
Windows Analysis Report
Ordersheet_NanshaGA-012.docx

Overview

General Information

Sample name:Ordersheet_NanshaGA-012.docx
Analysis ID:1648072
MD5:9f3a8dd4f3ddee726e7c31bf109d205d
SHA1:1098eff95597b92dcac33c0d9b29d5e563038412
SHA256:9cbba48cb33db3fab697e3a49d25916aa577317887bcfd2a63d839cbda376e08

Detection

Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Sigma detected: File With Uncommon Extension Created By An Office Application
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
PE file does not import any functions
Yara signature match

Classification

Classification chart (category axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64native
  • WINWORD.EXE (PID: 4356 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: E7F3B8EA1B06F46176FC5C35307727D6)
  • cleanup
No configs have been found
Source: Iraq.rtf
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0x475cb3:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0x475cfd:$ole2: d0cf11e0a1b11ae1
  • 0x39ea:$obj2: \objdata
  • 0xe7d7e:$obj2: \objdata
  • 0x26b654:$obj2: \objdata
  • 0x46eb82:$obj3: \objupdate
  • 0x3039:$obj4: \objemb
  • 0xe73cd:$obj4: \objemb
  • 0x26aca3:$obj4: \objemb

System Summary

Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 4356, TargetFilename: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe
No Suricata rule has matched


AV Detection

Source: Ordersheet_NanshaGA-012.docx | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll | ReversingLabs: Detection: 33%
Source: Ordersheet_NanshaGA-012.docx | ReversingLabs: Detection: 30%
Source: Ordersheet_NanshaGA-012.docx | Virustotal: Detection: 44%
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: Binary string: C:\gitlab\builds\_czcpbt9\0\ProtonVPN\Windows\win-app\src\ProtonVPN.NativeHost\bin\ProtonVPN.pdb | source: RtkAudUService64.exe.0.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: RtkAudUService64.exe.0.dr
Source: nethost.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nethost.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nethost.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: nethost.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nethost.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nethost.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: nethost.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: nethost.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: nethost.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0D
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: RtkAudUService64.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Source: Iraq.rtf, type: SAMPLE | Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll
Source: nethost.dll.0.dr | Static PE information: No import functions for PE file found
Source: Iraq.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
Source: classification engine | Classification label: mal100.expl.winDOCX@1/9@0/0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$dersheet_NanshaGA-012.docx
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A4CDC678-8606-41CA-80A9-0EC64E6ACCED} - OProcSessId.dat
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Ordersheet_NanshaGA-012.docx | ReversingLabs: Detection: 30%
Source: Ordersheet_NanshaGA-012.docx | Virustotal: Detection: 44%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/media/image1.wmf
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: Binary string: C:\gitlab\builds\_czcpbt9\0\ProtonVPN\Windows\win-app\src\ProtonVPN.NativeHost\bin\ProtonVPN.pdb | source: RtkAudUService64.exe.0.dr
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: RtkAudUService64.exe.0.dr | Static PE information: section name: _RDATA
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (95 identical entries)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (31 identical entries)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll
ATT&CK matrix by tactic (a number in parentheses is the count of matching signatures; entries without a number are the unmatched matrix template)
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1648072, Sample: Ordersheet_NanshaGA-012.docx, Startdate: 25/03/2025, Architecture: WINDOWS, Score: 100)
  • Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures
  • Process started by the sample: WINWORD.EXE (node counters 70 and 36; see the legend for created registry values and files)
  • Files dropped by WINWORD.EXE: C:\Users\user\AppData\Local\...\nethost.dll (MS-DOS); C:\Users\user\...\RtkAudUService64.exe (PE32+); C:\...\Ordersheet_NanshaGA-012.docx (copy) (Microsoft); C:\Users\user\...\nethost.dll:Zone.Identifier (ASCII)
  • Signature on the WINWORD.EXE node: Document exploit detected (creates forbidden files)

Submitted sample (Source | Detection | Scanner | Label)
  • Ordersheet_NanshaGA-012.docx | 31% | ReversingLabs | Document-RTF.Trojan.Heuristic
  • Ordersheet_NanshaGA-012.docx | 45% | Virustotal | (no label)
  • Ordersheet_NanshaGA-012.docx | 100% | Avira | TR/Crypt.ZPACK.Gen2
Dropped files (Source | Detection | Scanner | Label)
  • C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll | 100% | Avira | TR/Crypt.ZPACK.Gen2
  • C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\RtkAudUService64.exe | 0% | ReversingLabs | (no label)
  • C:\Users\user\AppData\Local\Temp\{A8F1DC34-3AFE-4466-8488-10BB15FD5CBB}\nethost.dll | 33% | ReversingLabs | (no label)
No Antivirus matches
No Antivirus matches
URLs (Source | Detection | Scanner | Label)
  • http://ocsp.sectigo.com0D | 0% | Avira URL Cloud | safe
  • http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
  • s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | (none) | high
URLs (Name | Source | Malicious | Antivirus Detection | Reputation)
  • http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | RtkAudUService64.exe.0.dr | false | (none) | high
  • https://sectigo.com/CPS0 | RtkAudUService64.exe.0.dr | false | (none) | high
  • http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | RtkAudUService64.exe.0.dr | false | (none) | high
  • http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | RtkAudUService64.exe.0.dr | false | (none) | high
  • http://ocsp.sectigo.com0 | RtkAudUService64.exe.0.dr | false | Avira URL Cloud: safe | unknown
  • http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | RtkAudUService64.exe.0.dr | false | (none) | high
  • http://ocsp.sectigo.com0D | RtkAudUService64.exe.0.dr | false | Avira URL Cloud: safe | unknown
No contacted IP infos
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1648072
              Start date and time:2025-03-25 14:26:41 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 36s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit 20H2 native physical machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Ordersheet_NanshaGA-012.docx
              Detection:MAL
              Classification:mal100.expl.winDOCX@1/9@0/0
              Cookbook Comments:
              • Found application associated with file extension: .docx
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Attach to Office via COM
              • Scroll down
              • Close Viewer
              • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, backgroundTaskHost.exe, TextInputHost.exe
              • Excluded IPs from analysis (whitelisted): 52.111.229.48, 40.79.173.40, 52.123.128.14, 20.190.151.70
              • Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, dual-s-0005-office.config.skype.com, onedscolprdaue00.australiaeast.cloudapp.azure.com, login.live.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, prod.nexusrules.live.com.akadns.net
              • Report size getting too big, too many NtQueryAttributesFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              No simulations
              No context
Match: s-0005.dual-s-msedge.net
Associated Sample Name / URL                                                                   Detection  Threat Name                           Context
Overdue Invoice 93589 (672Ko).msg                                                              malicious  Unknown                               52.123.128.14
suspectTelling clean needful (78.2 KB).msg                                                     malicious  HTMLPhisher, Invisible JS, Tycoon2FA  52.123.129.14
https://1drv.ms/o/c/8fc032da5fada757/EgEHU26Ga4FAl_1Su2lfpkUBqQItqpp0mP4_5cipPDmMcg?e=PyJVMi  malicious  Unknown                               52.123.129.14
ProLab TT COPY for Proforma Invoice PLDS24344.docx                                             malicious  Unknown                               52.123.128.14
quotation_1.xlsx                                                                               malicious  Unknown                               52.123.128.14
Untitled_20250325.docx.doc                                                                     malicious  Unknown                               52.123.129.14
Sales Contract_1.docx                                                                          malicious  Unknown                               52.123.128.14
ProLab TT COPY for Proforma Invoice PLDS24344.docx                                             malicious  Unknown                               52.123.129.14
quotation_1.xlsx                                                                               malicious  Unknown                               52.123.129.14
Untitled_20250325.docx.doc                                                                     malicious  Unknown                               52.123.128.14
              No context
              No context
              No context
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):49669
              Entropy (8bit):7.936711134540322
              Encrypted:false
              SSDEEP:768:nR08LLlI7/q1NHEIEEVmXIsdKTmFEJ8cUDpLMhClw2D035aSDjyMoBTzFh:R0slI7/q3HfBmSJgFJUXDZ61h
              MD5:8E81C9EC222FA1D3298583183C1A348A
              SHA1:DD263BCC73A841573F19C8D9670FDC974E2E3141
              SHA-256:6A6060C3099D911660E510709A1501E5CD7A3DE0F05DA9458574E972A0F0B508
              SHA-512:491795ACC20C4102264D01FDADC290AB60CE76228779CB20CAFC345AF311E25A6C16D1FC99A7FA55508AF3F2331884122C4C20927F233B892C16F6B612C09E28
              Malicious:false
              Reputation:low
              Preview:INSC.>.....Mar222021151921.w.(qP.;..hA......e.......o.*.yt.;I.M......@................s\..h...x..T.n.@......{.dC6)..mP.H.%.Bn...$.+.?..P....f......|.;.H..6()((((9w<..U$6......g...D731....Z....eH.....j`F..f4.Z`F.`.....0.c..o.p............].....P;#.6;..<.......w...8.......~oj.9ccp].s....l..>.....%.lZpO...{.R...I..=v...w.Q..~.K/<.....7..j.PSj.t.CM...L|.....=..S..50.=fh.^..F..MW.....k~..D...h.sM..._...3.PN...sz.|.%.C.Wk!.\.e..........Q...W..W..^k....Q{Y.K.E.qgU.Iw-B~.......H..0..e.....G_N..;R...UN.....xJc*u...h]........S.[.....n.R....w.........Wq..~F...N.\...............9^..i.4..8..1.:...gu>$..?t1L.....[.;.....#U.?..WQ..p. .).f'.G....!};j].J,,.....Mqz...................................xx...K.Q....8....Y......Q..........J.F%../n%Vf....../X(......."z....R(B.....;36...O..g.....s.0...L.4].w[....?y..:H..=...|....'@...kA..)......P..sK.|...z..<sqYj..L..=H.....?.. ..v.!Z.z.z......`....5..v..X.....w......o...l...q...,Mw.........N.z..4'lV..].W.
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):464584
              Entropy (8bit):5.493608350666298
              Encrypted:false
              SSDEEP:6144:64N3H2VRov7tfRSP0l/h5I9tfMfgKykq1jR0Q31Rv5Q1nI2VoXQ+18gUgIzBo2mx:62H2VRoFsP0l/hDgKwn0jI2Ty
              MD5:720F2634FE2E508EFE789B333E0043E8
              SHA1:51E0CD51506BC4B09958CF72AAE540675B7E16B1
              SHA-256:38502A7852B56C500CABA4CD92E15A67B745BB778FD452214BBC5599FF738C99
              SHA-512:634DBE5D16F85E745CF8F1E4D30269F0BBCFA7816E14E1DF7D3B680A3527F1C1D44F720AAB662BC0F59769A7A36F7BFE94AC45C21149427BD3D75242E5780448
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$?`.EQ3.EQ3.EQ3.7R2.EQ3.7T2@EQ3.7U2.EQ3.EQ3.EQ3..U2.EQ3..R2.EQ3..T2.EQ3.7P2.EQ3w9P2.EQ3.EP3.EQ3..X2.EQ3..3.EQ3.E.3.EQ3..S2.EQ3Rich.EQ3........PE..d......f.........."....&.4..........06.........@.............................@.......@....`.....................................................P....`..8....0..X........,...0..d.......p...............................@............P...............................text....3.......4.................. ..`.rdata......P.......8..............@..@.data...............................@....pdata..X....0......................@..@_RDATA.......P......................@..@.rsrc...8....`......................@..@.reloc..d....0......................@..B........................................................................................................................................................................................
