Edit tour

Windows Analysis Report
Ordersheet_NanshaGA-012.docx

Overview

General Information

Sample name:	Ordersheet_NanshaGA-012.docx
Analysis ID:	1648072
MD5:	9f3a8dd4f3ddee726e7c31bf109d205d
SHA1:	1098eff95597b92dcac33c0d9b29d5e563038412
SHA256:	9cbba48cb33db3fab697e3a49d25916aa577317887bcfd2a63d839cbda376e08
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office process drops PE file

Sigma detected: File With Uncommon Extension Created By An Office Application

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

PE file does not import any functions

Yara signature match

Classification

Process Tree

System is w10x64native

WINWORD.EXE (PID: 4356 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: E7F3B8EA1B06F46176FC5C35307727D6)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Iraq.rtf	INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2	detects CVE-2017-8759 weaponized RTF documents.	ditekSHen	0x475cb3:$clsid3: 4d73786d6c322e534158584d4c5265616465722e 0x475cfd:$ole2: d0cf11e0a1b11ae1 0x39ea:$obj2: \objdata 0xe7d7e:$obj2: \objdata 0x26b654:$obj2: \objdata 0x46eb82:$obj3: \objupdate 0x3039:$obj4: \objemb 0xe73cd:$obj4: \objemb 0x26aca3:$obj4: \objemb

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 4356, TargetFilename: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ordersheet_NanshaGA-012.docx

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll

ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Source: Ordersheet_NanshaGA-012.docx	ReversingLabs: Detection: 30%
Source: Ordersheet_NanshaGA-012.docx	Virustotal: Detection: 44%			Perma Link

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source:

Binary string: C:\gitlab\builds\_czcpbt9\0\ProtonVPN\Windows\win-app\src\ProtonVPN.NativeHost\bin\ProtonVPN.pdb source: RtkAudUService64.exe.0.dr

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: RtkAudUService64.exe.0.dr

Jump to dropped file

Source: nethost.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nethost.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nethost.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: nethost.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nethost.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nethost.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: nethost.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nethost.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nethost.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0D
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: RtkAudUService64.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Malicious sample detected (through community Yara rule)

Source: Iraq.rtf, type: SAMPLE

Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen

Office process drops PE file

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll			Jump to dropped file

Source: nethost.dll.0.dr

Static PE information: No import functions for PE file found

Source: Iraq.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.

Source: classification engine

Classification label: mal100.expl.winDOCX@1/9@0/0

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$dersheet_NanshaGA-012.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{A4CDC678-8606-41CA-80A9-0EC64E6ACCED} - OProcSessId.dat

Jump to behavior

Source: ~WRD0000.tmp.0.dr

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Ordersheet_NanshaGA-012.docx	ReversingLabs: Detection: 30%
Source: Ordersheet_NanshaGA-012.docx	Virustotal: Detection: 44%

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ~WRD0000.tmp.0.dr

Initial sample: OLE zip file path = word/media/image1.wmf

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source:

Binary string: C:\gitlab\builds\_czcpbt9\0\ProtonVPN\Windows\win-app\src\ProtonVPN.NativeHost\bin\ProtonVPN.pdb source: RtkAudUService64.exe.0.dr

Source: ~WRD0000.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: RtkAudUService64.exe.0.dr

Static PE information: section name: _RDATA

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll			Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ordersheet_NanshaGA-012.docx	31%	ReversingLabs	Document-RTF.Trojan.Heuristic
Ordersheet_NanshaGA-012.docx	45%	Virustotal		Browse
Ordersheet_NanshaGA-012.docx	100%	Avira	TR/Crypt.ZPACK.Gen2

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll	100%	Avira	TR/Crypt.ZPACK.Gen2
C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll	33%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0D	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-0005.dual-s-msedge.net	52.123.128.14	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	RtkAudUService64.exe.0.dr	false		high
https://sectigo.com/CPS0	RtkAudUService64.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	RtkAudUService64.exe.0.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	RtkAudUService64.exe.0.dr	false		high
http://ocsp.sectigo.com0	RtkAudUService64.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	RtkAudUService64.exe.0.dr	false		high
http://ocsp.sectigo.com0D	RtkAudUService64.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1648072
Start date and time:	2025-03-25 14:26:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ordersheet_NanshaGA-012.docx
Detection:	MAL
Classification:	mal100.expl.winDOCX@1/9@0/0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, backgroundTaskHost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.111.229.48, 40.79.173.40, 52.123.128.14, 20.190.151.70
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, dual-s-0005-office.config.skype.com, onedscolprdaue00.australiaeast.cloudapp.azure.com, login.live.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, prod.nexusrules.live.com.akadns.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-0005.dual-s-msedge.net	Overdue Invoice 93589 (672Ko).msg	Get hash	malicious	Unknown	Browse	52.123.128.14
	suspectTelling clean needful (78.2 KB).msg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	52.123.129.14
	https://1drv.ms/o/c/8fc032da5fada757/EgEHU26Ga4FAl_1Su2lfpkUBqQItqpp0mP4_5cipPDmMcg?e=PyJVMi	Get hash	malicious	Unknown	Browse	52.123.129.14
	ProLab TT COPY for Proforma Invoice PLDS24344.docx	Get hash	malicious	Unknown	Browse	52.123.128.14
	quotation_1.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Untitled_20250325.docx.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	Sales Contract_1.docx	Get hash	malicious	Unknown	Browse	52.123.128.14
	ProLab TT COPY for Proforma Invoice PLDS24344.docx	Get hash	malicious	Unknown	Browse	52.123.129.14
	quotation_1.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Untitled_20250325.docx.doc	Get hash	malicious	Unknown	Browse	52.123.128.14

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	49669
Entropy (8bit):	7.936711134540322
Encrypted:	false
SSDEEP:	768:nR08LLlI7/q1NHEIEEVmXIsdKTmFEJ8cUDpLMhClw2D035aSDjyMoBTzFh:R0slI7/q3HfBmSJgFJUXDZ61h
MD5:	8E81C9EC222FA1D3298583183C1A348A
SHA1:	DD263BCC73A841573F19C8D9670FDC974E2E3141
SHA-256:	6A6060C3099D911660E510709A1501E5CD7A3DE0F05DA9458574E972A0F0B508
SHA-512:	491795ACC20C4102264D01FDADC290AB60CE76228779CB20CAFC345AF311E25A6C16D1FC99A7FA55508AF3F2331884122C4C20927F233B892C16F6B612C09E28
Malicious:	false
Reputation:	low
Preview:	INSC.>.....Mar222021151921.w.(qP.;..hA......e.......o..yt.;I.M......@................s\..h...x..T.n.@......{.dC6)..mP.H.%.Bn...$.+.?..P....f......\|.;.H..6()((((9w<..U$6......g...D731....Z....eH.....j`F..f4.Z`F.`.....0.c..o.p............].....P;#.6;..<.......w...8.......~oj.9ccp].s....l..>.....%.lZpO...{.R...I..=v...w.Q..~.K/<.....7..j.PSj.t.CM...L\|.....=..S..50.=fh.^..F..MW.....k~..D...h.sM..._...3.PN...sz.\|.%.C.Wk!.\.e..........Q...W..W..^k....Q{Y.K.E.qgU.Iw-B~.......H..0..e.....G_N..;R...UN.....xJcu...h]........S.[.....n.R....w.........Wq..~F...N.\...............9^..i.4..8..1.:...gu>$..?t1L.....[.;.....#U.?..WQ..p. .).f'.G....!};j].J,,.....Mqz...................................xx...K.Q....8....Y......Q..........J.F%../n%Vf....../X(......."z....R(B.....;36...O..g.....s.0...L.4].w[....?y..:H..=...\|....'@...kA..)......P..sK.\|...z..<sqYj..L..=H.....?.. ..v.!Z.z.z......`....5..v..X.....w......o...l...q...,Mw.........N.z..4'lV..].W.

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	464584
Entropy (8bit):	5.493608350666298
Encrypted:	false
SSDEEP:	6144:64N3H2VRov7tfRSP0l/h5I9tfMfgKykq1jR0Q31Rv5Q1nI2VoXQ+18gUgIzBo2mx:62H2VRoFsP0l/hDgKwn0jI2Ty
MD5:	720F2634FE2E508EFE789B333E0043E8
SHA1:	51E0CD51506BC4B09958CF72AAE540675B7E16B1
SHA-256:	38502A7852B56C500CABA4CD92E15A67B745BB778FD452214BBC5599FF738C99
SHA-512:	634DBE5D16F85E745CF8F1E4D30269F0BBCFA7816E14E1DF7D3B680A3527F1C1D44F720AAB662BC0F59769A7A36F7BFE94AC45C21149427BD3D75242E5780448
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$?`.EQ3.EQ3.EQ3.7R2.EQ3.7T2@EQ3.7U2.EQ3.EQ3.EQ3..U2.EQ3..R2.EQ3..T2.EQ3.7P2.EQ3w9P2.EQ3.EP3.EQ3..X2.EQ3..3.EQ3.E.3.EQ3..S2.EQ3Rich.EQ3........PE..d......f.........."....&.4..........06.........@.............................@.......@....`.....................................................P....`..8....0..X........,...0..d.......p...............................@............P...............................text....3.......4.................. ..`.rdata......P.......8..............@..@.data...............................@....pdata..X....0......................@..@_RDATA.......P......................@..@.rsrc...8....`......................@..@.reloc..d....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	MS-DOS executable PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
Category:	dropped
Size (bytes):	757224
Entropy (8bit):	6.770523454707489
Encrypted:	false
SSDEEP:	12288:0VZDiD6dy7uaVH4K3IfEv73d0iyBqj6ZiqPck6wLeA5Q+0MF3T0Ru3QYqz2FYdWp:0V1iD6dwuEH4EuEv77y7ZimckjLm3u3L
MD5:	2B8D22EF1175F0FB35EDDC77554DFDB1
SHA1:	B0001431A2A17EA9CE8342C8E1404D877E20E245
SHA-256:	16B021CB7D2F05E535E264EB6289CB030DAF789D8EFF0AEF9D032656C14E67AC
SHA-512:	3ADB19D4E8FAEF2264F43573021CEE68EA076F2D178A2C4D646F9E59C984582D5E6D3A64BFD355946D594743517E93ACF416219EA0216C3D4987C68C138ED38E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Reputation:	low
Preview:	MZ..........................................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.................B ....P...P...........Ps...................................`............5.F.......V.......v.......................)................P...............j...#...........................................................................................text............................... ..`.data...Ln..........................@....rsrc........P.......d..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\Desktop\Ordersheet_NanshaGA-012.docx (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	12678
Entropy (8bit):	7.173564988897135
Encrypted:	false
SSDEEP:	192:2hmsH5hnNXi5NxtpgoZ22NNfXUIufLuhGnZAxrjLGOzc:2hhHfnNXmNxt/ZtNNfXUIuTuknZAxqqc
MD5:	5EAAA8F7C5ABC32E8DF62612C29395AF
SHA1:	CBAEF915FE61FE4718A63393633FF99BC8A690E2
SHA-256:	52EB0AEAEB9FBB25C7A36E9A30A676FE27B4848FDDBECC4A516142EE44C2B0B6
SHA-512:	BFD990A23C06F9858F58B1F5CA8581C9BC6C1D3949F839BFBA5EDE0E509B30574EAEC4BAEAEA41D5F1FD7E7F2600B6EFB46FDAB5A6E08D8B7430C2139D96F73C
Malicious:	true
Reputation:	low
Preview:	PK..........!.....h...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.0.E......J.(....e.h...4ND.BR^..Q.........{....h.U....5%..=...VH3+...#.&Y.......l ....n0.8...M(.<F.Bi.s.,...Je.f.o..:.....c..D.5.L.c. ...Tl.b....5...H.Z7...0..,b...8H.w..*.=a.]x..B[.V.:..:...Ti.$..P../\|.^.....O......TX..,N..f.Jrh...y.!..NZ.ME3i.3...q. \.....Qp...s'....7..g..Ra.M.\....xj.../...........g..?.I....\|....&../...6. Z..v'.........PK..........!.........N......._rels/.rels ...(.........................

C:\Users\user\Desktop\~$dersheet_NanshaGA-012.docx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.844668957796979
Encrypted:	false
SSDEEP:	3:6NmltlylDQNSll/1qTUl/llMsll/wN8lV8sltAZ:mSmMel/o9sgMAZ
MD5:	13204BD5FEF8BB1B8ED1E5CC4BC3073D
SHA1:	ED93A3D41B429A003D2C139671B1790191C7123C
SHA-256:	3D7C0A0EABFE10F94DA83269EE01E3DB8CDDFC00AE665855B3CAEBC14CFA4BED
SHA-512:	DA78820F9E8BCF6953E53333D2037C63309E1B1F88CB0811E543B9FBD37C5950F956345982EB765BEAD6A9387593387325145961E7DB70416D7904436E532CD7
Malicious:	false
Preview:	.user.................................................A.r.t.h.u.r....................X.....................................'....TBeU....u...............G`.

