Edit tour

Windows Analysis Report
novo-documento.docx

Overview

General Information

Sample name:	novo-documento.docx
Analysis ID:	1544428
MD5:	2eaf72274decb5fd60cd4bf4f8308d68
SHA1:	4d3ddbc2f9496e22cdc2758968a1fcf224442664
SHA256:	ca0e53f66b3a20d95182922abd28764b089b7aa1ef1bf29e78513540370d4a87
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Contains an external reference to another file

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with an array starting with MZ (possibly a PE file)

Document contains an embedded VBA with many large arrays containing integers whith all have value ranges 0 to 255 (possibly executable binary code)

Machine Learning detection for dropped file

Microsoft Office drops suspicious files

Office process drops PE file

Office viewer loads remote template

Sigma detected: File With Uncommon Extension Created By An Office Application

Contains long sleeps (>= 3 min)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

PE file contains sections with non-standard names

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3384 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3384, TargetFilename: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3384, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\auxiliary2.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\template[1].htm	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E285351.htm	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: auxiliary2.dll.0.dr

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2768B60E-3C68-4B69-99B7-8B8DF4C8D143}.tmp

Jump to behavior

Source: ~WRD0000.tmp.0.dr, 97618287.png.0.dr, image3.png	String found in binary or memory: http://ns.attribution.com/ads/1.0/
Source: grupocgd.azureedge.net.url.0.dr	String found in binary or memory: https://grupocgd.azureedge.net/
Source: template.dotm.url.0.dr	String found in binary or memory: https://grupocgd.azureedge.net/template.dotm

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: template[1].htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)
Source: template[1].htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function GetCurrentProcess Lib "kernel32" () As LongPtr
Source: template[1].htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function IsWow64Process Lib "kernel32" (ByVal hProcess As LongPtr, ByRef Wow64Process As Boolean) As Boolean
Source: 4E285351.htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)
Source: 4E285351.htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function GetCurrentProcess Lib "kernel32" () As LongPtr
Source: 4E285351.htm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function IsWow64Process Lib "kernel32" (ByVal hProcess As LongPtr, ByRef Wow64Process As Boolean) As Boolean

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\template.dotm.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url			Jump to behavior

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to dropped file

Source: template[1].htm.0.dr	OLE, VBA macro line: Sub AutoOpen()
Source: 4E285351.htm.0.dr	OLE, VBA macro line: Sub AutoOpen()

Source: template[1].htm.0.dr	OLE indicator, VBA macros: true
Source: 4E285351.htm.0.dr	OLE indicator, VBA macros: true

Source: ~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal100.expl.evad.winDOCX@1/22@0/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$vo-documento.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR87C5.tmp

Jump to behavior

Source: novo-documento.docx	OLE indicator, Word Document stream: true
Source: template[1].htm.0.dr	OLE indicator, Word Document stream: true
Source: 4E285351.htm.0.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: ~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: template[1].htm.0.dr	OLE document summary: title field not present or empty
Source: template[1].htm.0.dr	OLE document summary: edited time not present or 0
Source: 4E285351.htm.0.dr	OLE document summary: title field not present or empty
Source: 4E285351.htm.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: novo-documento.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\novo-documento.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: novo-documento.docx

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: novo-documento.docx

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Document contains an embedded VBA with an array starting with MZ (possibly a PE file)

Source: template[1].htm.0.dr

Stream path 'VBA/writer' : 'Array (77, 90' found on VBA code line 42

Document contains an embedded VBA with many large arrays containing integers whith all have value ranges 0 to 255 (possibly executable binary code)

Source: template[1].htm.0.dr

Stream path 'VBA/writer' : Found at least 10 arrays each containing at least 10 integers

Source: auxiliary2.dll.0.dr

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\grupocgd.azureedge.net@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\grupocgd.azureedge.net@SSL\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://grupocgd.azureedge.net/template.dotm

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Thread delayed: delay time: 9000000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Thread delayed: delay time: 9000000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	32 Scripting	Valid Accounts	2 Exploitation for Client Execution	32 Scripting	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\auxiliary2.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\template[1].htm	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E285351.htm	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ns.attribution.com/ads/1.0/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.attribution.com/ads/1.0/	~WRD0000.tmp.0.dr, 97618287.png.0.dr, image3.png	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544428
Start date and time:	2024-10-29 12:16:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	novo-documento.docx
Detection:	MAL
Classification:	mal100.expl.evad.winDOCX@1/22@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 152.199.19.161
Excluded domains from analysis (whitelisted): grupocgd.azureedge.net, grupocgd.ec.azureedge.net, cs9.wpc.v0cdn.net
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: novo-documento.docx

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025514899177092334
Encrypted:	false
SSDEEP:	6:I3DPcQPMxEHvxggLRWd6xOltRXv//4tfnRujlw//+GtluJ/eRuj:I3DPTJGvYg3J/
MD5:	F728D00404A0D8BE78496618E44A7522
SHA1:	F9F63E384CB4DDB41F327B42DF05B5B33E3FF411
SHA-256:	83979BA5A402F26874A35CE49B2396531A357FBC523D28883D393634F61A2059
SHA-512:	74B869DD13FE9D124CBA5794C4DBF455ABC15851A670C9896D1A7A38FEA834323521CDCBB143FA2D22DD4A62D3821CD74070ED9DA5082C1AFD954496631D0D73
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z..j...xL..@>..D.S,...X.F...Fa.q............................oK.l.(AB.....$.........!x....SD.1..._q......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\template[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	542800
Entropy (8bit):	7.979295104298887
Encrypted:	false
SSDEEP:	12288:tRGoK7J+myfQFE8dHqf1LQCKwwGHOLkVh4huHqUzUoyHWKBW:tYFyB0GdMkKuYZBW
MD5:	067C72A387C924EF17985203AA0ED5A7
SHA1:	62DF4923CE64672D6BB76990786E1BA3ECC54073
SHA-256:	CBED5B8039CD46B9E7F6C84437872143A96246F80C46D0393EF0211829C0D56E
SHA-512:	E52787251D1CCA3B61F790C4200728D6AE51A3A710D23EE4D2146F929395ACE6A2483EF9FECE9B503EB542037A9508E7DBB03216339A667716D67CAC20612935
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C27811E.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1240x169, components 3
Category:	dropped
Size (bytes):	5457
Entropy (8bit):	5.857023200063407
Encrypted:	false
SSDEEP:	48:D9YMOFuERASSHtddddddddddddddddddddddddddddddddddddddddddddddddd5:RhOMEmkR1Q8PlW6o0W9h
MD5:	3CB48B84910A3B80DA5754CF0CF8D0FA
SHA1:	383A004D36B69F439F930EAAC8443B39AEBF0CEC
SHA-256:	AD320B4D7900F39C1035EE916DB5DAD88FB8FEE02DB986A6106978CE25E89E00
SHA-512:	45B174F274966B4760145AD0D84B7A38E48D1DFEBCC74BFBB375FDCF09881B8AA2FD393985D8FEE7B7D6155387731B65E3115E44F0DD27DDA873D6FEB5EA22F7
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49246ADC.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 438 x 248, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	20826
Entropy (8bit):	7.945179408026097
Encrypted:	false
SSDEEP:	384:wjmRcBP7ifyTqjUJN2UBCMDjdMo/8Mcqsw06tgi/wX:zR2P7C/UeUAOMfM06tgSy
MD5:	EC55032CED0916164385EDF88908C317
SHA1:	CFCB4C0BA3B8D49DF7C6B6DE3C5D428BB7C9CEB6
SHA-256:	F356DE16EAE68AA71140453464DEA36CE73422F95C20128E7D120EB2BB3F309A
SHA-512:	9D5EF6BE49E077EB9FB06A11C664B97828F256C50E2F5F780FD0AA9F8137C004228242D31AF144FB07E436DA67DF41385C89A6A641A8B381648BEB837610A3F7
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............,......sRGB.........gAMA......a.....pHYs..........(J...P.IDATx^....U.....~[z.....I......D:....C>......."v....R.H.Q. ...B.IH...$.l......w.f..$..y..3;s.3gf.3.i..r..... ....B........C.....)..(.).G........@.hH.9.......L.h.U....>._../.GQ.d.D.5.u....\|.....e.L..%..2(........W...%HQ.E.^0. K.....~P.<..F..]z....{.gH..Y..Q...s.......,D.\..@..uEQ.e...'....Am.....P.}...Zo.f.{..Y........X.N..G+..:1...h#............(.v.g..(f.[..P......N..f.+x.S....aT..4.\%.$.bb..(..]..dU4...`..`..U"t...b.`%z-l.....^..+pF..Q...hl.c....'.(....3.r.g..&.....L...1..6W.L-.....0...fYl.W7...[Eid.8O...k..d....(..lWP.L...1.<=aS.....!.q.../..J.6C..dr..0"..$D.r....p0.;.......%!y..I.$..L.x...(..H..E......B8.+.A.F8.....L...Ea.B.........ma.~.N..Z..5.8.Y.....-.....a....Q$."n..$.BT.....O...$T.)..(.'VH. ;g4!...v.$s..E...q.h.,.m..9.....&faH.3j...,..@.....Xm.@.....5-....-F6.E@.0....1.8..(.....l..x..I..D.2..1~.N.4...B..."n..._...M..JlFU$.r.V.0-...$6.[./.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E285351.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	542800
Entropy (8bit):	7.979295104298887
Encrypted:	false
SSDEEP:	12288:tRGoK7J+myfQFE8dHqf1LQCKwwGHOLkVh4huHqUzUoyHWKBW:tYFyB0GdMkKuYZBW
MD5:	067C72A387C924EF17985203AA0ED5A7
SHA1:	62DF4923CE64672D6BB76990786E1BA3ECC54073
SHA-256:	CBED5B8039CD46B9E7F6C84437872143A96246F80C46D0393EF0211829C0D56E
SHA-512:	E52787251D1CCA3B61F790C4200728D6AE51A3A710D23EE4D2146F929395ACE6A2483EF9FECE9B503EB542037A9508E7DBB03216339A667716D67CAC20612935
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97618287.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 628 x 434, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	42624
Entropy (8bit):	7.954955580887962
Encrypted:	false
SSDEEP:	768:Pmko0I7bjH4L3HSIRU/8UsOMT0Gg3xlzojZBmgiWyyAIZfLLOO/1bxKbq4BPu:Pmk2XE3S0LUsORGwxytN77OaS8
MD5:	A2BEDCD204E51468D965572A75E09573
SHA1:	5EE8F7CF28FE6DABD8F91AD99481BBCF87B031C5
SHA-256:	4945F0BFBCD796BE43277ADE81B5CFFDAF1A588F28F6F709D4D878A71760EA8C
SHA-512:	79DA1A27468A88230EEA9600B6C1553BFB06B3BFC4FECD8645956EA0517D30388F7F37ED2B12DEE5CD7C8BACEADE78E33D4B88D9B53D5A8056DC529F2F21101A
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...t.........m0Y.....pHYs..........+......iTXtXML:com.adobe.xmp.....<x:xmpmeta xmlns:x='adobe:ns:meta/'>. <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>Untitled design - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2024-10-17</Attrib:Created>. <Attrib:ExtId>7c9b3bf3-302c-4d2d-ac9e-efbef03ebff5</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:pd

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	2694144
Entropy (8bit):	4.597026854657753
Encrypted:	false
SSDEEP:	49152:wV8+FD+2GZEFESJHBTO8nqW1SXkSAR5zEl0ZW2wsS4NXJ/CD8+FD+2GZEFESJHBo:uj
MD5:	08F75539CE242780374BB0EAE0D6ED4C
SHA1:	5C68543CFCC7806B99EB3F6865475D8DADD1B1B5
SHA-256:	661B295B76D849BF6701F6B264842E6DED66CCD4DB869F1572EB0D5638B4A9F5
SHA-512:	7E4EC7A0CFEF416871892EA074DAD544E2572F76E8CCD3A6E647C61F9281BC12B4FEAA1628E0139221B90AFEAD920E7E2C8B8502C29B609BB7CBDE22E54A77D4
Malicious:	false
Preview:	......................>...................*...................................................................................................................V...W...X...Y...Z...[...\...]...^...............................................~.......................................................................................................................................................................................................................................................................................G...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1F26175E-6A58-42D7-9B98-0EAC265E6B58}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2768B60E-3C68-4B69-99B7-8B8DF4C8D143}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55A26723-8A98-4937-9926-8329040EC37D}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2742
Entropy (8bit):	3.3979845610936255
Encrypted:	false
SSDEEP:	24:elsCobOKrq3mgegG8xkUm46hk12e1iqoDKbuP93UPm/m/J/HZ9sfqJvjsZL:lCob9QNck151Datd/SRZcqBIZL
MD5:	7D4CD9F3D8FCD0BB5453A4CC27534917
SHA1:	A2BEACFBE0855DE65296853B7BE3C6D9B3C61279
SHA-256:	AD6E17B9385296A4C1781DEB6FBABD845AB6AAAD4F4C3C3CE971C00888D8FA25
SHA-512:	BA7911F8B5972115879B44C534275F51F7FB794DC299816DD89957F2B84F09AFCD5976C53552FFB9E5A3FF089EA17FFBB380D0E9F0AB11A2E74FEADFAB2AFD32
Malicious:	false
Preview:	../...I.D.:. .3.7.5.0.9.6.,.....D.a.t.a. .d.e. .e.m.i.s.s...o.:. .1.7.-.1.0.-.2.0.2.4. .0.9.:.2.8.,.....P...g.i.n.a. .1./.1.....C.o.m.p.r.o.v.a.t.i.v.o. .d.e. .O.p.e.r.a.....o. .C.a.i.x.a.d.i.r.e.c.t.a. .E.m.p.r.e.s.a.s......././.......C.a.i.x.a.d.i.r.e.c.t.a. .E.m.p.r.e.s.a.s.....P.a.r.a. .t.o.d.o.s. .e. .p.a.r.a. .c.a.d.a. .u.m...........................................C.a.i.x.a. .G.e.r.a.l. .d.e. .D.e.p...s.i.t.o.s.,. .S...A... .-. .S.e.d.e. .S.o.c.i.a.l.:. .A.v... .J.o...o. .X.X.I.,. .n... .6.3.,. ..................... ...f...h...~.......................................P...R...T...V...X...Z...\....................................................................................................................................................................................................................................................................................................................dV...gd{]...........$..d....a$.gd{].......d....gd{].......d....gd{]...........d....^...

