com", "asiasbodyscrubs.com", "allianceocm.com", "gadstrackingtool.site", "nycityspaces.com", "wsdldc.com", "paradise-unlimited.com", "h-language.com", "socialautopost.com", "facebfree.com", "rccl.tech", "ottomakeup.store", "top-softwarereviews.com", "buy-refrigerators.site", "dhglassbottle.com", "justcallmet3.online", "ce-chen-photography.com", "premierdealznext.online", "jnfbhch.com", "3dherders.com", "mejoresmoviles.top", "401by.com", "ynnanjiu.com", "hgirejr.space", "therapeuticdetailing.com", "nowinnofeeteam.co.uk", "banhtrangmuoitayninh.com", "xrhealthinstitute.com", "theilluminati.online", "opimprovements.co.uk", "altoonahanggliding.com", "yellowcottagedoor.com", "11111111111112000.top", "arlowepeak.com", "topbettingoffers.online", "geekmortgages.com", "casasyterrenosjalisco.info", "predicadores.online", "yuntiwang.top", "shanhaiverse.net", "wonderslots-fun.online", "droxgiy.online", "thebluejaysnest.net", "shenlongdian.com", "wf825.com", "urlasuite.xyz", "abundant-life-coach.com", "asd811.xyz", "fc10086.com", "thegoldencamel.online", "pqkjl.com"]}
Rule | Description | Author |
---|---|---|
MAL_RTF_Embedded_OLE_PE | Detects a suspicious string often used in PE files in a hex encoded object stream | Florian Roth |
INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen |

Rule | Description | Author |
---|---|---|
rtf_cve2017_11882_ole | Attempts to identify the exploit CVE 2017 11882 | John Davison |
EXP_potential_CVE_2017_11882 | unknown | ReversingLabs |

Rule | Description | Author |
---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
Windows_Trojan_Formbook_1112e116 | unknown | unknown |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

(First 5 of 54 entries shown.)

Rule | Description | Author |
---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
Windows_Trojan_Formbook_1112e116 | unknown | unknown |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

(First 5 of 47 entries shown.)
No Sigma rule has matched.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
08/08/22-18:39:45.738853 | 192.168.2.22 | 49171 | 66.235.200.170 | 80 | TCP | 2031449 | A Network Trojan was detected |
08/08/22-18:40:04.832440 | 192.168.2.22 | 49172 | 104.167.67.175 | 80 | TCP | 2031449 | A Network Trojan was detected |
08/08/22-18:39:45.738853 | 192.168.2.22 | 49171 | 66.235.200.170 | 80 | TCP | 2031453 | A Network Trojan was detected |
08/08/22-18:40:04.832440 | 192.168.2.22 | 49172 | 104.167.67.175 | 80 | TCP | 2031453 | A Network Trojan was detected |
08/08/22-18:39:45.738853 | 192.168.2.22 | 49171 | 66.235.200.170 | 80 | TCP | 2031412 | A Network Trojan was detected |
08/08/22-18:40:04.832440 | 192.168.2.22 | 49172 | 104.167.67.175 | 80 | TCP | 2031412 | A Network Trojan was detected |
AV Detection |  |
---|---|
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File source: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Exploits |  |
---|---|
Source: | Static RTF information: |
Source: | Process created: |
Source: | Stream path '_1721489049/\x1CompObj' : |
Source: | Process created: |
Source: | File opened: |
Source: | Binary string: |
Software Vulnerabilities |  |
---|---|
Source: | File created: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | Code function: | 9_2_00407B44 |
Source: | Code function: | 9_2_00407B1C |
Source: | Code function: | 9_2_0040E47A |
Source: | TCP traffic: |
Networking |  |
---|---|
Source: | Domain query: |
Source: | Network Connect: |
Source: | Domain query: |
Source: | Snort IDS: |
Source: | URLs: |
Source: | HTTP traffic detected: |
Source: | ASN Name: |
Source: | String found in binary or memory: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |