Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 23.0.0 |
Analysis ID: | 71214 |
Start date: | 06.08.2018 |
Start time: | 20:44:02 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | LyTaZHwHpG (renamed file extension from none to rtf) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) |
Number of analysed new started processes: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.expl.winRTF@4/9@3/1 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 80 | 0 - 100 | Report FP / FN | MAL |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
Analysis Advice |
---|
Sample HTTP requests are all non-existing; likely the sample is no longer working |
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; likely more UI automation would extend behavior |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for submitted file |
Source: LyTaZHwHpG.rtf | Avira: EXP/CVE-2017-11882.A |
Multi AV Scanner detection for domain / URL |
Source: http://emifile.com/frak/obai/okbimnanna.exe | virustotal: | Perma Link |
Multi AV Scanner detection for submitted file |
Source: LyTaZHwHpG.rtf | virustotal: | Perma Link |
Source: LyTaZHwHpG.rtf | metadefender: | Perma Link |
Exploits: |
---|
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: | Jump to behavior |
Office Equation Editor has been started |
Source: unknown | Process created: |
Source: unknown | Process created: |
Software Vulnerabilities: |
---|
Potential downloader shellcode found |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_006913E6 |
Shellcode detected |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_006913E6 |
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Networking: |
---|
Domain name seen in connection with other malware |
Source: Joe Sandbox View | Domain Name: emifile.com |
Contains functionality to download and execute PE files |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_006913E6 |
Uses a known web browser user agent for HTTP communication |
Source: global traffic | HTTP traffic detected: |
Contains functionality to download additional files from the internet |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_006913E6 |
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: | Jump to behavior |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Posts data to webserver |
Source: unknown | HTTP traffic detected: |
Tries to download non-existing http data (HTTP/1.1 404 Not Found) |
Source: global traffic | HTTP traffic detected: |
URLs found in memory or binary data |
Source: WINWORD.EXE, 00000001.00000002.21436071981.012E0000.00000004.sdmp | String found in binary or memory: |
Source: WINWORD.EXE, 00000001.00000002.21435221695.00394000.00000004.sdmp | String found in binary or memory: |
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp | String found in binary or memory: |
Source: EQNEDT32.EXE, 00000002.00000002.21013342670.0066D000.00000004.sdmp | String found in binary or memory: |
Source: EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp | String found in binary or memory: |
System Summary: |
---|
Reads the hosts file |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: | Jump to behavior |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: | Jump to behavior |
Classification label |
Source: classification engine | Classification label: mal80.expl.winRTF@4/9@3/1 |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: | Jump to behavior |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: | Jump to behavior |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: | Jump to behavior |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: | Jump to behavior |
Sample is known by Antivirus |
Source: LyTaZHwHpG.rtf | virustotal: |
Source: LyTaZHwHpG.rtf | metadefender: |
Spawns processes |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: | Jump to behavior |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: | Jump to behavior |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: | Jump to behavior |
Data Obfuscation: |
---|
Uses code obfuscation techniques (call, push, ret) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_00672B72 |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_00672B32 |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_00672A12 |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_00672AF2 |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_00672BD2 |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: | Jump to behavior |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | System information queried: | Jump to behavior |
Contains functionality to read the PEB |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_006914DC |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: |
Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: |
Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Key value queried: | Jump to behavior |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
20:44:45 | API Interceptor | 1145x Sleep call for process: WINWORD.EXE modified |
20:44:46 | API Interceptor | 49x Sleep call for process: EQNEDT32.EXE modified |
Antivirus Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
LyTaZHwHpG.rtf | 68% | virustotal | | Browse |
LyTaZHwHpG.rtf | 38% | metadefender | | Browse |
LyTaZHwHpG.rtf | 100% | Avira | EXP/CVE-2017-11882.A | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
emifile.com | 4% | virustotal | | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
http://emifile.com/frak/obai/okbimnanna.exe | 15% | virustotal | | Browse |
http://emifile.com/frak/obai/okbimnanna.exe | 0% | Avira URL Cloud | safe | |
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
emifile.com | | 00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02 | malicious | Browse | |
| | 2012a9863ae231283c17e698d3129d5a235d79943d1c15ea9b19b5f67eccbd0d | malicious | Browse | |
| | 47c4ed8fc69f5da1951d8753671f5d0f4535ab2d10ecf63c828b903a1e820622 | malicious | Browse | |
| | 00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02 | malicious | Browse | |
| | | malicious | Browse | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
FORTHNET-GRForthnetGR | | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | Browse | |
| | | malicious | Browse | |
| | | malicious | Browse | |
| | e96b3252a14ba3d296c1a1a840e775f1001b6a9ff65480158af683d8362913e6 | malicious | Browse | |
| | e235d52a27a59344ccf36bb7094f5b65c0675c9f15eb52bab501d5b7ece113a5 | malicious | Browse | |
Dropped Files |
---|
No context |
---|
Screenshots |
---|
Startup |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 1024 |
Entropy (8bit): | 0.8014421130618178 |
Encrypted: | false |
MD5: | C291CB986CC2308C7A00A35B985C152C |
SHA1: | 27D1FBE505A494D112821997556C8A37C9596BD0 |
SHA-256: | C5211158507806194B3E1463C95CA1B04547ED27595C25CDED74B9C98B5BC33B |
SHA-512: | 236E2C02E37E83B11D4D024DA8CA66605978410A35C8ACB145FB085528A6405FA5F154437A8B627180619662D225C322CD9331281A7006DD66BDD25815E3DC20 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 2090 |
Entropy (8bit): | 4.5958112244124525 |
Encrypted: | false |
MD5: | BC2A2AD3FB6227B2F9815271A08EACAD |
SHA1: | 4F011997169E7D13747F411607AD3073082F3DEF |
SHA-256: | 05569E32E22B2ED552686ADDCE60BC956EE28E16D2D346BCA86BD8D55592E2B9 |
SHA-512: | 2330B9ECAC5D976FABB053B5F1F6C8AD5109366CBE96EA889597D4FA0329CFC2019025429786F87D7343855EEE4AFCDB4546E5EC069623F2D921E7F81BAB5B7A |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 108 |
Entropy (8bit): | 3.8714173073911313 |
Encrypted: | false |
MD5: | 8CDE36CF5638571FA37D087C6126149C |
SHA1: | 04B2645DA56BC6D9CE852534EBF0DB34D5CB1C4D |
SHA-256: | DE81BB66D1D4AF22617A355A5C555C901BC7274F2198E86EE79B924D8F9C727A |
SHA-512: | 5BA773BBBA8232A1EA55922FAD0CF468F834B7F0B3E655DE09CB3F63F5277C1B8F03C830662144D4F450F5A69E1B775424BBEF3958AB6EC77B655DA5ABEA2238 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 162 |
Entropy (8bit): | 1.982280142788856 |
Encrypted: | false |
MD5: | FF291ADF1F74826EE3AA31EA36ADEC1C |
SHA1: | 9E647BCB57789C91D08C9B02D73ECD048239B5C5 |
SHA-256: | 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36 |
SHA-512: | A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Size (bytes): | 148 |
Entropy (8bit): | 4.515410037922913 |
Encrypted: | false |
MD5: | FDCD8762752BE7B51EC497E20AD60E2A |
SHA1: | 147C334CAFF625261DE4DE7306BB19A58B2C83D4 |
SHA-256: | 751BC9E91796BBFD9878AFB8BA545AE8AF7D23223F139CB39BE273E6DE35B2F2 |
SHA-512: | 0E1E1B88F443166B525DCC3DED736E4BCD26BB69C612624AF6FE5F205587897E9758F575640F6D6445F8CEF92614AE5088C7674B2AB4B8274B974247122F8604 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Size (bytes): | 75 |
Entropy (8bit): | 4.363651071172254 |
Encrypted: | false |
MD5: | 7C7C4DDC6268D5C823829D15AC9C3AB9 |
SHA1: | 0C636ABB363AB7EB399989C3E97B434606841618 |
SHA-256: | 5B6A705AB1DA8BBE95760B9DD45C31CA90413C30423B3A381FAEE20A0936605C |
SHA-512: | 9A88EB01369E982CB39AFC7684E2C1956CD0500C9AB04448027198F1D6B9EA7A360B03381FAA062777D1768C483F1760A38561F8F44FA65DE9D5A46A64A539BF |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 162 |
Entropy (8bit): | 1.982280142788856 |
Encrypted: | false |
MD5: | FF291ADF1F74826EE3AA31EA36ADEC1C |
SHA1: | 9E647BCB57789C91D08C9B02D73ECD048239B5C5 |
SHA-256: | 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36 |
SHA-512: | A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Size (bytes): | 116 |
Entropy (8bit): | 4.053374040827533 |
Encrypted: | false |
MD5: | EA489A9B2EB86200107B6C73309ED321 |
SHA1: | 9995E95B9728235C65307922CDA7C3EE81C5F2C8 |
SHA-256: | 1C29BDB043A17189A3566ED6147474D90B02ECB328469C1AC847D631B9C7D0A7 |
SHA-512: | B502FBDD1AF55223F26441A28FAE48579C9B17A7BB65775892806ED89ADC0900580A26C83D96756A8712C8489364C22F818C3D29792CC7EF7150DAF6F9548F3F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
emifile.com | 178.128.90.174 | true | false | 4%, virustotal, Browse | low |
Contacted URLs |
---|
Name | Process |
---|---|
Contacted IPs |
---|
Public |
---|
IP | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
178.128.90.174 | Greece | | 1241 | FORTHNET-GRForthnetGR | false |
Static File Info |
---|
General |
---|
File type: | |
Entropy (8bit): | 3.2192086982578436 |
TrID: | |
File name: | LyTaZHwHpG.rtf |
File size: | 9388 |
MD5: | 15a43d4c8ae9592ee06a410c58311e35 |
SHA1: | 8e1ab5ddc917da3689818af3ae61d646f6a6bcab |
SHA256: | da29f37ec139b87d9dcee92156af4882a1c7312e8ad54ca0912c360d4ea2f362 |
SHA512: | a8d73d5ea36a3269e1428a6b9ce26855fd8e2fc1fbfb4048499bcdd33ccde0818ccbcffedd82eba8a39585263f775ef8cca08b03dbbd3ca0eecffc4199277895 |
File Content Preview: | {\rtf{\object\objhtml\objupdate\objw3118\objh1589{\*\objdata 359c4439020000001600000049666c6359686b4375743948465639587a7a31457600000000000000000000120000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001000000010000 |
File Icon |
---|
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 6, 2018 20:44:40.464725018 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:41.461369038 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:42.465666056 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:43.803042889 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Aug 6, 2018 20:44:43.817900896 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.065350056 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.065531015 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.066184998 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.313595057 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.764895916 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.764967918 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765023947 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765105009 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.765124083 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765182018 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765284061 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765285969 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.765331984 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765377045 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765419006 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.765448093 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.765460014 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:44.766760111 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:44.891741991 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013067961 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013103962 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013111115 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013129950 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013205051 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013298035 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013313055 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013339996 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013453960 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013627052 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013655901 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013679981 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013704062 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013725996 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013734102 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013782024 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013807058 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013834000 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013851881 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013875008 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013876915 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.013900042 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.013971090 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.260566950 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260597944 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260632992 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.260684967 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260718107 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260740042 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.260740995 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260763884 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260787964 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260812044 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260890007 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.260890007 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260915041 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260937929 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260960102 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.260981083 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261001110 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261013031 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261038065 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261053085 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261073112 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261076927 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261095047 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261100054 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261125088 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261146069 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261168957 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261204004 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261225939 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261228085 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261250973 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261272907 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261295080 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261317015 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261327982 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261374950 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261400938 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261418104 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261450052 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261545897 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261549950 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261575937 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261600018 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261621952 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261643887 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261646032 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.261670113 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261693001 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.261737108 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.508428097 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508459091 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508486032 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508506060 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508574009 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.508650064 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508764982 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.508824110 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:45.508886099 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:45.806274891 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Aug 6, 2018 20:44:45.894550085 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
Aug 6, 2018 20:44:46.401756048 CEST | 80 | 49163 | 178.128.90.174 | 192.168.2.2 |
Aug 6, 2018 20:44:46.401817083 CEST | 49163 | 80 | 192.168.2.2 | 178.128.90.174 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 6, 2018 20:44:40.464725018 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:41.461369038 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:42.465666056 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Aug 6, 2018 20:44:43.803042889 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Aug 6, 2018 20:44:44.891741991 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Aug 6, 2018 20:44:45.806274891 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Aug 6, 2018 20:44:44.891819000 CEST | 192.168.2.2 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable |
Aug 6, 2018 20:44:45.806355000 CEST | 192.168.2.2 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 6, 2018 20:44:40.464725018 CEST | 192.168.2.2 | 8.8.8.8 | 0x614a | Standard query (0) | emifile.com | A (IP address) | IN (0x0001) |
Aug 6, 2018 20:44:41.461369038 CEST | 192.168.2.2 | 8.8.8.8 | 0x614a | Standard query (0) | emifile.com | A (IP address) | IN (0x0001) |
Aug 6, 2018 20:44:42.465666056 CEST | 192.168.2.2 | 8.8.8.8 | 0x614a | Standard query (0) | emifile.com | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 6, 2018 20:44:43.803042889 CEST | 8.8.8.8 | 192.168.2.2 | 0x614a | No error (0) | emifile.com | | 178.128.90.174 | A (IP address) | IN (0x0001) |
Aug 6, 2018 20:44:44.891741991 CEST | 8.8.8.8 | 192.168.2.2 | 0x614a | No error (0) | emifile.com | | 178.128.90.174 | A (IP address) | IN (0x0001) |
Aug 6, 2018 20:44:45.806274891 CEST | 8.8.8.8 | 192.168.2.2 | 0x614a | No error (0) | emifile.com | | 178.128.90.174 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.2 | 49163 | 178.128.90.174 | 80 | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 6, 2018 20:44:44.066184998 CEST | 0 | OUT | |
Aug 6, 2018 20:44:44.764895916 CEST | 2 | IN | |