Windows Analysis Report
Qvidian.dotm

Overview

General Information

Sample name: Qvidian.dotm
Analysis ID: 1559593
MD5: eb18a04f65a7cf7414adc4fce493e379
SHA1: 1b03b9eaa2c3085e1746c866dfc431311722fba6
SHA256: d2b6ee877ffd3da6a51ff128b816299f8a8676a8fae0c2404c21812af89f8ecf
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

barindex
Source: http://Motobit.cz Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll Jump to behavior
Source: winword.exe Memory has grown: Private usage: 1MB later: 93MB
Source: vbaProject.bin String found in binary or memory: http://L-DSANT.qvidiancorp.com/Qvidian.MVC/WebDAV/8149b510-42dd-4cd2-b073-bfc1fd75ae53/
Source: vbaProject.bin String found in binary or memory: http://Motobit.cz
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: vbaProject.bin String found in binary or memory: http://localhost/Qvidian/Qvidian.asmx
Source: 42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB50.0.dr String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://ocsp.digicert.com0C
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: http://ocsp.digicert.com0N
Source: ~WRF{A0C325EA-67FF-4320-9038-BBCA024E24FC}.tmp.0.dr, vbaProject.bin String found in binary or memory: http://qvidian.com/community
Source: vbaProject.bin String found in binary or memory: http://qvidian.com/communityA
Source: ~WRF{A0C325EA-67FF-4320-9038-BBCA024E24FC}.tmp.0.dr, vbaProject.bin String found in binary or memory: http://qvidian.com/webse
Source: ~WRF{A0C325EA-67FF-4320-9038-BBCA024E24FC}.tmp.0.dr, vbaProject.bin String found in binary or memory: http://qvidian.com/webservic
Source: ~WRF{A0C325EA-67FF-4320-9038-BBCA024E24FC}.tmp.0.dr, vbaProject.bin String found in binary or memory: http://qvidian.com/webservices
Source: vbaProject.bin String found in binary or memory: http://qvidian.com/webservices/
Source: vbaProject.bin String found in binary or memory: http://www.frez.co.uk
Source: vbaProjectSignature.bin, vbaProjectSignatureAgile.bin String found in binary or memory: https://www.digicert.com/CPS0