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:gAWY3n:qY3n
              MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
              SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
              SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
              SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
              Malicious:false
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]..ZoneId=3..
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:MS-DOS executable PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
              Category:dropped
              Size (bytes):757224
              Entropy (8bit):6.770523454707489
              Encrypted:false
              SSDEEP:12288:0VZDiD6dy7uaVH4K3IfEv73d0iyBqj6ZiqPck6wLeA5Q+0MF3T0Ru3QYqz2FYdWp:0V1iD6dwuEH4EuEv77y7ZimckjLm3u3L
              MD5:2B8D22EF1175F0FB35EDDC77554DFDB1
              SHA1:B0001431A2A17EA9CE8342C8E1404D877E20E245
              SHA-256:16B021CB7D2F05E535E264EB6289CB030DAF789D8EFF0AEF9D032656C14E67AC
              SHA-512:3ADB19D4E8FAEF2264F43573021CEE68EA076F2D178A2C4D646F9E59C984582D5E6D3A64BFD355946D594743517E93ACF416219EA0216C3D4987C68C138ED38E
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 33%
              Reputation:low
              Preview:MZ..........................................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.................B ....P...P...........Ps...................................`............5.F.......V.......v.......................)................P...............j...#...........................................................................................text............................... ..`.data...Ln..........................@....rsrc........P.......d..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:gAWY3n:qY3n
              MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
              SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
              SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
              SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
              Malicious:true
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]..ZoneId=3..
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):12678
              Entropy (8bit):7.173564988897135
              Encrypted:false
              SSDEEP:192:2hmsH5hnNXi5NxtpgoZ22NNfXUIufLuhGnZAxrjLGOzc:2hhHfnNXmNxt/ZtNNfXUIuTuknZAxqqc
              MD5:5EAAA8F7C5ABC32E8DF62612C29395AF
              SHA1:CBAEF915FE61FE4718A63393633FF99BC8A690E2
              SHA-256:52EB0AEAEB9FBB25C7A36E9A30A676FE27B4848FDDBECC4A516142EE44C2B0B6
              SHA-512:BFD990A23C06F9858F58B1F5CA8581C9BC6C1D3949F839BFBA5EDE0E509B30574EAEC4BAEAEA41D5F1FD7E7F2600B6EFB46FDAB5A6E08D8B7430C2139D96F73C
              Malicious:true
              Reputation:low
              Preview:PK..........!.....h...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.0.E......J.(....e.h...4ND.BR^..Q.........{....h.U....5%..=...VH3+...#.&Y.......l ....n0.8...M(.<F.Bi.s.,...Je.f.o..:.....c..D.5.L.c. ...Tl.b....5...H.Z7...0..,b...8H.w..*.=a.]x..B[.V.:..:...Ti.$..P../|.^.....O......TX..,N..f.Jrh...y.!..NZ.ME3i.3...q. \.....Qp...s'....7..g..Ra.M.\....xj.../...........g..?.I....|....&../...6. Z..v'.........PK..........!.........N......._rels/.rels ...(.........................
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):162
              Entropy (8bit):2.844668957796979
              Encrypted:false
              SSDEEP:3:6NmltlylDQNSll/1qTUl/llMsll/wN8lV8sltAZ:mSmMel/o9sgMAZ
              MD5:13204BD5FEF8BB1B8ED1E5CC4BC3073D
              SHA1:ED93A3D41B429A003D2C139671B1790191C7123C
              SHA-256:3D7C0A0EABFE10F94DA83269EE01E3DB8CDDFC00AE665855B3CAEBC14CFA4BED
