Windows Analysis Report
Payment copy_2911022.docx.doc

Overview

General Information

Sample Name: Payment copy_2911022.docx.doc
Analysis ID: 770660
MD5: cd3dbd5f1d468da826581361b619b393
SHA1: 9d5fc2d99aec7c8c18d8af7267b4a31801fda770
SHA256: 1c6189f068ee3870e1d41511bd55c02cef9d98a816a963a26f95ff0b6becea1f
Tags: docdocx

Detection

CVE-2021-40444
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected CVE-2021-40444 exploit
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: Payment copy_2911022.docx.doc Avira: detected
Source: Payment copy_2911022.docx.doc ReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.doc Virustotal: Detection: 46%

Exploits

Source: document.xml.rels Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: global traffic DNS query: name: pzsrblog.com
Source: global traffic HTTP traffic detected:
    GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: pzsrblog.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: pzsrblog.com
    If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: pzsrblog.com
    If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT
    Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 20 Dec 2022 13:08:02 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 19268
    Connection: close
    Server: LiteSpeed
    last-modified: Tue, 25 Jan 2022 07:44:20 GMT
    etag: "4b44-61efaa54-78a64b804597b561;;;"
    accept-ranges: bytes
    x-turbo-charged-by: LiteSpeed
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 20 Dec 2022 13:08:11 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 19268
    Connection: close
    Server: LiteSpeed
    last-modified: Tue, 25 Jan 2022 07:44:20 GMT
    etag: "4b44-61efaa54-78a64b804597b561;;;"
    accept-ranges: bytes
    x-turbo-charged-by: LiteSpeed
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 20 Dec 2022 13:08:16 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 19268
    Connection: close
    Server: LiteSpeed
    last-modified: Tue, 25 Jan 2022 07:44:20 GMT
    etag: "4b44-61efaa54-78a64b804597b561;;;"
    accept-ranges: bytes
    x-turbo-charged-by: LiteSpeed
Source: ~WRS{2DAED936-6AE5-4EA6-A2A6-98457564935D}.tmp.0.dr String found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXr
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr String found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrA
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr String found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrAx-usc:https://pzsrblog.com/wp-content/up
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr String found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXryX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D442B920-91E2-4DCA-989E-AADAC9D5BA07}.tmp
Source: unknown DNS traffic detected: queries for: pzsrblog.com
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: pzsrblog.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: pzsrblog.com
  If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: pzsrblog.com
  If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT
  Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: document.xml.rels, type: SAMPLE Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Payment copy_2911022.docx.doc ReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.doc Virustotal: Detection: 46%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Payment copy_2911022.docx.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Payment copy_2911022.docx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$yment copy_2911022.docx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5BC5.tmp
Source: classification engine Classification label: mal68.expl.evad.winDOC@1/20@7/1
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Payment copy_2911022.docx.doc Initial sample: OLE zip file path = word/media/image1.jpg
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX