Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	390946
Start time:	23:00:33
Joe Sandbox Product:	Cloud
Start date:	19.10.2017
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	World War 3.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript)
Detection:	MAL
Classification:	mal52.evad.expl.winDOCX@3/18@1/1
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 174 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, officeclicktorun.exe, OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	52	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Signature Overview

Click to jump to signature section

Exploits:

Document embeddeds flash objects

Show sources

Source: World War 3.docx

Stream path 'Contents' : fUfU....FWS ....x......p.....D...........<rdf:RDF

Microsof Office program loads Macromedia Flash Player

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_305.ocx
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_305.ocx
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_305.ocx
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_305.ocx

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global mouse hook

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: blackpartshare.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.15:49170 -> 185.86.150.244:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.15:49170 -> 185.86.150.244:80

Networking:

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5CB22A90-66BB-40C8-BE22-B81C6AAC1750}.tmp

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /crossdomain.xml HTTP/1.1Accept: */*Accept-Language: en-USx-flash-version: 16,0,0,305Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: blackpartshare.comConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: blackpartshare.com

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/user/appdata/local/microsoft/office/winword.exe_rules.xml
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/user/appdata/local/microsoft/office/winword.exe_rules.xmlepitch3601440w:bott
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/user/desktop/world%20war%203.docx
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/user/desktop/world%20war%203.docx1
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/user/desktop/world%20war%203.docxck
Source: MSOSQM.EXE	String found in binary or memory: file:///c:/windows/performance/winsat/datastore/2011-08-17%2009.00.52.786%20formal.assessment%20(rec
Source: MSOSQM.EXE	String found in binary or memory: file://c:
Source: WINWORD.EXE	String found in binary or memory: http://
Source: WINWORD.EXE	String found in binary or memory: http://blackpartshare.com/crossdomain.xml
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/stat/images/onedriveupsell.png
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsellskydrivesignupupsellimagehtt
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsellliveprofileservicehttps:
Source: WINWORD.EXE	String found in binary or memory: http://odc.
Source: WINWORD.EXE	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: WINWORD.EXE	String found in binary or memory: http://weather.service.msn.com/data.aspxdocx7
Source: WINWORD.EXE	String found in binary or memory: https://
Source: WINWORD.EXE	String found in binary or memory: https://api.aadrm.com/-
Source: WINWORD.EXE	String found in binary or memory: https://apis.live.net/v5.0/nenr
Source: WINWORD.EXE	String found in binary or memory: https://broadcast.
Source: WINWORD.EXE	String found in binary or memory: https://contacts.
Source: WINWORD.EXE	String found in binary or memory: https://directory.services.
Source: WINWORD.EXE	String found in binary or memory: https://excelcs.
Source: WINWORD.EXE	String found in binary or memory: https://excelps.
Source: WINWORD.EXE	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE	String found in binary or memory: https://login.
Source: WINWORD.EXE	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorize$5
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorize55
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeadalclientidexceld3590ed6-52b3-4102-aeff-aad2292ab0
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeh5
Source: WINWORD.EXE	String found in binary or memory: https://nexus.
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.comom/config15//m
Source: WINWORD.EXE	String found in binary or memory: https://ocws.
Source: WINWORD.EXE	String found in binary or memory: https://odc.
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.comenableoutlookinclientstorefalseenableoutlookinclientstoreonpremfalsegloba
Source: WINWORD.EXE	String found in binary or memory: https://ols.
Source: WINWORD.EXE	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/partnerprovisioning.svc/v1/subscriptions/ww
Source: WINWORD.EXE	String found in binary or memory: https://pf.directory.live.com/profile/mine/wlx.profiles.ic.jsonmbi_ssl_shortssl.
Source: WINWORD.EXE	String found in binary or memory: https://pf.directory.live.com/profile/mine/wlx.profiles.ic.jsonz#
Source: WINWORD.EXE	String found in binary or memory: https://pptcs.
Source: WINWORD.EXE	String found in binary or memory: https://pptps.
Source: WINWORD.EXE	String found in binary or memory: https://pptss.
Source: WINWORD.EXE	String found in binary or memory: https://pptwrs.
Source: WINWORD.EXE	String found in binary or memory: https://profile.
Source: WINWORD.EXE	String found in binary or memory: https://roaming.
Source: WINWORD.EXE	String found in binary or memory: https://signup.
Source: WINWORD.EXE	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE	String found in binary or memory: https://ssl.bing.com/dict/img/bingdict_e2c.pngv
Source: WINWORD.EXE	String found in binary or memory: https://wordcs.
Source: WINWORD.EXE	String found in binary or memory: https://wordps.

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

System Summary:

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRun

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office 15\Root\Office15\MSVCR100.dll

Document has a 'vbamacros' value indicative for goodware

Show sources

Source: World War 3.docx

Initial sample: OLE indicators vbamacros = False

Classification label

Show sources

Source: classification engine

Classification label: mal52.evad.expl.winDOCX@3/18@1/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rld War 3.docx

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRDB9A.tmp

Document contains summary information with irregular field values

Show sources

Source: World War 3.docx	OLE document summary: title field not present or empty
Source: World War 3.docx	OLE document summary: author field not present or empty
Source: World War 3.docx	OLE document summary: edited time not present or 0

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE 'C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE' /n 'C:\Users\user\Desktop\World War 3.docx
Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3BDFAD3-F276-49e9-9B17-C474F48F0764}\InProcServer32

Document contains no OLE stream with summary information

Show sources

Source: World War 3.docx

OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: World War 3.docx

OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: World War 3.docx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	Process information set: NOOPENFILEERRORBOX

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Network Connect: 185.86.150.244 80

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
23:00:26	API Interceptor	11x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
23:00:32	API Interceptor	2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

System is w7_2

WINWORD.EXE (PID: 2744 cmdline: 'C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE' /n 'C:\Users\user\Desktop\World War 3.docx MD5: FEC5FFC0B51C78D9376A74CD2855D479)

