
Windows Analysis Report
PO 25032025.docx

Overview

General Information

Sample name: PO 25032025.docx
Analysis ID: 1648299
MD5: c5ba8e16b8b9049c1acdb656040f8920
SHA1: 70c1929479a2cdb8fa88a1ad89cc26ce60d7f080
SHA256: e3077c9b095fbabf72fd5c63f5e2a84371c349a057f1b6daacd529a3b0ca79d6
Tags: docx, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara signature match

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 7436 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • cleanup
No configs have been found
Yara matches
Source: Japan.rtf
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0x475cb3:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0x475cfd:$ole2: d0cf11e0a1b11ae1
  • 0x39ea:$obj2: \objdata
  • 0xe7d7e:$obj2: \objdata
  • 0x26b654:$obj2: \objdata
  • 0x46eb82:$obj3: \objupdate
  • 0x3039:$obj4: \objemb
  • 0xe73cd:$obj4: \objemb
  • 0x26aca3:$obj4: \objemb
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: PO 25032025.docx | Avira: detected
Source: PO 25032025.docx | Virustotal: Detection: 46%
Source: PO 25032025.docx | ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

System Summary

Source: Japan.rtf, type: SAMPLE | Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
Source: Japan.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
Source: classification engine | Classification label: mal64.winDOCX@2/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ 25032025.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{73ECBEA4-5B27-4019-A457-FE042442D698} - OProcSessId.dat
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: PO 25032025.docx | Virustotal: Detection: 46%
Source: PO 25032025.docx | ReversingLabs: Detection: 30%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/media/image1.wmf
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
MITRE ATT&CK Matrix (techniques matched by a signature are marked with their match count)
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph ID: 1648299
Sample: PO 25032025.docx
Start date: 25/03/2025
Architecture: WINDOWS
Score: 64
Graph nodes:
  • Malicious sample detected (through community Yara rule)
  • Antivirus / Scanner detection for submitted sample
  • Multi AV Scanner detection for submitted file
  • WINWORD.EXE 155 92 (started)
  • C:\Users\user\...\PO 25032025.docx (copy), Microsoft (dropped by WINWORD.EXE)

Antivirus results (Source | Detection | Scanner | Label):
  • PO 25032025.docx | 47% | Virustotal
  • PO 25032025.docx | 31% | ReversingLabs | Document-RTF.Trojan.Heuristic
  • PO 25032025.docx | 100% | Avira | TR/Crypt.ZPACK.Gen2
No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  • s-0005.dual-s-msedge.net | 52.123.128.14 | Active: true | Malicious: false | Antivirus Detection: none | Reputation: high
    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1648299
    Start date and time:2025-03-25 18:09:19 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 39s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:PO 25032025.docx
    Detection:MAL
    Classification:mal64.winDOCX@2/4@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .docx
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.31.69.3, 52.109.20.38, 20.42.73.25, 52.109.16.112, 23.34.59.28, 23.34.59.26, 172.202.163.200, 52.123.128.14, 40.126.24.147
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, ncus-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdeus06.eastus.cloudapp.azure.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, e26769.dscb.akamaiedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    No simulations
    No context
    Context matches (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
    Match: s-0005.dual-s-msedge.net
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
    • PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 52.123.128.14
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.128.14
    • PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 52.123.128.14
    • Purchase Order 40360414.doc | malicious | Unknown | 52.123.128.14
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
    • PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
    • Purchase Order 40360414.doc | malicious | Unknown | 52.123.128.14
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):12680
    Entropy (8bit):7.1729995813353735
    Encrypted:false
    SSDEEP:384:2hE/uWK0O+NXmNxt/ZtNNbcyu7Cx14zUwx0ID9B:2W/W0O8XMxllNbl0CjuUTIb
    MD5:862F6C6133C549525168EE912B752B98
    SHA1:929DC5FC45EECA3FD4332E8FAA5CF9820DCF9B75
    SHA-256:B5FCE01E732B5FBE3DEF955DD2585F3C48DF2EE003F9B2984AE1ECB8AF31CCFA
    SHA-512:06B55C06F2AE2391595C09DBA375A4B7D63D93A6FF3A927B6CC2F22EC8B7F2CE6827FFC6173F69747FF591731477A7C3BE61E7E9BC249CE7FCFA9D64374046E7
    Malicious:true
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):4.702720957207051
    Encrypted:false
    SSDEEP:3:U1/lkles/3a5Yx8VxSNjaKvZC8VE2KG:U1/qeDYx8rSNjaKvw8VEtG
    MD5:1AC58E9820C2B5C2DC83E9C662D998DC
    SHA1:9EB4096B52A72E8F652AA42B10AF78E47A2D1B06
    SHA-256:BC57E46B55DACE87A6D62FF9F230AF61F1F064FBE2A0439EA69403499ABA6FBA
    SHA-512:FB52224FC4FC25986E9D8FE89DBCA9A625CDBAE85F526A153DC2B5E743D0387C026C82C496C8D31DD7E3E87FFBC19210019E2D177A90D32965DD2A4E0B340A20
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):12680
    Entropy (8bit):7.1729995813353735
    Encrypted:false
    SSDEEP:384:2hE/uWK0O+NXmNxt/ZtNNbcyu7Cx14zUwx0ID9B:2W/W0O8XMxllNbl0CjuUTIb
    MD5:862F6C6133C549525168EE912B752B98
    SHA1:929DC5FC45EECA3FD4332E8FAA5CF9820DCF9B75
    SHA-256:B5FCE01E732B5FBE3DEF955DD2585F3C48DF2EE003F9B2984AE1ECB8AF31CCFA
    SHA-512:06B55C06F2AE2391595C09DBA375A4B7D63D93A6FF3A927B6CC2F22EC8B7F2CE6827FFC6173F69747FF591731477A7C3BE61E7E9BC249CE7FCFA9D64374046E7
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Reputation:high, very likely benign file
    Preview:[ZoneTransfer]....ZoneId=0
    File type:Zip archive data, at least v2.0 to extract, compression method=store
    Entropy (8bit):7.975725006202927
    TrID:
    • Word Microsoft Office Open XML Format document (27504/1) 77.45%
    • ZIP compressed archive (8000/1) 22.53%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
    File name:PO 25032025.docx
    File size:627'369 bytes
    MD5:c5ba8e16b8b9049c1acdb656040f8920
    SHA1:70c1929479a2cdb8fa88a1ad89cc26ce60d7f080
    SHA256:e3077c9b095fbabf72fd5c63f5e2a84371c349a057f1b6daacd529a3b0ca79d6
    SHA512:e925dfb3f9a39320ac8e8e404deb8855bca3608a58c261219a774a33f8bd5914073738ab2efef132c8ee595f31465df58913bb09a587d4429673439c9a2c3d38
    SSDEEP:12288:KigNXMMZETRKZ9QXhc5Vos4Zmz2v5j5050dYCIQ4LJW7cc:cQsCiVZ4ZlxV06YVL+9
    TLSH:16D412B722DA7CFEE90C8DE75A6730B17A411A58A7F87219445B03DE4D208CE16425FF
    Icon Hash:35e5c48caa8a8599
    DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class | DNS over HTTPS):
    • Mar 25, 2025 18:10:45.056391001 CET | 1.1.1.1 | 192.168.2.11 | 0xb0c4 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | CName: s-0005.dual-s-msedge.net | CNAME (Canonical name) | IN (0x0001) | DoH: false
    • Mar 25, 2025 18:10:45.056391001 CET | 1.1.1.1 | 192.168.2.11 | 0xb0c4 | No error (0) | s-0005.dual-s-msedge.net | Address: 52.123.128.14 | A (IP address) | IN (0x0001) | DoH: false
    • Mar 25, 2025 18:10:45.056391001 CET | 1.1.1.1 | 192.168.2.11 | 0xb0c4 | No error (0) | s-0005.dual-s-msedge.net | Address: 52.123.129.14 | A (IP address) | IN (0x0001) | DoH: false

    Target ID:0
    Start time:13:10:26
    Start date:25/03/2025
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x560000
    File size:1'620'872 bytes
    MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly