Windows Analysis Report
dl18aYTBo5

Overview

General Information

Sample Name: dl18aYTBo5 (renamed file extension from none to docx)
Analysis ID: 686004
MD5: b91615355a11f5bb8b7c381a8bc4485a
SHA1: 7950b1730e05a2dcdd19f1a98a697798a9edbf77
SHA256: 3fdd30eb0961c98259d58327745ec253588b1553d9822d613d45d076c4b07ec1

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: dl18aYTBo5.docx Avira: detected
Source: dl18aYTBo5.docx Metadefender: Detection: 20%
Source: dl18aYTBo5.docx ReversingLabs: Detection: 27%

Exploits

Source: document.xml.rels Extracted files from sample: https://raw.githubusercontent.com/drgreenthumb93/cve-2022-30190-follina/main/bad.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 185.199.108.133:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.108.133:443
Source: global traffic TCP traffic: 185.199.108.133:443 -> 192.168.2.22:49172
Source: global traffic DNS query: name: raw.githubusercontent.com
Source: Joe Sandbox View ASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Connection: close
  Cache-Control: no-cache
  Content-Type: text/html; charset=utf-8
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 0
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
  Accept-Ranges: bytes
  Date: Thu, 18 Aug 2022 01:51:10 GMT
  Via: 1.1 varnish
  X-Served-By: cache-mxp6935-MXP
  X-Cache: MISS
  X-Cache-Hits: 0
  X-Timer: S1660787471.831212,VS0,VE9
  Access-Control-Allow-Origin: *
  X-Fastly-Request-ID: 0038ae362210300c11e8b16daefe6a458ddf6fd4
  Expires: Thu, 18 Aug 2022 01:56:10 GMT
  Vary: Authorization,Accept-Encoding
  transfer-encoding: chunked
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Connection: close
  Cache-Control: no-cache
  Content-Type: text/html; charset=utf-8
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 0
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
  Accept-Ranges: bytes
  Date: Thu, 18 Aug 2022 01:51:16 GMT
  Via: 1.1 varnish
  X-Served-By: cache-mxp6942-MXP
  X-Cache: MISS
  X-Cache-Hits: 0
  X-Timer: S1660787477.934296,VS0,VE9
  Access-Control-Allow-Origin: *
  X-Fastly-Request-ID: 86ac34f2a7f5281d6f97d13ae2197222c90618af
  Expires: Thu, 18 Aug 2022 01:56:16 GMT
  Vary: Authorization,Accept-Encoding
  transfer-encoding: chunked
Source: ~WRS{FEC6DCA0-7354-46DE-A8FC-629874E35853}.tmp.0.dr String found in binary or memory: https://raw.githubusercontent.com/drgreenthumb93/CVE-2022-30190-follina/main/bad.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{40655C52-0542-4D1D-95A6-44AB7A44DEAF}.tmp
Source: unknown DNS traffic detected: queries for: raw.githubusercontent.com

System Summary

Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: ~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: dl18aYTBo5.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\dl18aYTBo5.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$18aYTBo5.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR4E00.tmp
Source: classification engine Classification label: mal72.expl.evad.winDOCX@1/15@1/1
Source: ~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: ~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: https://raw.githubusercontent.com/drgreenthumb93/cve-2022-30190-follina/main/bad.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX