Windows Analysis Report: Contract agreement.docx
Overview
General Information
Detection
Score: 0 (range 0 - 100)
Whitelisted: false
Confidence: 80%
Signatures
Classification
- System is w7x64
- WINWORD.EXE (PID: 2188, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup

The /Automation -Embedding switches are the ones Word receives when it is started as a COM server, so the sandbox opened the document through Office automation rather than by double-clicking it. That is a property of the analysis environment, not of the document, and it is also why the document path does not appear on the command line.
There are no malicious signatures.
Matched signatures by category (none rated malicious; the number in parentheses is how many rows of that category the report lists):
- File opened (2)
- File created (3)
- OLE stream indicators for Word, Excel, PowerPoint, and Visio (1)
- Classification label (1)
- OLE document summary (3)
- File read (1)
- LNK file (1)
- Window detected (1)
- Initial sample (2)
- Key opened (1)
- Process information set (52)
MITRE ATT&CK matrix. Only cells carrying a count are matched signatures; every other cell is an unmatched placeholder technique of the standard matrix. The matched techniques are:

| Tactic | Technique | Matched signatures |
|---|---|---|
| Defense Evasion | Masquerading | 1 |
| Discovery | File and Directory Discovery | 1 |
| Discovery | System Information Discovery | 1 |
| Command and Control | Ingress Tool Transfer | 1 |

Full matrix as reported:

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 877007
Start date and time: 2023-05-28 14:15:36 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Contract agreement.docx
Detection: CLEAN
Classification: clean0.winDOCX@1/13@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BB8ABC6.png
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 12033
Entropy (8bit): 7.814046314403372
Encrypted: false
SSDEEP: 192:Yo6IjAHr7WP4702cGwLM3nYQYHtbi+YssYWs5/OryMSHgg4QvuG6Td3V2Sa6Vti:WbHr7Wk09inYfHtbi+YuOGMygg4V5dE3
MD5: 1982F2115020E93B3AAF65C919E5E7B1
SHA1: 8E4AF970E33E083E62FB1D9FA709C59E876FDB23
SHA-256: B310B9D089845E82397A55AF32151F3A20B7B20AE6634C84C3B03B0267DAE9F9
SHA-512: 269BDA663C90B7454F942615ACC283CC4D0DAF292E1BAA430593ADE534B8007AF430FFB66ACE0AABFDB2B9C4F6A880703FA12B82112D45AB86757CF54A5C81FF
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93279D0F.jpeg
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 16041
Entropy (8bit): 7.908036013679057
Encrypted: false
SSDEEP: 384:UJiwuzBzGFGiGn0Lo5x06rJJFQc/eDlLyT6iQp:UyzBMTGn0uRJJmc2hLs6iQp
MD5: 532ECCFDAB55D04C4A1F0C74DCE69AC0
SHA1: 082C285DF47E0FA97DE967F8FF44DF12962384DC
SHA-256: CB024CFF62003E835785C68BCA97A29818DFF1FE58F46C91D5B6BF889752F951
SHA-512: D9A4150EF19A6CA2B3A73E6FE0625C5F1C56B4D6365BBD2816A12D8EFF7F448D69855B9B1413BF07594A93757915FAC43D8566ABBF5DAEECB5FC87EAA5627D66
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\980DF3C4.png
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 123518
Entropy (8bit): 7.994272940906965
Encrypted: true
SSDEEP: 3072:/NuCUlIjWXRhoC0Sf9bHpUHgl7Ms7EWyljC/o6fvD:/rE9Z4gRMNW1/r
MD5: 6432EC45A44A1CE70C6D31D7910B3D8B
SHA1: 8BC88D78CB0231AFC15BE30E292A0663411C8624
SHA-256: 60AB53BD284207BE4197833C4F8B1632F860BA0183C52C9B8E0608BCED63BB14
SHA-512: 4F536E910627D7D6BF4D9D2F43E08BF5E85536C2FA55B531640D589C323B25C74EA9BA79781799036DF014B2C5CEFF6AA9DBFB4844FF6FF2F7D2C248970890B6
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E287E699.png
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 1872
Entropy (8bit): 7.820973115519834
Encrypted: false
SSDEEP: 48:rZD2m8v+zT16rTGv6bYOx4cicaV2fs6QV4oJX:NDjzTYrRYupvaEs6roJX
MD5: 3DDCCDFCD959C07AB9A2F7778923DFB9
SHA1: D6D40BC9AEF8DB200A9612B7D5794E3CE3FAACE1
SHA-256: E701C4434517707206E3DAD5D1E84249B423F0C932B79F1CE71E434B227D6240
SHA-512: D8BC7418C461B81FBC20D7D3BCDFC4EB22E76CEAD6391049D6363DD4909EC2770BE024BF73395097090C514C245C91730C01B5BDA886BB6B6FB8B4085B7C3C9D
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{60BF3DE8-1CA3-42CB-B6CA-E671C80F0F56}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 2560
Entropy (8bit): 1.4200733097516376
Encrypted: false
SSDEEP: 6:rl912N0xVN+CFQXeDXw9XfA9XfA9XCw9XfA9XfA9XCw9XCw9XCB9Xh9Xh9X:rl3lTpFQgXIwwCIwwCICICb77
MD5: 2ED4F5AEFC83840D2981F9ADC2F6460D
SHA1: 8AE268AC0E0B730B7973FF0485E689B52E483FC6
SHA-256: A34946B2D938BD91DDB4B6E06B495F575BED87EEC17764C9EDD5D0A7DF5995C6
SHA-512: 618E5F60F3DA577B52ACDA47F1334CDDF8E3D89DF0A59611461D3D4D42212A355159DFACC14E37E713D3E1F5BA47771417E7354E23067E396E1420CD60E59FB0
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9D5B7132-C829-4FE2-85DD-9FE723688C9F}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 24576
Entropy (8bit): 3.9761180206469766
Encrypted: false
SSDEEP: 384:plmL56u5fvg+e9Dsi3nI9Vp2SdkBg4GvGLuHUNLCLpecS8kPz:PKSTb
MD5: A060B65BBA744CE5658560E8C225A469
SHA1: 296865DC3F3170AEE4DB1DAFC1BD00E1243E41CF
SHA-256: A09917E33EDB7496696D6EDF38C56106B422BD70F637C935FF0A66656B940086
SHA-512: A497618616CE8C7FE66568D7E0043D120AE58CEE2B5B71150D29D7CEAB6894CB699FC69E98B523800CB62BBC92F5FAC69BBEE915A5D5E1D47F5C454BF5577CF2
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7F1C78C-1140-4E43-A415-F39DE2B8E989}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 663
Entropy (8bit): 5.949125862393289
Encrypted: false
SSDEEP: 12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5: ED3C1C40B68BA4F40DB15529D5443DEC
SHA1: 831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256: 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512: C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious: false
Reputation: high, very likely benign file
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 1059
Entropy (8bit): 4.56374243763475
Encrypted: false
SSDEEP: 12:8M806jgXg/XAlCPCHaXZKBfB/YM+X+WTWwKQHu8juicvbE63D48QHu2NDtZ3Yil3:8m0/XTpKh2hBWfQlNeBQ7Dv3qo4yA7yJ
MD5: 9513D565031D67DBA8B2EBFE29BBA858
SHA1: 70DF1BD639F4907EB53012464120AE739D291AB6
SHA-256: 7A3760F8C3D3FC643BB0CA750770573A9F5F79EC27396394A916A7AB567E6306
SHA-512: B1FD312F39DA121F7193B9E6A21D57487E651DDAD5610CF39DBD7C83B0B1495A359E9887D37278A3FEF2E7E0AE27972A6545C608696452EB889FE39E88055B6A
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 88
Entropy (8bit): 4.579734358584997
Encrypted: false
SSDEEP: 3:bDuMJl+EUGjrjRUmxWt7GjrjRUv:bCYjrYCjrE
MD5: 554CBE79C94D699500455BDA9F6515D4
SHA1: 6A6E03D18EE83FB86C23BA306CC6D2D141B01912
SHA-256: 483C9CA9FBCD4BD95FBA5F6CB0415261D9D1C83D391B0C955C5AB5EAEBBD47CD
SHA-512: 7C7F871FE7DBB87D330B12F6174F129AB7E2A54AE51E7EA50B236AB8175D9660B1A060DFC1A7216C45688676E6130DA06CBA9F83224F623D551D67F7387C9DD7
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.503835550707525
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5: D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1: 23684CCAA587C442181A92E722E15A685B2407B1
SHA-256: 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512: 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.503835550707525
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5: D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1: 23684CCAA587C442181A92E722E15A685B2407B1
SHA-256: 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512: 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious: false
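Each dropped-file entry above reports size, 8-bit entropy, an Encrypted flag and four digests. The Python below is an added example, not part of the Joe Sandbox report, that recomputes those metrics over constructed byte strings: a mostly-zero buffer (like the 1024-byte ~WRS temp file), plain text, a deflate stream, and pseudo-random bytes. The threshold constant is an assumption, chosen only so that the report's own values (7.994 flagged, 7.908 not) land on the expected sides; the sandbox's real cutoff is not given on the page.

```python
"""Recompute the per-file metrics a sandbox lists for each dropped file.

Added example over constructed byte strings; it is not Joe Sandbox code.
"""
import hashlib
import math
import random
import zlib
from collections import Counter

# Assumed cutoff for the "Encrypted" flag. The report flags entropy 7.994 and
# not 7.908, so the real threshold lies somewhere between; 7.99 is a placeholder.
ENCRYPTED_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for one symbol, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """The same fields the report prints per dropped file, hex digests upper-cased."""
    h = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": h,
        "encrypted_flag": h >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def constructed_samples() -> dict:
    """Constructed inputs standing in for the kinds of files Word drops."""
    rng = random.Random(2023)  # fixed seed: the numbers are reproducible
    vocab = [b"contract", b"agreement", b"party", b"clause",
             b"shall", b"payment", b"term", b"notice"]
    prose = b" ".join(rng.choice(vocab) for _ in range(20_000))
    return {
        "sparse": bytes(1020) + b"\x01\x02\x03\x04",  # near-empty temp file
        "text": prose,                                 # readable content
        "deflated": zlib.compress(prose, 9),           # compressed stream, as in PNG/JPEG/DOCX payloads
        "random": rng.getrandbits(8 * 200_000).to_bytes(200_000, "big"),  # ciphertext-like
    }


def triage(samples=None) -> dict:
    """Metrics for every sample, keyed by name."""
    samples = constructed_samples() if samples is None else samples
    return {name: file_metrics(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, m in triage().items():
        print(f"{name:9} size={m['size']:7d} entropy={m['entropy']:.3f} "
              f"encrypted_flag={m['encrypted_flag']} sha256={m['sha256'][:16]}...")
```

Compressed media sits in the same entropy band as ciphertext, which is why the 123518-byte 980DF3C4.png is the one file on this page flagged Encrypted (7.994) while nothing was encrypted: read the flag as "high entropy", not as evidence of a cipher. The same image explains the sample's fuzzy hash: the SSDEEP of Contract agreement.docx and of 980DF3C4.png share the 3072 block size and the long chunk NuCUlIjWXRhoC0Sf9bHpUHgl7Ms7EWyljC/o6fv, so at 123 KB of a 179 KB container the picture, not the text, is what ssdeep fingerprints.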
File type:
Entropy (8bit): 7.954541983842944
TrID:
File name: Contract agreement.docx
File size: 178975
MD5: 494ad369620d8b28dea9cc0d60b8f865
SHA1: 57c451f3c0af780141d663940d58c201cda2cf36
SHA256: 2390662435e396fea8f64f5d5cbf71f70e7c191b6568437a1b1f794846f316da
SHA512: f91a2a536d161880aca47b18970aea6d795ff0c345cfa26401a936b9ecddf500100fbd0460b82fe5f75dbf4296e1cfdbb2c690bc07a0345c51009094c21ded82
SSDEEP: 3072:2lNuCUlIjWXRhoC0Sf9bHpUHgl7Ms7EWyljC/o6fv5MTT3hegIHTulufd2o:2lrE9Z4gRMNW1/Q7hegIHTPd2o
TLSH: 080412EDE850EC17EAE34A758E44D6F5BBB8251282806DD367C0EF7C467094783069DE
File Content Preview: PK..........!.6...............[Content_Types].xml ...(... (a ZIP local-file header whose first entry is the OOXML content-types part, i.e. an Office Open XML package rather than a legacy OLE .doc)
Icon Hash: 65e6a3a3afb7bdbf
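The content preview shows the sample begins with PK and carries [Content_Types].xml, so it is an OOXML ZIP package. The Python below is an added example, not the report's or Joe Sandbox's code, of the static triage an analyst can run on such a package before (or instead of) detonating it: enumerate the parts, flag a VBA project, flag OLE2 blobs by their magic, and pull every relationship whose TargetMode is External (remote attached template, external link). The packages it scans are constructed in memory, the 198.51.100.7 URL is a hypothetical placeholder, and nothing here asserts that the report's sample contains any of these parts.

```python
"""Static triage of an OOXML (DOCX/DOCM) package without opening it in Word.

Added example with constructed input; it is not the analysed sample.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file (OLE2) header
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_PART_BYTES = 8 * 1024 * 1024  # record, but do not inflate, larger parts (zip-bomb guard)

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
ROOT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body><w:p><w:r><w:t>Contract agreement</w:t></w:r></w:p></w:body></w:document>"
)


def build_docx(with_macro=False, with_ole=False, remote_template=None) -> bytes:
    """Constructed minimal OPC package for the demo; optionally adds the parts we hunt for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + bytes(64))
        if with_macro:  # a VBA project is itself an OLE2 compound file
            z.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(504))
        if with_ole:
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + bytes(504))
        if remote_template:  # attached template fetched from off-box when the document opens
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{remote_template}" TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """What a reviewer wants to know before the file is opened anywhere."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container; OOXML files start with PK\\x03\\x04")
    result = {"parts": [], "has_content_types": False, "has_macros": False,
              "ole_parts": [], "media": [], "external_targets": [], "oversized": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            lower = name.lower()
            result["parts"].append(name)
            if name == "[Content_Types].xml":
                result["has_content_types"] = True
            if lower.endswith("vbaproject.bin"):
                result["has_macros"] = True
            if lower.startswith("word/media/"):
                result["media"].append(name)
            if info.file_size > MAX_PART_BYTES:  # declared size; never trust it enough to inflate
                result["oversized"].append(name)
                continue
            blob = z.read(name)
            if blob.startswith(OLE_MAGIC):
                result["ole_parts"].append(name)
            if lower.endswith(".rels"):  # every relationship part, root included
                root = ET.fromstring(blob)  # small, size-capped parts only
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        result["external_targets"].append((rel_type, rel.get("Target")))
    return result
```

A clean report like this one says the sandbox saw nothing happen in four minutes on Office 2010; the package inspection above answers a different question, whether the file can make anything happen at all, and it does so without the timeout, the missing EGA/HDC data, or the Office version mattering.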
Target ID: 0
Start time: 14:16:56
Start date: 28/05/2023
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f2c0000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high