C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122368
Entropy (8bit):	5.986819838023495
Encrypted:	false
SSDEEP:	3072:6ty0ble3LJK4kDVAddykeWWiv5sBZRowzO:6AUe3LJ+idykjvw
MD5:	3711C579A77B2D93225FB6081C96D0D6
SHA1:	ACA111A8DC82D6FA2AE5437B3F5AC108B7EBF179
SHA-256:	677B7D4B7726119597BFCF0C02BC1415364084FCFE83E00835660B6842E9E789
SHA-512:	85DF62A26A30B9D596DAD7D2AAA0821EF0EAFE0384EB9FCF11A69573EEEB9652ED44B717EA1A5C86F99593169ED89ACE517E77AB55FA7F69FC1BA1D5B8B77E1C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J..J..J.uN..J.uI..J.uO.$.J..kN..J..kI..J.uL..J.uK..J..K...J..kO..J.tkO..J.tkJ..J.tkH..J.Rich..J.........................PE..d...?v.g.........." ................@8.......................................0............`.............................................H.................................... ..X...0...............................P...8............ ..P............................text............................... ..`.rdata..F.... ......................@..@.data....%..........................@....pdata..............................@..@_RDATA..............................@..@.reloc..X.... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{2236EBE3-15B5-472A-85AA-1183639E6CA9}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025514899177092334
Encrypted:	false
SSDEEP:	6:I3DPcQPMxEHvxggLRWd6xOltRXv//4tfnRujlw//+GtluJ/eRuj:I3DPTJGvYg3J/
MD5:	F728D00404A0D8BE78496618E44A7522
SHA1:	F9F63E384CB4DDB41F327B42DF05B5B33E3FF411
SHA-256:	83979BA5A402F26874A35CE49B2396531A357FBC523D28883D393634F61A2059
SHA-512:	74B869DD13FE9D124CBA5794C4DBF455ABC15851A670C9896D1A7A38FEA834323521CDCBB143FA2D22DD4A62D3821CD74070ED9DA5082C1AFD954496631D0D73
Malicious:	false
Preview:	......M.eFy...z..j...xL..@>..D.S,...X.F...Fa.q............................oK.l.(AB.....$.........!x....SD.1..._q......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{27370335-C896-457B-ADCD-6EA80C245660}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025451578281627783
Encrypted:	false
SSDEEP:	6:I3DPcPkz5ebvxggLR7laTIUlZ/RXv//4tfnRujlw//+GtluJ/eRuj:I3DP1ebX0T9HvYg3J/
MD5:	72793220C62337D045AF12BD970467F4
SHA1:	6146A2E430F090AA0278CF4B44B1E0FFD48315B7
SHA-256:	4FB8025110B04D338B9E8E199DDB23455C4E45A372D8BBCF6EC8441FEC560C34
SHA-512:	A26CB8B6DC63621C98932626F5FDF155B54305D77FDDD86D8C09D76CD58CFE809A799D2FC6988D06F6112282DA5F12A165F93CD672633F8A0811C3AF28286533
Malicious:	false
Preview:	......M.eFy...zH..V.W.N..'.M.zS,...X.F...Fa.q.............................Jx..._@....Im.........</!.M.F.J.. .r......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://grupocgd.azureedge.net/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.461296865614146
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2feQDCBLEfCcDn:HRYFVm4eDLETn
MD5:	933B642DC4B8E879F5A4A95CA95CA409
SHA1:	3582C2BCA6FF133F43E120A808576DFEDAB9F4A0
SHA-256:	3792136FB93A7AE076D4886C52849FE27FBDE8208D50FACBE6845A65177CA4AE
SHA-512:	33660E5EAD0615DA470700C1D3E3989FE69DE2D793403F5991F0F086B343AEADDE384954E67218CF52EB9DA989E93C9ABC892212CE9C2368CB3C0B1B7ED1EDFE
Malicious:	true
Preview:	[InternetShortcut]..URL=https://grupocgd.azureedge.net/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.5928264946954185
Encrypted:	false
SSDEEP:	3:Hanb1iJ4fYR8rulm4cdBLEfCceSfYR8rulv:HzSfYSru+DLEuSfYSru1
MD5:	9ADA672F69968D4C3F1C16687C9F921F
SHA1:	9AE80F09ED9E738B3E22EEB677A0602AF90234E4
SHA-256:	6FA0921DD751829A40789AEFCA8EAAA03EA2702A0BCBBEAD17DFC8074C77F95F
SHA-512:	D7DBE7FF1483EE4D23027898A6173DEA36CCBFD01C6AA4AA51825FA2D4E7C97BFAD637BA07FBA8E734540A9CEEB7E79141FA00D2A8CADA8B4E89942D57377336
Malicious:	false
Preview:	[misc]..template.dotm.url=0..novo-documento.LNK=0..[folders]..grupocgd.azureedge.net.url=0..novo-documento.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\novo-documento.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Tue Oct 29 10:17:51 2024, length=77154, window=hide
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	4.545570049263893
Encrypted:	false
SSDEEP:	12:8H6pRgXg/XAlCPCHaXOBj1B/qPX+WbiWIvlcnCicvbis4rmLNDtZ3YilMMEpxRlH:8Hon/XTeX4gbyJemspDv3qY57u
MD5:	04A4E3D38876CE800908909617E79CC5
SHA1:	B8C64AFE935088A0357D02131F0D504BE546F7BE
SHA-256:	8130E68638EC9E3260A6598A5D6C18311DF5C70B3FDFE79502BFF35E4159EEE2
SHA-512:	7B99BA41984F8A9856F6D411AD1F920F7852093B9035E07B02E06132602414A88AFC2314D4D5D61CC792D05D519A797FE9DACD743ED3BE24D6365725F1333DFE
Malicious:	false
Preview:	L..................F.... ...._..r...._..r....7#1.)..b-...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....]Y8Z..user.8......QK.X]Y8Z...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.b-..]Y:Z .NOVO-D~1.DOC..T.......WE..WE..........................n.o.v.o.-.d.o.c.u.m.e.n.t.o...d.o.c.x.......}...............-...8...[............?J......C:\Users\..#...................\\562258\Users.user\Desktop\novo-documento.docx.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.n.o.v.o.-.d.o.c.u.m.e.n.t.o...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......562258..........D_....3N...W...9..W.e8...8...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\template.dotm.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://grupocgd.azureedge.net/template.dotm>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.48273471742809
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2feQDCBLEfCcbdm1mn:HRYFVm4eDLELFn
MD5:	1D1999DAEC2F718CE0FD0ABB582FE96A
SHA1:	594A68F9E80CDF9844638F33377C87B6DAF3BFE6
SHA-256:	D0D1678602191D64758C1EDBE78D2F349294B830585E44750DC27B44066228C2
SHA-512:	62CBF7C1EAF128490F9BDC36E8E6EC94D99E7F792D4399D2ED86D27CA582390AA98030856937EE0D457F85F5B301D577DEBE95D4954680FC9583064BBE6B6EF8
Malicious:	true
Preview:	[InternetShortcut]..URL=https://grupocgd.azureedge.net/template.dotm..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\novo-documento.docx (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	85217
Entropy (8bit):	7.882494241376112
Encrypted:	false
SSDEEP:	1536:JW5g2UwRaG5DNujmk2XE3S0LUsORGwxytN77OaSarz7bAPh:JkuwRa6hujGCRL+Rw9TrAPh
MD5:	A4F3AC2BBECFFAAA19E01AA8F12544A3
SHA1:	9EED86983DDE97349D4B80F23C7225D17038D0E5
SHA-256:	D5DAFC1E18A54220C23726AA8383A834AFEF8763858AAD3FFD532A4D84C2D217
SHA-512:	1BBE3B547FE2D97AF988FEB6C21A0F40C2664FB6803DD071F53940F16292F9686A1A1AEAC5BFBAC9A740900B69F65E393882DD0E20F05F97198AC29E9B3FAF5C
Malicious:	false
Preview:	PK..........!................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T;O.0.....W..0 ..2...."f.\ZC.....sN.TiS(,....:.7.....GeM.N..K.H[(3......`..a.QY.9[......p.p.....l..........:0T).."..p'..?....&..i..l4..R\|T!...r...K..}QgJG\|\.7.....P.p.RR.....b#K.....S....nq.+.s..,q.t.^..<.........V~h.T....-K%..G6..D:Y]emE.eV.........E........IW......:k$..j..5i....=.k:..{-\|....X#.5R............R...4U....}.4.$.e<z...E.........#...4....q..Pth.zf.........PK..........!.........N...

C:\Users\user\Desktop\~$vo-documento.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	85217
Entropy (8bit):	7.882494241376112
Encrypted:	false
SSDEEP:	1536:JW5g2UwRaG5DNujmk2XE3S0LUsORGwxytN77OaSarz7bAPh:JkuwRa6hujGCRL+Rw9TrAPh
MD5:	A4F3AC2BBECFFAAA19E01AA8F12544A3
SHA1:	9EED86983DDE97349D4B80F23C7225D17038D0E5
SHA-256:	D5DAFC1E18A54220C23726AA8383A834AFEF8763858AAD3FFD532A4D84C2D217
SHA-512:	1BBE3B547FE2D97AF988FEB6C21A0F40C2664FB6803DD071F53940F16292F9686A1A1AEAC5BFBAC9A740900B69F65E393882DD0E20F05F97198AC29E9B3FAF5C
Malicious:	false
Preview:	PK..........!................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T;O.0.....W..0 ..2...."f.\ZC.....sN.TiS(,....:.7.....GeM.N..K.H[(3......`..a.QY.9[......p.p.....l..........:0T).."..p'..?....&..i..l4..R\|T!...r...K..}QgJG\|\.7.....P.p.RR.....b#K.....S....nq.+.s..,q.t.^..<.........V~h.T....-K%..G6..D:Y]emE.eV.........E........IW......:k$..j..5i....=.k:..{-\|....X#.5R............R...4U....}.4.$.e<z...E.........#...4....q..Pth.zf.........PK..........!.........N...