MSOSQM.EXE (PID: 2004 cmdline: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE MD5: 04D5CDDFC37410CF388AD731E655E277)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Word8.0\ShockwaveFlashObjects.exd
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	555F23D4232F34B8D4A1F8EB9631E5C601A76A89
SHA-256:	579FBD0C9B7C3EB85E61D14D7A9097C8F033FF3691DC0E93AEFBACAE35CC4302
SHA-512:	F2EB8AFE68C44A315BF6B7B52423AAE7C76D5A0F92E9695E079DFD430D899808313AFC4B00C02331769F5D323EB7B439D5A57823C4F76D9CDC48419EEA3A2E08
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\15.0\msosqmcached.dat
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	BA35F189BC3AD6FF2BB3A5BF583257D5FC4ECBFD
SHA-256:	F981ED368CCB4652B0FF2EDAA105927B7CAFD38AA561A3443CD123F30F2A18DA
SHA-512:	A13470F0B0BB277D7A8A7DB9F701F7D6272ACFC5AA9D72EBD1386477067E6E06F79BA5F725606E609025972798E2084B8C605EEAB64C34C40FE70CCAA1C30757
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2744_1.etl
File Type:	MS Windows icon resource
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	524FB467E8D47C6C2CCC1700CD6FE967F4E9D9B9
SHA-256:	B450E9EB54FCE6554951A872A782A891D12C7102E051D1F35C531F785541FCAA
SHA-512:	F1E577BD2ED20C862F6DCE369BEF159FFA62D5731F064EF3F9B6A9BD8964C06C6F9AAAFC9AA9E1AFD1E07F42493F8438570208C53EEBEBB0E36895704611935A
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2744_2.etl
File Type:	MS Windows icon resource
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	6D10788CAFCFE60F06DA029EC6C9B0BF1C0E580A
SHA-256:	C9AA796E630AF8328CA4642C9F54B69F928E837EC7A360F13A4661EB2B09B9C1
SHA-512:	ACF6C1CBD761F17FA592B7C2C51D1FF8E91766200496DBA0C19EA0542EECB4584276BE3F8C785AF35E2F1B4CEE673049081ECBC80258217D146147D28655686A
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2744_3.etl
File Type:	MS Windows icon resource
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	99282013A2732D37882DB5631EFB4DB9EB89CFD8
SHA-256:	46233E27F5166BF9505B6078785C1ED66C047B8CB8EF649A3BEE28B4EC0EC134
SHA-512:	1322D404B22FB237B62C81026A1739FACCCB09C34D2B4C6C60912409C3CB70CFE18DF3F7AA24B48A043B95887ED3CD403E07A8A662018572714826F478B7B696
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2744_4.etl
File Type:	MS Windows icon resource
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	1D1FD14EA70109CAA99140599D86873DBEB8DF27
SHA-256:	F7E3F5659C8BBEF66746D77AD0FCF0E888C6819F7925EF43FA4046E5EB96F75E
SHA-512:	334B93EC63EE0658DFF663C2178AE10B4BF4E1B13A244D5E59E0B3A0B0657B38352687A0332C97B92B41CA5D4D82DCF0BB63324BFE21C6BEEE4D15F3E2518492
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2744_5.etl
File Type:	MS Windows icon resource
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	D18CD1D2BBCF959C480854CDC6DA442E5FF8FAB8
SHA-256:	41189840EAD11B3058FC6D25B1C5F9848CE2A1B6B76C93AC325DFEDE4092CA5C
SHA-512:	1BFCEA3F2AB357E60367F903280182B176053BB7F54ED166A47D340BE5DE95CF001E2F527EF50F457F8F0034381E0CA561E388E95B30923554B47554203857C1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Office\OTele\{712B9EEE-C21C-48FA-93E2-C23E5FB41FC9} - 2744 - OTele.dat
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	F2DC236626B178E038D32112625A1D0BD121FB68
SHA-256:	1041169A4B6199237D75DE411589E78140C17448CC73EBC31F45814F4E4ECB0F
SHA-512:	45F414F12FF91CCA41A9D267007A4420B6A9A0A0D4633D2112F4723F87DD8CB724BDD2AE41EE48739A07C4F4495B90C99AAD6EA0E1C7C375D3666B851876D695
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398393A4.png
File Type:	PNG image, 6 x 6, 8-bit/color RGB, non-interlaced
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	47CB1D88A9E4BEC0BBBC8AE9FF7E610A02832381
SHA-256:	D7AE1CAB96FA70C41B833BFE8F8DD14F95A88E9FCBAA903C23CF49ECF7911813
SHA-512:	3C6FDA891B6C77D8F248357474D2FCDAB2781705793CCC588FA79E486A8682072C23550EBB2B6F4E74D025D4306CA5FA2DB4F68C8D284566E55AD7E5B68B72A0
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C385D755.wmf
File Type:	ms-windows metafont .wmf
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	48611F283A37A1C2DD3D583EB08743718E55E139
SHA-256:	DE24333CD68A45D99B1324CF2B73DBBC17F80B44EE73BB78FEF52BEE5788A5F0
SHA-512:	616D4C4D72987BE8FA0CC5C92DB68E7C1948B0D911722F45A7D7FDC757C7313A6F34D65D54D555005A29847F9747E70DCAE28BCF5E4AC3B80C519FEF1B2FA8B5
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5926CD70-A408-486E-A016-7DBC14E6985F}.tmp
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	A4A89D3748E348800210FEBBA2F1FD1D3A3940C2
SHA-256:	4EB6744AA182FEAA6B006E7190E06D5C8030E1C74B7AE6A8FC00BDDDBE72177A
SHA-512:	702255ED12D55DA24A0376AB52A86625D0DE55191671D9BAB9D23311C756DCD6D9736A04F949175B337BB97FB5AB3A411C4E3ACA2812ADC51484FC91A07263D1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5CB22A90-66BB-40C8-BE22-B81C6AAC1750}.tmp
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	F66C6F70E5ACFB68B4BA47C6A8CA60BD3896FC60
SHA-256:	A5DB199E0AC0AE967FF35332B1261D9E11AC7D4FA30CC9253CE20FEE0E381C00
SHA-512:	D102E268FF5793EFFA6A086D835285FF6B3D09AEBC7FE252CD1D52434002FF9754996D19CBAD383D228292D623F6643C07DD15BB0C6896BBE7EE512303C5DA4F
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\World War 3.LNK
File Type:	MS Windows shortcut
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	8DC51BB87DF0C055BD4AB0B9FEDAE9E1D4CBA2EB
SHA-256:	2590EDF93C11E227ED91E4D0E5E96FFA8E11F738A921AAB22501681C10D193A4
SHA-512:	79FA208ADD5691CE9FCC4935D6580102FAEE2B75F54DA0133C41A6EF70E725A3F37E4E1B06B0724B5C53934866B9116B2095D1E5A8A52F3DBC9CED8CC871F8F2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:	ASCII text, with CRLF line terminators
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	A86E076C0A155855E5B7A4BCEFCB5F5CD881F984
SHA-256:	9CA15AFD91A68BAB48C7BD6162595278FF65BC14C6C26F3E02EAEABC9210D2E1
SHA-512:	40A3F6DD673B9A3CFEC4A1FB441F4D16F7FC68CAC1C402671ECE25CE383228A59C29DC53E6C3D3C0AAFA741F4876E422BDDA6078CC07305279BDE3625B14C917
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	11A7E1C980822FED85CA3A5149FF609EEF8A02A8
SHA-256:	5CA0ADFB328F0AAE713B0246B722EB0BD9B66F22A128CB0F5613B38715E93BB3
SHA-512:	8DEF38AB647E7FF5F8965502F98CF1489B7A9D4FB08B4BEDD283FC4C9815470A81BD7BF7E78C93476BC13E033A6C5D3104C49C436729FEA3D8D23302A6542C09
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	low

C:\Users\user\Desktop\~$rld War 3.docx
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	11A7E1C980822FED85CA3A5149FF609EEF8A02A8
SHA-256:	5CA0ADFB328F0AAE713B0246B722EB0BD9B66F22A128CB0F5613B38715E93BB3
SHA-512:	8DEF38AB647E7FF5F8965502F98CF1489B7A9D4FB08B4BEDD283FC4C9815470A81BD7BF7E78C93476BC13E033A6C5D3104C49C436729FEA3D8D23302A6542C09
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
blackpartshare.com	185.86.150.244	true	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
185.86.150.244	Latvia		52173	MAKONIXLV	true

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
TrID:	Word Microsoft Office Open XML Format document (41004/1) 91.10% ZIP compressed archive (4004/1) 8.90%
File name:	World War 3.docx
File size:	18777
MD5:	0e0f7e17b8926d9bfd43a320d703e41b
SHA1:	7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3
SHA256:	25f983961eef6751e53a72c96d35448f8b413edf727501d0990f763b8c5e900b
SHA512:	53b4a239b4267ced397bda1d013da8e841d23b368a49ef30c72cb788e6c2cbc4f314566f206d84a32ad4a0c3a88f0e9ae3f1ab539084ed35d959d5e0b3c6157f
File Content Preview:	PK..........!..@.W............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "word/activeX/activeX1.bin"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Streams