System Summary

barindex
Source: Qvidian.dotm OLE, VBA macro line: Private Declare PtrSafe Function GlobalSize Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Source: Qvidian.dotm OLE, VBA macro line: Private Declare PtrSafe Function GetCurrentThreadId Lib "kernel32" () As LongPtr
Source: Qvidian.dotm OLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr)
Source: Qvidian.dotm OLE, VBA macro line: Private Declare Function GetCurrentThreadId Lib "kernel32" () As Long
Source: Qvidian.dotm OLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Source: sig96D.tmp.0.dr OLE, VBA macro line: Private Declare PtrSafe Function GlobalSize Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Source: sig96D.tmp.0.dr OLE, VBA macro line: Private Declare PtrSafe Function GetCurrentThreadId Lib "kernel32" () As LongPtr
Source: sig96D.tmp.0.dr OLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr)
Source: sig96D.tmp.0.dr OLE, VBA macro line: Private Declare Function GetCurrentThreadId Lib "kernel32" () As Long
Source: sig96D.tmp.0.dr OLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Source: Qvidian.dotm OLE, VBA macro line: Attribute VB_Name = "AutoExit"
Source: Qvidian.dotm OLE, VBA macro line: DebugMsgBox "", "AutoExit:Main"
Source: Qvidian.dotm OLE, VBA macro line: DebugMsgBox "Close the Multi Edit Job Window.", "AutoExit:"
Source: Qvidian.dotm OLE, VBA macro line: Attribute VB_Name = "AutoNew"
Source: Qvidian.dotm OLE, VBA macro line: DebugMsgBox "AutoNew:Main"
Source: Qvidian.dotm OLE, VBA macro line: Attribute VB_Name = "AutoOpen"
Source: Qvidian.dotm OLE, VBA macro line: DebugMsgBox "AutoOpen:Main"
Source: sig96D.tmp.0.dr OLE, VBA macro line: Attribute VB_Name = "AutoExit"
Source: sig96D.tmp.0.dr OLE, VBA macro line: DebugMsgBox "", "AutoExit:Main"
Source: sig96D.tmp.0.dr OLE, VBA macro line: DebugMsgBox "Close the Multi Edit Job Window.", "AutoExit:"
Source: sig96D.tmp.0.dr OLE, VBA macro line: Attribute VB_Name = "AutoNew"
Source: sig96D.tmp.0.dr OLE, VBA macro line: DebugMsgBox "AutoNew:Main"
Source: sig96D.tmp.0.dr OLE, VBA macro line: Attribute VB_Name = "AutoOpen"
Source: sig96D.tmp.0.dr OLE, VBA macro line: DebugMsgBox "AutoOpen:Main"
Source: Qvidian.dotm OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr OLE indicator, VBA macros: true
Source: MultiEditJobs.xml.0.dr OLE indicator, VBA macros: true
Source: sig96D.tmp.0.dr OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr OLE indicator, VBA macros: true
Source: gb.xsl.0.dr OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr OLE indicator, VBA macros: true
Source: APASixthEditionOfficeOnline.xsl.0.dr OLE indicator, VBA macros: true
Source: sist02.xsl.0.dr OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: Qvidian.dotm Stream path 'VBA/__SRP_0' : http://qvidian.com/webservices/CallSantSupportCallHels+xPlease paste your content here, then click 'Save to Qvidian'IsPS"DefaultTemplateIDTempID:+&IsNumeric(tempID):.0download template resultJhttp://localhost/Qvidian/Qvidian.asmxQvidianSoatCallContextHelxDownloadCompositeContentFileX641YPpW6lAaidjn0dPS0nhYcRLCKVwPDc4EK5wWZFNg=SaveCopyWSCancelCheckoutShowWaitForSaveDialogShowExtDialogSubmitFileBulkLoadFileSubmitPartialFileCallEmailAddQueryParamsExtDialogStartsubmitDialogResultemailDialogResultsbulkloadDialogResultdownloadTemplateResultLibraryAboutClickSaveBuiltDocFileOpsUnavailableSaveOrSaveAsWS((8(1&no template applied*SantRFPCompareContentInitCompareInitRFPCompareDoRFPCompareNewDoCompareOpenDHCloseDHSelectAnswerSelectToEnd$SantCompareContentSantUserAlertfIx8<ERROR:$ - [] [LeavinglabSaveAll9991:9Z
Source: sig96D.tmp.0.dr Stream path 'VBA/__SRP_0' : http://qvidian.com/webservices/CallSantSupportCallHels+xPlease paste your content here, then click 'Save to Qvidian'IsPS"DefaultTemplateIDTempID:+&IsNumeric(tempID):.0download template resultJhttp://localhost/Qvidian/Qvidian.asmxQvidianSoatCallContextHelxDownloadCompositeContentFileX641YPpW6lAaidjn0dPS0nhYcRLCKVwPDc4EK5wWZFNg=SaveCopyWSCancelCheckoutShowWaitForSaveDialogShowExtDialogSubmitFileBulkLoadFileSubmitPartialFileCallEmailAddQueryParamsExtDialogStartsubmitDialogResultemailDialogResultsbulkloadDialogResultdownloadTemplateResultLibraryAboutClickSaveBuiltDocFileOpsUnavailableSaveOrSaveAsWS((8(1&no template applied*SantRFPCompareContentInitCompareInitRFPCompareDoRFPCompareNewDoCompareOpenDHCloseDHSelectAnswerSelectToEnd$SantCompareContentSantUserAlertfIx8<ERROR:$ - [] [LeavinglabSaveAll9991:9Z
Source: chicago.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MultiEditJobs.xml.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gb.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: APASixthEditionOfficeOnline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sist02.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF4868C64A15B52F67.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFAB262C7FA5192B95.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: harvardanglia2008officeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{A0C325EA-67FF-4320-9038-BBCA024E24FC}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal56.expl.evad.winDOTM@2/244@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user~1\AppData\Local\Temp\{B730B96E-3260-49E3-8980-F871779407CE} - OProcSessId.dat Jump to behavior
Source: Qvidian.dotm OLE indicator, Word Document stream: true
Source: Equations.dotx.0.dr OLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr OLE indicator, Word Document stream: true
Source: Element design set.dotx.0.dr OLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.dr OLE indicator, Word Document stream: true
Source: sig96D.tmp.0.dr OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AC9F2F90-E877-11CE-9F68-00AA00574A4F}\InprocServer32 Jump to behavior
Source: Qvidian.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Qvidian.dotm
Source: Templates.LNK.0.dr LNK file: ..\..\Templates
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/document.xml
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Qvidian.dotm Initial sample: OLE zip file path = word/customizations.xml
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Qvidian.dotm Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/customizations.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: sig96D.tmp.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common Jump to behavior
Source: Qvidian.dotm Static file information: File size 1644627 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll Jump to behavior
Source: Equations.dotx.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Qvidian.dotm OLE indicator, VBA stomping: true
Source: sig96D.tmp.0.dr OLE indicator, VBA stomping: true
No contacted IP infos