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.976898556436593
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	novo-documento.docx
File size:	77'154 bytes
MD5:	2eaf72274decb5fd60cd4bf4f8308d68
SHA1:	4d3ddbc2f9496e22cdc2758968a1fcf224442664
SHA256:	ca0e53f66b3a20d95182922abd28764b089b7aa1ef1bf29e78513540370d4a87
SHA512:	3a00b09209418398ebe755081320a80e551d13683844b0772754c12a7ad8ee34df317dc6a1f063918cb8d024ec7e46ab27154831550429fee16c300481e0826e
SSDEEP:	1536:vv29q9TB0RtVM6SeVZgJo4gYracHIqMiv+F82YMo9dR+NPScTEUlZm:FOt5SggG4j2mMbFIL9dR+NPSczZm
TLSH:	1873F1F9C8920A59E2C66570C1720243FCC65BBA6C80F35D6A5DA108CCDA6FEDF17A48
File Content Preview:	PK..........QY................docProps/PK..........!..c5.............docProps/app.xml.RMO.0.....!..q.J......8.@j..eO....l.Q~=.F.@..i.........`.w.Q;.....3..)m.U.....y...J.gq.o1.W...x..cH.cF.6..>%..X.=.".T.Ti].D.4t....x..f@.X]......B5...\|b.\|O.%UN...K.......

File Icon


Icon Hash:	65e6a3a3afb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "novo-documento.docx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Target ID:	0
Start time:	07:17:51
Start date:	29/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f900000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report novo-documento.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\template[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C27811E.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49246ADC.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E285351.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97618287.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FF49538A-2569-43E2-AA01-7D66D4751716}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1F26175E-6A58-42D7-9B98-0EAC265E6B58}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2768B60E-3C68-4B69-99B7-8B8DF4C8D143}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55A26723-8A98-4937-9926-8329040EC37D}.tmp

C:\Users\user\AppData\Local\Temp\auxiliary2.dll

C:\Users\user\AppData\Local\Temp\{2236EBE3-15B5-472A-85AA-1183639E6CA9}

C:\Users\user\AppData\Local\Temp\{27370335-C896-457B-ADCD-6EA80C245660}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\novo-documento.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\template.dotm.url

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\novo-documento.docx (copy)

C:\Users\user\Desktop\~$vo-documento.docx

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
novo-documento.docx