
Windows Analysis Report
PO 25032025.docx

Overview

General Information

Sample name: PO 25032025.docx
Analysis ID: 1648299
MD5: c5ba8e16b8b9049c1acdb656040f8920
SHA1: 70c1929479a2cdb8fa88a1ad89cc26ce60d7f080
SHA256: e3077c9b095fbabf72fd5c63f5e2a84371c349a057f1b6daacd529a3b0ca79d6
Tags: docx, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara signature match

Classification

Classification chart (image omitted); categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.
  • System is w11x64_office
  • WINWORD.EXE (PID: 5916 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: Japan.rtf
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0x475cb3:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0x475cfd:$ole2: d0cf11e0a1b11ae1
  • 0x39ea:$obj2: \objdata
  • 0xe7d7e:$obj2: \objdata
  • 0x26b654:$obj2: \objdata
  • 0x46eb82:$obj3: \objupdate
  • 0x3039:$obj4: \objemb
  • 0xe73cd:$obj4: \objemb
  • 0x26aca3:$obj4: \objemb
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: PO 25032025.docx; Avira: detected
Source: PO 25032025.docx; Virustotal: Detection: 46%
Source: PO 25032025.docx; ReversingLabs: Detection: 30%
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

System Summary

Source: Japan.rtf, type: SAMPLE; Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
Source: Japan.rtf, type: SAMPLE; Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
Source: classification engine; Classification label: mal64.winDOCX@2/5@0/0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\Desktop\~$ 25032025.docx
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\{AB686103-ED0A-4846-A915-6684BF6295BE} - OProcSessId.dat
Source: ~WRD0000.tmp.1.dr; OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: PO 25032025.docx; Virustotal: Detection: 46%
Source: PO 25032025.docx; ReversingLabs: Detection: 30%
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process created: unknown unknown
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: ~WRD0000.tmp.1.dr; Initial sample: OLE zip file path = word/media/image1.wmf
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: ~WRD0000.tmp.1.dr; Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process information queried: ProcessInformation
MITRE ATT&CK matrix (columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Matched techniques only; unmatched template cells omitted:
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Process Injection (1), Masquerading (1)
  • Discovery: Process Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
Behavior graph (ID: 1648299, sample: PO 25032025.docx, start date: 25/03/2025, architecture: WINDOWS, score: 64). Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Process: WINWORD.EXE started. Dropped file: C:\Users\user\...\PO 25032025.docx (copy), Microsoft.

Antivirus results (Source / Detection / Scanner / Label):
PO 25032025.docx: 47%, Virustotal
PO 25032025.docx: 31%, ReversingLabs, Document-RTF.Trojan.Heuristic
PO 25032025.docx: 100%, Avira, TR/Crypt.ZPACK.Gen2
No Antivirus matches
Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
a726.dscd.akamai.net: 23.40.179.10, active: true, malicious: false, reputation: high
s-0005.dual-s-msedge.net: 52.123.129.14, active: true, malicious: false, reputation: high
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1648299
Start date and time: 2025-03-25 18:14:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 25032025.docx
Detection: MAL
Classification: mal64.winDOCX@2/5@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .docx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.111.227.28, 52.182.143.215, 23.206.172.20, 23.206.172.6, 52.109.8.36, 52.123.129.14, 23.40.179.10, 40.126.24.82, 172.202.163.200
  • Excluded domains from analysis (whitelisted): (domain list omitted)
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
      No simulations
      No context
Context (Match / Associated Sample Name or URL / Detection / Threat Name / Context IP):
s-0005.dual-s-msedge.net:
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.129.14
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.129.14
  • PURCHASE ORDER 420-2025.xla.xlsx: malicious, Unknown, 52.123.128.14
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.129.14
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.128.14
  • PURCHASE ORDER 420-2025.xla.xlsx: malicious, Unknown, 52.123.128.14
  • Purchase Order 40360414.doc: malicious, Unknown, 52.123.128.14
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.129.14
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 52.123.129.14
a726.dscd.akamai.net:
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 23.44.136.151
  • PURCHASE ORDER 5172025.xla.xlsx: malicious, Unknown, 23.44.136.186
  • PURCHASE ORDER 420-2025.xla.xlsx: malicious, Unknown, 23.44.136.185
  • Purchase Order 40360414.doc: malicious, Unknown, 23.44.136.186
  • Purchase Order 40360414.doc: malicious, Unknown, 23.44.136.133
  • 25 03 2025 Legal Notice Presentation.pptx: malicious, Unknown, 23.44.136.179
  • https://1drv.ms/o/c/8fc032da5fada757/EgEHU26Ga4FAl_1Su2lfpkUBqQItqpp0mP4_5cipPDmMcg?e=PyJVMi: malicious, Unknown, 23.44.136.155
  • ProLab TT COPY for Proforma Invoice PLDS24344.docx: malicious, Unknown, 23.57.90.78
  • quotation_1.xlsx: malicious, Unknown, 23.57.90.74
  • Untitled_20250325.docx.doc: malicious, Unknown, 23.57.90.76
      No context
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1822
Entropy (8bit): 2.696249314068675
Encrypted: false
SSDEEP: 48:im8/WKGsrb/xsidpeXy4MwHDE5K7G5MeppIgkyTzO:ijPeidmdGu9su
MD5: B1A41A30482EA5158F73B8698C8B337B
SHA1: 3817B08E892D7B82DDD5B8FFB90FC4A8CB5143CA
SHA-256: ED31AB216A42D9FD752512065EF2FE9F648110BB7402BF96B0B8A3107D97CD39
SHA-512: 2EB45BE78CBD8E9A8921DB0CA6FAFD0809308CFFD4A7E9D5BCA280A627F5281A4E8E6D661BF710776E562CA01BFC85E911D1F6C90AD9D96CD077849276A35244
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: Microsoft Word 2007+
Category: dropped
Size (bytes): 12765
Entropy (8bit): 7.181262014329658
Encrypted: false
SSDEEP: 384:2hmwNXmNxt/ZtNNXSLIPblHZyOufA8TMg:2oaXMxllNwIPBuYG
MD5: 612B5129DC49810FFD99A3D21263F441
SHA1: DCBD2B8354438826B04D31CC737057A6FF02DE0C
SHA-256: C80331AB04A77718477568973C2CC3BE7D524A9CDB159B9B26EE1D4A79C4C7E5
SHA-512: 2D89EA1F1B9193DFDB1343D8FD232ECCAD399ED993E23111E79591FF08B7B89821633B20F1E7ABF2D5F73A95419164616577C8BDCEF88C2CE6A7E3C85F987F89
Malicious: true
Reputation: low
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.9582692597228437
Encrypted: false
SSDEEP: 3:blRmM0i2rX2r2stnlJTkLJF86EBxJ:bzmM0Drmr2sWdGp
MD5: 3B324EF859AE65D8E6C998BF81D38BE6
SHA1: 26A873054EA823B9AD613BB602F15AC89F9ED516
SHA-256: CA29A047A620FE88FEF345E0010425DB910427FF34E029F273A2824903D3645A
SHA-512: C5003DDA6D15A054069B617C2BDF267FF5A78CE49D94FD73F7C89977B80FA0ECEF64E6EFCC9870A9EE2D4DF53F9C7E768418D6CFB8578B668484043DCF146959
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: Microsoft Word 2007+
Category: dropped
Size (bytes): 12765
Entropy (8bit): 7.181262014329658
Encrypted: false
SSDEEP: 384:2hmwNXmNxt/ZtNNXSLIPblHZyOufA8TMg:2oaXMxllNwIPBuYG
MD5: 612B5129DC49810FFD99A3D21263F441
SHA1: DCBD2B8354438826B04D31CC737057A6FF02DE0C
SHA-256: C80331AB04A77718477568973C2CC3BE7D524A9CDB159B9B26EE1D4A79C4C7E5
SHA-512: 2D89EA1F1B9193DFDB1343D8FD232ECCAD399ED993E23111E79591FF08B7B89821633B20F1E7ABF2D5F73A95419164616577C8BDCEF88C2CE6A7E3C85F987F89
Malicious: false
Reputation: low
      Preview:PK..........!.....h...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.0.E......J.(....e.h...4ND.BR^..Q.........{....h.U....5%..=...VH3+...#.&Y.......l ....n0.8...M(.<F.Bi.s.,...Je.f.o..:.....c..D.5.L.c. ...Tl.b....5...H.Z7...0..,b...8H.w..*.=a.]x..B[.V.:..:...Ti.$..P../|.^.....O......TX..,N..f.Jrh...y.!..NZ.ME3i.3...q. \.....Qp...s'....7..g..Ra.M.\....xj.../...........g..?.I....|....&../...6. Z..v'.........PK..........!.........N......._rels/.rels ...(.........................
      Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:false
      Reputation:high, very likely benign file
      Preview:[ZoneTransfer]....ZoneId=0
      File type:Zip archive data, at least v2.0 to extract, compression method=store
      Entropy (8bit):7.975725006202927
      TrID:
      • Word Microsoft Office Open XML Format document (27504/1) 77.45%
      • ZIP compressed archive (8000/1) 22.53%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
      File name:PO 25032025.docx
      File size:627'369 bytes
      MD5:c5ba8e16b8b9049c1acdb656040f8920
      SHA1:70c1929479a2cdb8fa88a1ad89cc26ce60d7f080
      SHA256:e3077c9b095fbabf72fd5c63f5e2a84371c349a057f1b6daacd529a3b0ca79d6
      SHA512:e925dfb3f9a39320ac8e8e404deb8855bca3608a58c261219a774a33f8bd5914073738ab2efef132c8ee595f31465df58913bb09a587d4429673439c9a2c3d38
      SSDEEP:12288:KigNXMMZETRKZ9QXhc5Vos4Zmz2v5j5050dYCIQ4LJW7cc:cQsCiVZ4ZlxV06YVL+9
      TLSH:16D412B722DA7CFEE90C8DE75A6730B17A411A58A7F87219445B03DE4D208CE16425FF
      File Content Preview:PK..........MZ................_rels/PK..........xZ................word/PK.........=.V..=.............[Content_Types].xml...N.0.._..+J.8 ......8..X........}{6-T*......v._..W;*.R....@Q4..8...yn.@q.h..H...a..7.L...y...|.5...r.2E......,..h>p"}.u...X).......i.
      Icon Hash:35e5c48caa8a8599
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Mar 25, 2025 18:15:42.922420025 CET | 1.1.1.1 | 192.168.2.24 | 0x63a8 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
      Mar 25, 2025 18:15:42.922420025 CET | 1.1.1.1 | 192.168.2.24 | 0x63a8 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:42.922420025 CET | 1.1.1.1 | 192.168.2.24 | 0x63a8 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.10 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.73 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.78 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.67 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.13 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.17 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.12 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.4 | A (IP address) | IN (0x0001) | false
      Mar 25, 2025 18:15:44.223261118 CET | 1.1.1.1 | 192.168.2.24 | 0x5f7c | No error (0) | a726.dscd.akamai.net | | 23.40.179.11 | A (IP address) | IN (0x0001) | false
      [Graphs omitted: two process timeline charts (x-axis 0-100 s; y-axes 0-100 and 0-150 MB) and a process behavior distribution chart with categories File and Registry]

      Target ID:1
      Start time:13:15:37
      Start date:25/03/2025
      Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
      Imagebase:0x7ff6aaa60000
      File size:1'637'952 bytes
      MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true
      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

      No disassembly