              SHA-512:DA78820F9E8BCF6953E53333D2037C63309E1B1F88CB0811E543B9FBD37C5950F956345982EB765BEAD6A9387593387325145961E7DB70416D7904436E532CD7
              Malicious:false
              Preview:.user.................................................A.r.t.h.u.r....................X.....................................'....TBeU....u...............G`.
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):12678
              Entropy (8bit):7.173564988897135
              Encrypted:false
              SSDEEP:192:2hmsH5hnNXi5NxtpgoZ22NNfXUIufLuhGnZAxrjLGOzc:2hhHfnNXmNxt/ZtNNfXUIuTuknZAxqqc
              MD5:5EAAA8F7C5ABC32E8DF62612C29395AF
              SHA1:CBAEF915FE61FE4718A63393633FF99BC8A690E2
              SHA-256:52EB0AEAEB9FBB25C7A36E9A30A676FE27B4848FDDBECC4A516142EE44C2B0B6
              SHA-512:BFD990A23C06F9858F58B1F5CA8581C9BC6C1D3949F839BFBA5EDE0E509B30574EAEC4BAEAEA41D5F1FD7E7F2600B6EFB46FDAB5A6E08D8B7430C2139D96F73C
              Malicious:false
              Preview:PK..........!.....h...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.0.E......J.(....e.h...4ND.BR^..Q.........{....h.U....5%..=...VH3+...#.&Y.......l ....n0.8...M(.<F.Bi.s.,...Je.f.o..:.....c..D.5.L.c. ...Tl.b....5...H.Z7...0..,b...8H.w..*.=a.]x..B[.V.:..:...Ti.$..P../|.^.....O......TX..,N..f.Jrh...y.!..NZ.ME3i.3...q. \.....Qp...s'....7..g..Ra.M.\....xj.../...........g..?.I....|....&../...6. Z..v'.........PK..........!.........N......._rels/.rels ...(.........................
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              File type:Zip archive data, at least v2.0 to extract, compression method=store
              Entropy (8bit):7.976577754533228
              TrID:
              • Word Microsoft Office Open XML Format document (27504/1) 77.45%
              • ZIP compressed archive (8000/1) 22.53%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
              File name:Ordersheet_NanshaGA-012.docx
              File size:627'423 bytes
              MD5:9f3a8dd4f3ddee726e7c31bf109d205d
              SHA1:1098eff95597b92dcac33c0d9b29d5e563038412
              SHA256:9cbba48cb33db3fab697e3a49d25916aa577317887bcfd2a63d839cbda376e08
              SHA512:9137177cc2ff67a59c5b4781fb6c271ed7632a87e353b929263e3237ce3d56e97deb2bf4eb722ef975b29227393b8220db4a921949567c729e77ad9656024321
              SSDEEP:12288:Iwcf0bSTi6owYYS/xNZ622Pz62Lbf+/q00sBkH9Wp73aQ9E:IwhbSTAl/zZ622PtLbfyaE71C
              TLSH:60D41233A5D67CBDD94C01FB85A77A757E250D8219B67B5220ABA3ED2D200CD90284FF
              File Content Preview:PK..........MZ................_rels/PK........m.xZ................word/PK.........=.V..=.............[Content_Types].xml...N.0.._..+J.8 ......8..X........}{6-T*......v._..W;*.R....@Q4..8...yn.@q.h..H...a..7.L...y...|.5...r.2E......,..h>p"}.u...X).......i.
              Icon Hash:35e5c48caa8a8599
Timestamp                          Source IP  Dest IP        Trans ID  Reply Code    Name                                 CName                     Address        Type                   Class        DNS over HTTPS
Mar 25, 2025 14:28:46.624564886 CET  1.1.1.1  192.168.11.20  0xfc0b    No error (0)  ecs-office.s-0005.dual-s-msedge.net  s-0005.dual-s-msedge.net                 CNAME (Canonical name)  IN (0x0001)  false
Mar 25, 2025 14:28:46.624564886 CET  1.1.1.1  192.168.11.20  0xfc0b    No error (0)  s-0005.dual-s-msedge.net                                       52.123.128.14  A (IP address)          IN (0x0001)  false
Mar 25, 2025 14:28:46.624564886 CET  1.1.1.1  192.168.11.20  0xfc0b    No error (0)  s-0005.dual-s-msedge.net                                       52.123.129.14  A (IP address)          IN (0x0001)  false
              Target ID:0
              Start time:09:28:45
              Start date:25/03/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
              Imagebase:0x7ff6b4e40000
              File size:1'635'104 bytes
              MD5 hash:E7F3B8EA1B06F46176FC5C35307727D6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              No disassembly