Windows Analysis Report
DOI_WORD_Check.doc

Overview

General Information

Sample name:	DOI_WORD_Check.doc
Analysis ID:	1520614
MD5:	d201807278ecd18ee692bee3b2693fa7
SHA1:	9e8ba7fdc3118e46569a60897f01fea1e0dc83f8
SHA256:	a77d4a98127656b0d8e41a381099ca386a2d4882139151aa1f063f6712d4e03a
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document contains an embedded VBA which might only executes on specific systems (country or language check)

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7A882433-8103-4FF1-ACEF-2A1807CF08D6}.tmp

Jump to behavior

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: DOI_WORD_Check.doc	OLE, VBA macro line: TempPath = Environ("TEMP")
Source: DOI_WORD_Check.doc	OLE, VBA macro line: TempPath = Environ("TMP")
Source: VBA code instrumentation	OLE, VBA macro: Module CheckModules, Function CheckSettings, String environ: TempPath = Environ("TEMP")	Name: CheckSettings
Source: VBA code instrumentation	OLE, VBA macro: Module CheckModules, Function CheckSettings, String environ: TempPath = Environ("TMP")	Name: CheckSettings

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: DOI_WORD_Check.doc

Stream path 'Macros/VBA/CheckModules' : found possibly 'WScript.Shell' functions exec, run, environ

Document contains embedded VBA macros

Source: DOI_WORD_Check.doc

OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal48.expl.winDOC@1/9@0/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$I_WORD_Check.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9AE7.tmp

Jump to behavior

Source: DOI_WORD_Check.doc

OLE indicator, Word Document stream: true

Source: ~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: DOI_WORD_Check.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\DOI_WORD_Check.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: DOI_WORD_Check.doc

Initial sample: OLE summary lastprinted = 1998-08-28 05:17:00

Source: ~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Document contains an embedded VBA which might only executes on specific systems (country or language check)

Source: DOI_WORD_Check.doc	Stream path 'Macros/VBA/CheckModules' : " + CStr(Application.International(wd24HourClock)) WriteT
Source: DOI_WORD_Check.doc	Stream path 'Macros/VBA/CheckModules' : (wdProductLanguageID)) WriteTextLn Text:="Thousands separa

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1520614
Product:	CloudBasic
Start time:	16:48:16
Start date:	27.09.2024
Sample:	DOI_WORD_Check.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	d201807278ecd18ee692bee3b2693fa7
SHA1:	9e8ba7fdc3118e46569a60897f01fea1e0dc83f8
SHA256:	a77d4a98127656b0d8e41a381099ca386a2d4882139151aa1f063f6712d4e03a
Filetype:	Microsoft Word document (32009/1) 44.75%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{59BFB9E4-49F4-4C3C-BAA1-1751511B10FA}.tmp	Composite Document File V2 Document, Cannot read section info	D6FE636FFF7962EFE907BFC71970F68D	A2AB424C56184AFCCBFD338B7386E20B9D875EA9	6ABAB5305CFDE13585AD31B21E833F67C4A14147B2F49E167EF0E204EF9AE580
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7A882433-8103-4FF1-ACEF-2A1807CF08D6}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd	data	9FB95251CFDE616AC49BBD06F3450E3C	A32E88675A061E05D179308A03087A41256AE56B	164034C88D9362E75F8C61FEE9D97D79AFA609E4DAD2AB181198197CDBF15C51
C:\Users\user\AppData\Local\Temp\~DFD450097F3E8B70EB.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DOI_WORD_Check.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Fri Aug 11 15:42:08 2023, atime=Fri Sep 27 13:49:14 2024, length=103424, window=hide	07CC4E0B3E4894127F55069A4FC45628	D354887B7F8CFA1BC5CE7E4CF1F0E8E19A896036	BA81B6923A4B39F7EFA5B87C32A68F31ADA332DEE0939CD8CC1FD23453464ACF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	D12378A289DDB7E4B73C7374BE8A1146	3B2A82429F004C4F01BE134B792D15D3CFC19BF3	FC83EBE6E759AB9E80C25CCDD1AF927322C15DF6511E5CE41039A9CAD0132719
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0809.lex	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\Desktop\~$I_WORD_Check.doc	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1

Windows Analysis Report
DOI_WORD_Check.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report DOI_WORD_Check.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
DOI_WORD_Check.doc