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	12678
Entropy (8bit):	7.173564988897135
Encrypted:	false
SSDEEP:	192:2hmsH5hnNXi5NxtpgoZ22NNfXUIufLuhGnZAxrjLGOzc:2hhHfnNXmNxt/ZtNNfXUIuTuknZAxqqc
MD5:	5EAAA8F7C5ABC32E8DF62612C29395AF
SHA1:	CBAEF915FE61FE4718A63393633FF99BC8A690E2
SHA-256:	52EB0AEAEB9FBB25C7A36E9A30A676FE27B4848FDDBECC4A516142EE44C2B0B6
SHA-512:	BFD990A23C06F9858F58B1F5CA8581C9BC6C1D3949F839BFBA5EDE0E509B30574EAEC4BAEAEA41D5F1FD7E7F2600B6EFB46FDAB5A6E08D8B7430C2139D96F73C
Malicious:	false
Preview:	PK..........!.....h...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.0.E......J.(....e.h...4ND.BR^..Q.........{....h.U....5%..=...VH3+...#.&Y.......l ....n0.8...M(.<F.Bi.s.,...Je.f.o..:.....c..D.5.L.c. ...Tl.b....5...H.Z7...0..,b...8H.w..*.=a.]x..B[.V.:..:...Ti.$..P../\|.^.....O......TX..,N..f.Jrh...y.!..NZ.ME3i.3...q. \.....Qp...s'....7..g..Ra.M.\....xj.../...........g..?.I....\|....&../...6. Z..v'.........PK..........!.........N......._rels/.rels ...(.........................

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy (8bit):	7.976577754533228
TrID:	Word Microsoft Office Open XML Format document (27504/1) 77.45% ZIP compressed archive (8000/1) 22.53% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name:	Ordersheet_NanshaGA-012.docx
File size:	627'423 bytes
MD5:	9f3a8dd4f3ddee726e7c31bf109d205d
SHA1:	1098eff95597b92dcac33c0d9b29d5e563038412
SHA256:	9cbba48cb33db3fab697e3a49d25916aa577317887bcfd2a63d839cbda376e08
SHA512:	9137177cc2ff67a59c5b4781fb6c271ed7632a87e353b929263e3237ce3d56e97deb2bf4eb722ef975b29227393b8220db4a921949567c729e77ad9656024321
SSDEEP:	12288:Iwcf0bSTi6owYYS/xNZ622Pz62Lbf+/q00sBkH9Wp73aQ9E:IwhbSTAl/zZ622PtLbfyaE71C
TLSH:	60D41233A5D67CBDD94C01FB85A77A757E250D8219B67B5220ABA3ED2D200CD90284FF
File Content Preview:	PK..........MZ................_rels/PK........m.xZ................word/PK.........=.V..=.............[Content_Types].xml...N.0.._..+J.8 ......8..X........}{6-T......v._..W;.R....@Q4..8...yn.@q.h..H...a..7.L...y...\|.5...r.2E......,..h>p"}.u...X).......i.

File Icon


Icon Hash:	35e5c48caa8a8599

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 25, 2025 14:28:46.624564886 CET	1.1.1.1	192.168.11.20	0xfc0b	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 25, 2025 14:28:46.624564886 CET	1.1.1.1	192.168.11.20	0xfc0b	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Mar 25, 2025 14:28:46.624564886 CET	1.1.1.1	192.168.11.20	0xfc0b	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• WINWORD.EXE

Click to jump to process

Memory Usage

• WINWORD.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:28:45
Start date:	25/03/2025
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7ff6b4e40000
File size:	1'635'104 bytes
MD5 hash:	E7F3B8EA1B06F46176FC5C35307727D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ordersheet_NanshaGA-012.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Intel\ShaderCache\55358e20b61aed6fcad5b2283103fb1fe9f3dd3668577b575161f953d12f5a3f

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll

C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll:Zone.Identifier

C:\Users\user\Desktop\Ordersheet_NanshaGA-012.docx (copy)

C:\Users\user\Desktop\~$dersheet_NanshaGA-012.docx

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WINWORD.EXEPID: 4356, Parent PID: 568

General

File Activities

File Opened

File Created

Windows Analysis Report
Ordersheet_NanshaGA-012.docx