Stream Path: Contents, File Type: data, Stream Size: 4201

General
Stream Path:	Contents
File Type:	data
Stream Size:	4201
Entropy:	7.1669842622
Base64 Encoded:	True
Data ASCII:	f U f U . . . . F W S . . . . x . . . . . . p . . . . . D . . . . . . . . . . . < r d f : R D F x m l n s : r d f = ' h t t p : / / w w w . w 3 . o r g / 1 9 9 9 / 0 2 / 2 2 - r d f - s y n t a x - n s # ' > < r d f : D e s c r i p t i o n r d f : a b o u t = ' ' x m l n s : d c = ' h t t p : / / p u r l . o r g / d c / e l e m e n t s / 1 . 1 ' > < d c : f o r m a t > a p p l i c a t i o n / x - s h o c k w a v e - f l a s h < / d c : f o r m a t > < d c : t i t l e > A p a c h e F l e x A p p
Data Raw:	66 55 66 55 f1 0e 00 00 46 57 53 20 f1 0e 00 00 78 00 07 d0 00 00 17 70 00 00 1e 01 00 44 11 19 00 00 00 7f 13 e6 01 00 00 3c 72 64 66 3a 52 44 46 20 78 6d 6c 6e 73 3a 72 64 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 30 32 2f 32 32 2d 72 64 66 2d 73 79 6e 74 61 78 2d 6e 73 23 27 3e 3c 72 64 66 3a 44 65 73 63 72 69 70 74 69 6f 6e 20 72 64 66 3a 61

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Okt 19, 2017 23:01:27.934609890 MESZ	49902	53	192.168.1.15	8.8.8.8
Okt 19, 2017 23:01:28.075634956 MESZ	53	49902	8.8.8.8	192.168.1.15
Okt 19, 2017 23:01:28.090759993 MESZ	49170	80	192.168.1.15	185.86.150.244
Okt 19, 2017 23:01:28.090812922 MESZ	80	49170	185.86.150.244	192.168.1.15
Okt 19, 2017 23:01:28.090879917 MESZ	49170	80	192.168.1.15	185.86.150.244
Okt 19, 2017 23:01:28.091742039 MESZ	49170	80	192.168.1.15	185.86.150.244
Okt 19, 2017 23:01:28.091769934 MESZ	80	49170	185.86.150.244	192.168.1.15
Okt 19, 2017 23:03:40.415976048 MESZ	80	49170	185.86.150.244	192.168.1.15
Okt 19, 2017 23:03:40.416136026 MESZ	49170	80	192.168.1.15	185.86.150.244
Okt 19, 2017 23:03:40.418162107 MESZ	49170	80	192.168.1.15	185.86.150.244
Okt 19, 2017 23:03:40.418207884 MESZ	80	49170	185.86.150.244	192.168.1.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Okt 19, 2017 23:01:27.934609890 MESZ	49902	53	192.168.1.15	8.8.8.8
Okt 19, 2017 23:01:28.075634956 MESZ	53	49902	8.8.8.8	192.168.1.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Okt 19, 2017 23:01:27.934609890 MESZ	192.168.1.15	8.8.8.8	0xe859	Standard query (0)	blackpartshare.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Okt 19, 2017 23:01:28.075634956 MESZ	8.8.8.8	192.168.1.15	0xe859	No error (0)	blackpartshare.com		185.86.150.244	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

blackpartshare.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Okt 19, 2017 23:01:28.091742039 MESZ	49170	80	192.168.1.15	185.86.150.244	GET /crossdomain.xml HTTP/1.1 Accept: / Accept-Language: en-US x-flash-version: 16,0,0,305 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: blackpartshare.com Connection: Keep-Alive	3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2744 Parent PID: 4036

General

Start time:	23:00:20
Start date:	19/10/2017
Path:	C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE' /n 'C:\Users\user\Desktop\World War 3.docx
Imagebase:	0x77190000
File size:	1923232 bytes
MD5 hash:	FEC5FFC0B51C78D9376A74CD2855D479
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MSOSQM.EXE PID: 2004 Parent PID: 2744

General

Start time:	23:05:27
Start date:	19/10/2017
Path:	C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Imagebase:	0x752e0000
File size:	550576 bytes
MD5 hash:	04D5CDDFC37410CF388AD731E655E277
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Signature Overview

Exploits:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File "word/activeX/activeX1.bin"

Indicators

Streams

Stream Path: Contents, File Type: data, Stream Size: 4201

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 2744 Parent PID: 4036

General

Chronological Activities

Analysis Process: MSOSQM.EXE PID: 2004 Parent PID: 2744

General

Chronological Activities

Disassembly

Code Analysis