
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:390946
Start time:23:00:33
Joe Sandbox Product:Cloud
Start date:19.10.2017
Overall analysis duration:0h 10m 26s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:World War 3.docx
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection:MAL
Classification:mal52.evad.expl.winDOCX@3/18@1/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .docx
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 174
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, officeclicktorun.exe, OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 52 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Signature Overview



Exploits:

Document embeds Flash objects
Source: World War 3.docx | Stream path 'Contents': fUfU....FWS ....x......p.....D...........<rdf:RDF
Microsoft Office program loads Macromedia Flash Player
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_305.ocx

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global mouse hook
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: blackpartshare.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.15:49170 -> 185.86.150.244:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.15:49170 -> 185.86.150.244:80

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5CB22A90-66BB-40C8-BE22-B81C6AAC1750}.tmp
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /crossdomain.xml HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,305
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: blackpartshare.com
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: blackpartshare.com
Urls found in memory or binary data
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /crossdomain.xml HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,305
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: blackpartshare.com
  Connection: Keep-Alive

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRun
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office 15\Root\Office15\MSVCR100.dll
Document has a 'vbamacros' value indicative of goodware
Source: World War 3.docx | Initial sample: OLE indicators vbamacros = False
Classification label
Source: classification engine | Classification label: mal52.evad.expl.winDOCX@3/18@1/1
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rld War 3.docx
Creates temporary files
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVRDB9A.tmp
Document contains summary information with irregular field values
Source: World War 3.docx | OLE document summary: title field not present or empty
Source: World War 3.docx | OLE document summary: author field not present or empty
Source: World War 3.docx | OLE document summary: edited time not present or 0
Reads ini files
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE 'C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE' /n 'C:\Users\user\Desktop\World War 3.docx
Source: unknown | Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3BDFAD3-F276-49e9-9B17-C474F48F0764}\InProcServer32
Document contains no OLE stream with summary information
Source: World War 3.docx | OLE indicator has summary info: false
Document has an unknown application name
Source: World War 3.docx | OLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: World War 3.docx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE | Process information set: NOOPENFILEERRORBOX
System process connects to network (likely due to code injection or exploit)
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Network Connect: 185.86.150.244 80

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior graph (rendered as an image in the original; node data recovered from the graph):
Behavior Graph ID:390946
Sample:World War 3.docx
Startdate:19/10/2017
Architecture:WINDOWS
Score:52
Processes:
  • WINWORD.EXE (started by main)
  • MSOSQM.EXE (started by WINWORD.EXE)
Signatures attached to WINWORD.EXE:
  • Microsoft Office program loads Macromedia Flash Player
  • System process connects to network (likely due to code injection or exploit)
DNS/IP Info attached to WINWORD.EXE:
  • blackpartshare.com
  • blackpartshare.com 185.86.150.244, 80 MAKONIXLV Latvia

Simulations

Behavior and APIs

Time | Type | Description
23:00:26 | API Interceptor | 11x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
23:00:32 | API Interceptor | 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot