Edit tour

Windows Analysis Report
CPM Packing V4.doc

Overview

General Information

Sample name:	CPM Packing V4.doc
Analysis ID:	1525553
MD5:	7a078d4d0a5c398abe27ec81ed83f8e5
SHA1:	516bdb766e723e84c5fc16911ce919c4192967b3
SHA256:	77e1176a4b3d43954517fe7934461d4b758150078f1b93381eb0ed08c6cbaf2f
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Document exploit detected (process start blacklist hit)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3308 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

WmiPrvSE.exe (PID: 3416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: D683C112190F4B4C6D477D693EE88E35)

cleanup

Sigma Signatures

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3308, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\wbem\WmiPrvSE.exe

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BCC7CD1-ED54-4E14-9DA6-D615130C6A08}.tmp

Jump to behavior

Source: CPM Packing V4.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Source: CPM Packing V4.doc

OLE indicator, VBA macros: true

Source: CPM Packing V4.doc

Stream path 'Macros/VBA/__SRP_0' : http://Barcode StringFFVBE7.DLLY2YS.winmgmts:\\0\root\default:StdRegProv"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersPersonalGetStringValue$\SharePoint DraftsYr`Software\Microsoft\Office\Common\Offline\OptionsLocationCTHIt seems that this document has not been opened from SharePoint library but from local copy instead. Local copies must not be used to preserve system functionality.*

Source: classification engine

Classification label: sus22.expl.winDOC@2/9@0/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$M Packing V4.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR905C.tmp

Jump to behavior

Source: CPM Packing V4.doc

OLE indicator, Word Document stream: true

Source: CPM Packing V4.doc	OLE document summary: author field not present or empty
Source: CPM Packing V4.doc	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: CPM Packing V4.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\CPM Packing V4.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: CPM Packing V4.doc

Static file information: File size 4581888 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: CPM Packing V4.doc

Initial sample: OLE summary lastprinted = 2012-07-10 12:57:00

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: CPM Packing V4.doc

Stream path 'WordDocument' entropy: 7.9727951497 (max. 8.0)

Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 3440

Thread sleep time: -240000s >= -30000s

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Exploitation for Client Execution	2 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525553
Start date and time:	2024-10-04 11:07:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CPM Packing V4.doc
Detection:	SUS
Classification:	sus22.expl.winDOC@2/9@0/0
Cookbook Comments:	Found application associated with file extension: .doc

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CPM Packing V4.doc

Simulations

Behavior and APIs

Time	Type	Description
05:08:52	API Interceptor	464x Sleep call for process: WmiPrvSE.exe modified

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4DED5C6A-1761-4786-961A-5F5287EDAFD1}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DD7503E-D112-4243-9235-58AC77741C33}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	FEAD052EEEDCFB31C49B19F91EDDED24
SHA1:	40C7BD210D05DBEA19402B952DD416E487450955
SHA-256:	C2E1FFA0ECEBA9690A006CC9512C700290D9FD4F5F717FC42C36FAA466F244BE
SHA-512:	731913CEF824672BC315342B79B58BB79B5C3FA3FA18A01395B5CA9BFEFA6F8DD4E87B2105AACE6FFAC89BE0A9DC9266A68F04FA54CA0FB21D0FB327ABF6E2E2
Malicious:	false
Reputation:	low
Preview:	1.1.1.1.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BCC7CD1-ED54-4E14-9DA6-D615130C6A08}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B402D7-918F-4449-A5AF-6E918A27D07F}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3560167139182788
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbH:IiiiiiiiiifdLloZQc8++lsJe1MzE
MD5:	23CBB4215CFF87F1C2F0C1EFDC281276
SHA1:	666BC3D172B34CDF51E2B5A220A7494E0EA73498
SHA-256:	FA43A627C94DE4D369AA643075D174BFBE5F80181A929EFA8B0F21D0B7816C76
SHA-512:	2BA815E1EB33F650B4DE1D46E788B752C0DBB301D4CF5E5F9257FE5D70E2C0D8EE7C016509CDA2AB81F3861E34E3A1172807E9A472A60E6D54579E428813209A
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1469EBB44199A005.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\CPM Packing V4.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Fri Aug 11 15:42:08 2023, atime=Fri Oct 4 08:08:49 2024, length=4582912, window=hide
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.562140930473445
Encrypted:	false
SSDEEP:	12:838T/ftgXg/XAlCPCHaXZBUB/qPX+WWaGIx1kDjicvbKQyjIz51kD5DtZ3YilMMm:838TD/XTpa4xkDWesUkD5Dv3qY/57u
MD5:	7368BE70301340EFE9C4D2B51D2379FC
SHA1:	DCC6F8C86270402C086F9F72EAEC33CDB0CF7CE7
SHA-256:	3911DB01A9457DDC50E212A6A8BD8EC7540AE78F7C3D916F64DDD5BEC7F28301
SHA-512:	8EF8038237C8960516BA71035EF557E5C4534F0C910BBBA48F20652D2D1FCECD0ECC6C81AA9E11370236C1A24B6CBF72FC9CBF02E9699C81A822DB52E6CCAF7E
Malicious:	false
Preview:	L..................F.... ....9..r....9..r...r...=.....E..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....DY.I..user.8......QK.XDY.I...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2...E.DY.I .CPMPAC~1.DOC..R.......WE..WE..........................C.P.M. .P.a.c.k.i.n.g. .V.4...d.o.c.......\|...............-...8...[............?J......C:\Users\..#...................\\301389\Users.user\Desktop\CPM Packing V4.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.P.M. .P.a.c.k.i.n.g. .V.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......301389..........D_....3N...W...9..W.e8...8.....[D_

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.748472318416496
Encrypted:	false
SSDEEP:	3:M1XELp6YVom4zTELp6YVov:MtK64KK64y
MD5:	BFBEC8F1EF15BA76E95F6133BE87952C
SHA1:	E4DC0528367C73E9B28DCB097E7D14E5DDBC7EA5
SHA-256:	333693211113D98CBB18CDD08FE6051A3490123C7D8016F69ADD09BF58572201
SHA-512:	4558C999BD338F321B9BE0ACD19DBC647C0E189A02A3FBE7D382DC91CACE88EE51C2A384F33540ED4BAC0684B499A585B82D7E4FC83EC44E4A9A236D10874C18
Malicious:	false
Preview:	[doc]..CPM Packing V4.LNK=0..[folders]..CPM Packing V4.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$M Packing V4.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: CPM Packing, Author: , Template: Normal, Last Saved By: Stefanie Butler, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Jul 10 13:57:00 2012, Create Time/Date: Sat Jun 30 16:30:00 2018, Last Saved Time/Date: Sat Jun 30 16:30:00 2018, Number of Pages: 8, Number of Words: 1049, Number of Characters: 5982, Security: 0
Entropy (8bit):	7.942640168768032
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	CPM Packing V4.doc
File size:	4'581'888 bytes
MD5:	7a078d4d0a5c398abe27ec81ed83f8e5
SHA1:	516bdb766e723e84c5fc16911ce919c4192967b3
SHA256:	77e1176a4b3d43954517fe7934461d4b758150078f1b93381eb0ed08c6cbaf2f
SHA512:	8d6e6149723b7700669f8ae5ee7fce0c064d2837b65713229dfe0ba618c7ae27cec15276c03ef59747cece6647d48dde3a9dac2f81e9d0e68c93f27612dafd59
SSDEEP:	98304:/alDKXLJz7ER/7WHBZV883r3TWDtv2fHKGA1D:/alDW9EVyjV88nW0HKGA1
TLSH:	CB262304FF92AE3AC016153195A7C779832ADCCA0A91875339FB3F67BC745A25D83B18
File Content Preview:	........................>...................F...............e"..........................................................d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d......

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "CPM Packing V4.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:	CPM Packing
Author:
Template:	Normal
Last Saved By:	Stefanie Butler
Revion Number:	2
Total Edit Time:	0
Last Printed:	2012-07-10 12:57:00
Create Time:	2018-07-31 15:30:00
Last Saved Time:	2018-07-31 15:30:00
Number of Pages:	8
Number of Words:	1049
Number of Characters:	5982
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	49
Number of Paragraphs:	14
Thumbnail Scaling Desired:	False
Company:	Cranswick Plc
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 7440

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	7440
Data ASCII:	. . . . . . . . . . . . . . . b . . . \| . . . . . . . . . . . . . . . . . . k . . . . . . . . . . . . . . . . . . . < . . . ! % = ? g 3 D j c Q . J N R . . . . . . . . . . . . . . . . . . . . 5 + ` . O F h I . . . . . . . . . . . . . . . . . . . . . . x . . . . 5 + ` . O F h I ! % = ? g 3 D j c Q . . . . M E . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . S " . . . . S . . . . . S " . . . . > " . . . . . . . . . . . . . . . . L . . . . . L . . . . . . . . . . . . . . . . . L . . . . . L . . . . . <
Data Raw:	01 16 01 00 06 00 01 00 00 b6 0c 00 00 e4 00 00 00 62 02 00 00 7c 0d 00 00 8a 0d 00 00 1e 18 00 00 00 00 00 00 01 00 00 00 af fe 6b aa 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 21 25 3d 3f 91 67 33 44 bc 6a 88 a2 89 63 51 da cd 02 aa eb 4a fe ba 4e 80 52 bf a7 b7 9b eb 83 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'if default drafts location is not set in registry then exit
If IsNull(GetDefaultDrafts()) Then Exit Sub

'if document path includes 'http://' then it comes from SharePoint
If InStr(ActiveDocument.Path, "http://") = 1 Then
    'MsgBox ("Opened From SP")
    Exit Sub
    Else
    'if it does not
        If IsNull(GetCustomDrafts()) Then
            'if there is no custom location for drafts in registry
            'check if file path contains default location for drafts
            'if it does then it most likely comes from SharePoint
            If InStr(ActiveDocument.Path, GetDefaultDrafts()) = 1 Then
                'MsgBox ("Opened From SP")
                Exit Sub
            Else
                MsgBox WarningMessage(), vbCritical
                ThisDocument.ContentTypeProperties("Barcode String") = ""
                Exit Sub
            End If
        Else
            'there is custom location for drafts
            If InStr(ActiveDocument.Path, GetCustomDrafts()) = 1 Then
                'MsgBox ("Opened From SP")
                Exit Sub
            Else
                MsgBox WarningMessage(), vbCritical
                ThisDocument.ContentTypeProperties("Barcode String") = ""
                Exit Sub
            End If
        End If
End If
End Sub

Function GetDefaultDrafts()
Const HKEY_LOCAL_MACHINE = &H80000001

strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" &     strComputer & "\root\default:StdRegProv")
 
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
strValueName = "Personal"
objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
If IsNull(strValue) Then
    GetDefaultDrafts = Null
Else
    GetDefaultDrafts = strValue + "\SharePoint Drafts"
End If

End Function

Function GetCustomDrafts()
Const HKEY_LOCAL_MACHINE = &H80000001

strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" &     strComputer & "\root\default:StdRegProv")
 
strKeyPath = "Software\Microsoft\Office\Common\Offline\Options"
strValueName = "Location"
objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
If IsNull(strValue) Then
    GetCustomDrafts = Null
Else
    GetCustomDrafts = strValue
End If

End Function

Function WarningMessage()
WarningMessage = "It seems that this document has not been opened from SharePoint library but from local copy instead. Local copies must not be used to preserve system functionality."
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "ntRef", Stream Size: 824

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "ntRef"
Stream Size:	824
Entropy:	3.9562641369500406
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , D . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C r a n s w i c k P l c . . . . . . . 1 . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C P M
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 01 00 00 00 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 88 00 00 00 06 00 00 00 90 00 00 00 11 00 00 00 98 00 00 00 17 00 00 00 a0 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 380

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	380
Entropy:	3.612012325525913
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . C P M P a c k i n g . . . . . . . . . . . . . . . . . . . . N o r m a l . . . . . . . . . . S t e f a n i e B u t l e r . . . . . . . . . 2 . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 4c 01 00 00 0f 00 00 00 01 00 00 00 80 00 00 00 02 00 00 00 88 00 00 00 04 00 00 00 9c 00 00 00 07 00 00 00 a8 00 00 00 08 00 00 00 b8 00 00 00 09 00 00 00 d0 00 00 00 12 00 00 00 dc 00 00 00 0a 00 00 00 fc 00 00 00 0b 00 00 00 08 01 00 00

Stream Path: 1Table, File Type: data, Stream Size: 34280

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	34280
Entropy:	5.310049108639361
Base64 Encoded:	True
Data ASCII:	. . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	16 06 20 00 12 00 01 00 77 01 0f 00 07 00 04 00 00 00 04 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 407987

General
Stream Path:	Data
CLSID:
File Type:	data
Stream Size:	407987
Entropy:	7.737532001410225
Base64 Encoded:	True
Data ASCII:	= . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . I . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r . . . . . . . . . . . . . . . . . s . . @ . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . 0 . . . . . " . . . . . . . . . . . . . . . . . . . R . . w . . . . . . Q 8 . . . I ( . . S . . . . . . . D . . . . . F . K . . . . Q 8 . . . I ( . . . J F I F . . . . . ` . ` . . . C . . . . . . . . . . . . . . .
Data Raw:	3d 18 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 95 10 16 08 49 03 47 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 72 00 00 00 b2 04 0a f0 08 00 00 00 06 04 00 00 00 0a 00 00 73 00 0b f0 40 00 00 00 7f 00 80 00 e1 00 04 41 04 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 370

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	370
Entropy:	5.354829532632308
Base64 Encoded:	True
Data ASCII:	I D = " { 1 E 6 E F D A 2 - 9 B 3 9 - 4 D 8 5 - A D C 9 - 2 D 0 6 9 B 8 4 B 8 2 A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A F A D B 8 6 D C 8 B F 7 5 C 3 7 5 C 3 7 5 C 3 7 5 C 3 " . . D P B = " 5 8 5 A 4 F 7 0 5 0 7 0 5 0 7 0 " . . G C = " 0 1 0 3 1 6 1 B 1 7 1 B 1 7 E 4 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H
Data Raw:	49 44 3d 22 7b 31 45 36 45 46 44 41 32 2d 39 42 33 39 2d 34 44 38 35 2d 41 44 43 39 2d 32 44 30 36 39 42 38 34 42 38 32 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2797

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2797
Entropy:	4.438394022340493
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 a3 00 00 01 00 ff 09 08 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2381

General
Stream Path:	Macros/VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	2381
Entropy:	4.147790044366301
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q a g . J = y . E . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . ! . . . . . . . I . . . . . . . y . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a a3 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 102

General
Stream Path:	Macros/VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	102
Entropy:	2.1557150538491894
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 c9 02 00 00 00 00 00 00 d9 05 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 1740

General
Stream Path:	Macros/VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	1740
Entropy:	4.2135997255678515
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . 9 . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . q . . . . . . . . . . . . . . . . . . . . . i . . . . . . . A . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 04 00 04 00 19 00 00 00 b1 05 00 00 00 00 00 00 79 08 00 00 00 00 00 00 e9 08 00 00 00 00 00 00 39 07 00 00 00 00 00 00 11 07 00 00 00 00 00 00 39 05 00 00 00 00 00 00 61 07 00 00 00 00 00 00 01 09 00 00 00 00 00 00 91 07 00 00 00 00

Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 229

General
Stream Path:	Macros/VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	229
Entropy:	2.6338927456126218
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . ( . A . . . . . . . . . . ` . . . . . . . . . . . . / ( . . . . . . . . . . . ` . . . . . . . . . . . . / ( . . . . . . . . . . . ` . . . . . . . . . . . . / . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 04 60 00 00 f8 06 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 28 00 41 01 00 00 00 00 02 00 01 00 04 60 04 01 ed 06 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff 00 00 00

Stream Path: Macros/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.340057322510338
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . X . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * . \\ C . . . . . X . . . ! O f f i c . g O . f . i . c . g .
Data Raw:	01 06 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 f1 a2 ba 58 0a 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: MsoDataStore/\x201I\x193\x197F5\x197VP\x212\x2184\x2001\x202\x205\x195X\x209\x197T\x208==/Item, File Type: XML 1.0 document, ASCII text, with no line terminators, Stream Size: 270

General
Stream Path:	MsoDataStore/\x201I\x193\x197F5\x197VP\x212\x2184\x2001\x202\x205\x195X\x209\x197T\x208==/Item
CLSID:
File Type:	XML 1.0 document, ASCII text, with no line terminators
Stream Size:	270
Entropy:	5.1036955189073145
Base64 Encoded:	False
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > < b : S o u r c e s S e l e c t e d S t y l e = " \\ A P A . X S L " S t y l e N a m e = " A P A " x m l n s : b = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " x m l n s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 3c 62 3a 53 6f 75 72 63 65 73 20 53 65 6c 65 63 74 65 64 53 74 79 6c 65 3d 22 5c 41 50 41 2e 58 53 4c 22 20 53 74 79 6c 65 4e 61 6d 65 3d 22 41 50 41 22 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61

Stream Path: MsoDataStore/\x201I\x193\x197F5\x197VP\x212\x2184\x2001\x202\x205\x195X\x209\x197T\x208==/Properties, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 201

General
Stream Path:	MsoDataStore/\x201I\x193\x197F5\x197VP\x212\x2184\x2001\x202\x205\x195X\x209\x197T\x208==/Properties
CLSID:
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Stream Size:	201
Entropy:	5.347642115093146
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { 1 5 6 5 8 8 A 4 - 5 5 F 9 - 4 E 3 F - 9 E A 1 - B A A D 8 D 7 C 6 5 4 F } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " / >
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 31 35 36 35 38 38 41 34 2d 35 35 46 39 2d 34 45 33 46 2d 39 45 41 31 2d 42 41 41 44 38 44 37 43 36 35 34 46 7d 22 20 78 6d 6c

Stream Path: MsoDataStore/\x209WO\x200SQ\x209\x2044\x196SQ2\x222\x205\x212\x2003C\x192LA==/Item, File Type: ASCII text, with no line terminators, Stream Size: 219

General
Stream Path:	MsoDataStore/\x209WO\x200SQ\x209\x2044\x196SQ2\x222\x205\x212\x2003C\x192LA==/Item
CLSID:
File Type:	ASCII text, with no line terminators
Stream Size:	219
Entropy:	4.76071936530778
Base64 Encoded:	False
Data ASCII:	< ? m s o - c o n t e n t T y p e ? > < F o r m T e m p l a t e s x m l n s = " h t t p : / / s c h e m a s . m i c r o s o f t . c o m / s h a r e p o i n t / v 3 / c o n t e n t t y p e / f o r m s " > < D i s p l a y > D o c u m e n t L i b r a r y F o r m < / D i s p l a y > < E d i t > D o c u m e n t L i b r a r y F o r m < / E d i t > < N e w > D o c u m e n t L i b r a r y F o r m < / N e w > < / F o r m T e m p l a t e s >
Data Raw:	3c 3f 6d 73 6f 2d 63 6f 6e 74 65 6e 74 54 79 70 65 3f 3e 3c 46 6f 72 6d 54 65 6d 70 6c 61 74 65 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 73 68 61 72 65 70 6f 69 6e 74 2f 76 33 2f 63 6f 6e 74 65 6e 74 74 79 70 65 2f 66 6f 72 6d 73 22 3e 3c 44 69 73 70 6c 61 79 3e 44 6f 63 75 6d 65 6e 74 4c 69 62 72 61 72 79 46

Stream Path: MsoDataStore/\x209WO\x200SQ\x209\x2044\x196SQ2\x222\x205\x212\x2003C\x192LA==/Properties, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 201

General
Stream Path:	MsoDataStore/\x209WO\x200SQ\x209\x2044\x196SQ2\x222\x205\x212\x2003C\x192LA==/Properties
CLSID:
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Stream Size:	201
Entropy:	5.341239346546863
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { 4 9 A 8 6 3 C 5 - 6 C 0 C - 4 4 7 A - 9 0 7 3 - E B 7 4 A 1 D 0 A 0 2 C } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " / >
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 34 39 41 38 36 33 43 35 2d 36 43 30 43 2d 34 34 37 41 2d 39 30 37 33 2d 45 42 37 34 41 31 44 30 41 30 32 43 7d 22 20 78 6d 6c

Stream Path: MsoDataStore/\x214\x216212\x218REVEW\x208SYRM5\x212\x220\x209\x220\x208==/Item, File Type: XML 1.0 document, ASCII text, with very long lines (509), with CRLF line terminators, Stream Size: 13833

General
Stream Path:	MsoDataStore/\x214\x216212\x218REVEW\x208SYRM5\x212\x220\x209\x220\x208==/Item
CLSID:
File Type:	XML 1.0 document, ASCII text, with very long lines (509), with CRLF line terminators
Stream Size:	13833
Entropy:	5.123887605174713
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > < c t : c o n t e n t T y p e S c h e m a c t : _ = " " m a : _ = " " m a : c o n t e n t T y p e N a m e = " D o c u m e n t " m a : c o n t e n t T y p e I D = " 0 x 0 1 0 1 0 0 0 2 B 9 F F F 9 2 7 1 0 6 E 4 0 A E 8 A 4 5 4 1 E 3 1 6 8 E 7 B " m a : c o n t e n t T y p e V e r s i o n = " 1 5 " m a : c o n t e n t T y p e D e s c r i p t i o n = " C r e a t e a n e w d o c u m e n t . " m a : c o n t e n t T y
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 63 74 3a 63 6f 6e 74 65 6e 74 54 79 70 65 53 63 68 65 6d 61 20 63 74 3a 5f 3d 22 22 20 6d 61 3a 5f 3d 22 22 20 6d 61 3a 63 6f 6e 74 65 6e 74 54 79 70 65 4e 61 6d 65 3d 22 44 6f 63 75 6d 65 6e 74 22 20 6d 61 3a 63 6f 6e 74 65 6e 74 54 79 70 65 49 44 3d 22 30 78 30 31

Stream Path: MsoDataStore/\x214\x216212\x218REVEW\x208SYRM5\x212\x220\x209\x220\x208==/Properties, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 201

General
Stream Path:	MsoDataStore/\x214\x216212\x218REVEW\x208SYRM5\x212\x220\x209\x220\x208==/Properties
CLSID:
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Stream Size:	201
Entropy:	5.305704505427122
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { 7 3 1 B 8 7 D B - 4 4 A 4 - 4 5 5 4 - B 0 4 9 - 8 4 4 C 7 F 4 F 3 1 F 3 } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " / >
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 37 33 31 42 38 37 44 42 2d 34 34 41 34 2d 34 35 35 34 2d 42 30 34 39 2d 38 34 34 43 37 46 34 46 33 31 46 33 7d 22 20 78 6d 6c

Stream Path: MsoDataStore/\x2174\x219\x219\x216B\x202\x219QE4\x192Y\x220\x205\x206\x216\x219\x213\x214\x216A==/Item, File Type: XML 1.0 document, ASCII text, with no line terminators, Stream Size: 128

General
Stream Path:	MsoDataStore/\x2174\x219\x219\x216B\x202\x219QE4\x192Y\x220\x205\x206\x216\x219\x213\x214\x216A==/Item
CLSID:
File Type:	XML 1.0 document, ASCII text, with no line terminators
Stream Size:	128
Entropy:	4.83207575873534
Base64 Encoded:	False
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > < L o n g P r o p e r t i e s x m l n s = " h t t p : / / s c h e m a s . m i c r o s o f t . c o m / o f f i c e / 2 0 0 6 / m e t a d a t a / l o n g P r o p e r t i e s " / >
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 4c 6f 6e 67 50 72 6f 70 65 72 74 69 65 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 6f 66 66 69 63 65 2f 32 30 30 36 2f 6d 65 74 61 64 61 74 61 2f 6c 6f 6e 67 50 72 6f 70 65 72 74 69 65 73 22 2f 3e

Stream Path: MsoDataStore/\x2174\x219\x219\x216B\x202\x219QE4\x192Y\x220\x205\x206\x216\x219\x213\x214\x216A==/Properties, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 201

General
Stream Path:	MsoDataStore/\x2174\x219\x219\x216B\x202\x219QE4\x192Y\x220\x205\x206\x216\x219\x213\x214\x216A==/Properties
CLSID:
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Stream Size:	201
Entropy:	5.3026754165741625
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { E 0 F B E E E 5 - B B 1 A - 4 7 4 0 - A 0 6 3 - C B 6 E E 3 B D 7 6 E 0 } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " / >
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 45 30 46 42 45 45 45 35 2d 42 42 31 41 2d 34 37 34 30 2d 41 30 36 33 2d 43 42 36 45 45 33 42 44 37 36 45 30 7d 22 20 78 6d 6c

Stream Path: WordDocument, File Type: data, Stream Size: 4063545

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4063545
Entropy:	7.972795149695688
Base64 Encoded:	True
Data ASCII:	. 7 . . . . . . . . . . . . . . . . . . . . . . $ . . . . b j b j Q Q . . . . . . . . . . . . . . . . . . . . . . 9 . > . 3 d 3 d w . . . . . . . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . d . . . \\ . . . . . . . . . . J . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 37 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 06 24 00 00 0e 00 62 6a 62 6a 51 f7 51 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 39 01 3e 00 33 9d ce 64 33 9d ce 64 77 1b 00 00 00 00 00 00 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 08 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Target ID:	0
Start time:	05:08:50
Start date:	04/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f720000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:08:52
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x13fa80000
File size:	425'984 bytes
MD5 hash:	D683C112190F4B4C6D477D693EE88E35
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
Document_OpenAPIs: 45, Strings: 7, Number of lines: 26, Relevance: 114.026

APIs	Meta Information
IsNull
Part of subcall function GetDefaultDrafts@ThisDocument: GetObject
Part of subcall function GetDefaultDrafts@ThisDocument: GetStringValue
Part of subcall function GetDefaultDrafts@ThisDocument: HKEY_LOCAL_MACHINE
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
Part of subcall function GetDefaultDrafts@ThisDocument: IsNull
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
InStr	InStr("C:\Users\Albus\Desktop","http://") -> 0
Path
ActiveDocument
IsNull
Part of subcall function GetCustomDrafts@ThisDocument: GetObject
Part of subcall function GetCustomDrafts@ThisDocument: GetStringValue
Part of subcall function GetCustomDrafts@ThisDocument: HKEY_LOCAL_MACHINE
Part of subcall function GetCustomDrafts@ThisDocument: strValue
Part of subcall function GetCustomDrafts@ThisDocument: IsNull
Part of subcall function GetCustomDrafts@ThisDocument: strValue
Part of subcall function GetCustomDrafts@ThisDocument: strValue
InStr	InStr("C:\Users\Albus\Desktop","C:\Users\Albus\Documents\SharePoint Drafts") -> 0
Path
ActiveDocument
Part of subcall function GetDefaultDrafts@ThisDocument: GetObject
Part of subcall function GetDefaultDrafts@ThisDocument: GetStringValue
Part of subcall function GetDefaultDrafts@ThisDocument: HKEY_LOCAL_MACHINE
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
Part of subcall function GetDefaultDrafts@ThisDocument: IsNull
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
Part of subcall function GetDefaultDrafts@ThisDocument: strValue
MsgBox
vbCritical
ContentTypeProperties
InStr
Path
ActiveDocument
Part of subcall function GetCustomDrafts@ThisDocument: GetObject
Part of subcall function GetCustomDrafts@ThisDocument: GetStringValue
Part of subcall function GetCustomDrafts@ThisDocument: HKEY_LOCAL_MACHINE
Part of subcall function GetCustomDrafts@ThisDocument: strValue
Part of subcall function GetCustomDrafts@ThisDocument: IsNull
Part of subcall function GetCustomDrafts@ThisDocument: strValue
Part of subcall function GetCustomDrafts@ThisDocument: strValue
MsgBox
vbCritical
ContentTypeProperties

Strings	Decrypted Strings
"http://"
""""
"Barcode String"
""""
"Barcode String"
""""
"Barcode String"

Line	Instruction	Meta Information
9	Private Sub Document_Open()
11	If IsNull(GetDefaultDrafts()) Then	IsNull executed
11	Exit Sub
11	Endif
14	If InStr(ActiveDocument.Path, "http://") = 1 Then	InStr("C:\Users\Albus\Desktop","http://") -> 0 Path ActiveDocument executed
16	Exit Sub
17	Else
19	If IsNull(GetCustomDrafts()) Then	IsNull
23	If InStr(ActiveDocument.Path, GetDefaultDrafts()) = 1 Then	InStr("C:\Users\Albus\Desktop","C:\Users\Albus\Documents\SharePoint Drafts") -> 0 Path ActiveDocument executed
25	Exit Sub
26	Else
27	MsgBox WarningMessage(), vbCritical	MsgBox vbCritical
28	ThisDocument.ContentTypeProperties("Barcode String") = ""	ContentTypeProperties
29	Exit Sub
30	Endif
31	Else
33	If InStr(ActiveDocument.Path, GetCustomDrafts()) = 1 Then	InStr Path ActiveDocument
35	Exit Sub
36	Else
37	MsgBox WarningMessage(), vbCritical	MsgBox vbCritical
38	ThisDocument.ContentTypeProperties("Barcode String") = ""	ContentTypeProperties
39	Exit Sub
40	Endif
41	Endif
42	Endif
43	End Sub

Function
GetDefaultDraftsAPIs: 7, Strings: 4, Number of lines: 13, Relevance: 21.013

APIs	Meta Information
GetObject	GetObject("winmgmts:\\.\root\default:StdRegProv")
GetStringValue
HKEY_LOCAL_MACHINE
strValue
IsNull
strValue
strValue

Strings	Decrypted Strings
"."
"winmgmts:\\"
"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"Personal"

Line	Instruction	Meta Information
45	Function GetDefaultDrafts()
46	Const HKEY_LOCAL_MACHINE = &H80000001	executed
48	strComputer = "."
49	Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")	GetObject("winmgmts:\\.\root\default:StdRegProv") executed
52	strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
53	strValueName = "Personal"
54	objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue	GetStringValue HKEY_LOCAL_MACHINE strValue
55	If IsNull(strValue) Then	IsNull strValue
56	GetDefaultDrafts = Null
57	Else
58	GetDefaultDrafts = strValue + "\SharePoint Drafts"	strValue
59	Endif
61	End Function

Function
GetCustomDraftsAPIs: 7, Strings: 4, Number of lines: 13, Relevance: 21.013

APIs	Meta Information
GetObject	GetObject("winmgmts:\\.\root\default:StdRegProv")
GetStringValue
HKEY_LOCAL_MACHINE
strValue
IsNull
strValue
strValue

Strings	Decrypted Strings
"."
"winmgmts:\\"
"Software\Microsoft\Office\Common\Offline\Options"
"Location"

Line	Instruction	Meta Information
63	Function GetCustomDrafts()
64	Const HKEY_LOCAL_MACHINE = &H80000001	executed
66	strComputer = "."
67	Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")	GetObject("winmgmts:\\.\root\default:StdRegProv") executed
70	strKeyPath = "Software\Microsoft\Office\Common\Offline\Options"
71	strValueName = "Location"
72	objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue	GetStringValue HKEY_LOCAL_MACHINE strValue
73	If IsNull(strValue) Then	IsNull strValue
74	GetCustomDrafts = Null
75	Else
76	GetCustomDrafts = strValue	strValue
77	Endif
79	End Function

Function
WarningMessageAPIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings	Decrypted Strings
"It seems that this document has not been opened from SharePoint library but from local copy instead. Local copies must not be used to preserve system functionality."

Line	Instruction	Meta Information
81	Function WarningMessage()
82	WarningMessage = "It seems that this document has not been opened from SharePoint library but from local copy instead. Local copies must not be used to preserve system functionality."	executed
83	End Function

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CPM Packing V4.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4DED5C6A-1761-4786-961A-5F5287EDAFD1}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DD7503E-D112-4243-9235-58AC77741C33}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BCC7CD1-ED54-4E14-9DA6-D615130C6A08}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B402D7-918F-4449-A5AF-6E918A27D07F}.tmp

C:\Users\user\AppData\Local\Temp\~DF1469EBB44199A005.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\CPM Packing V4.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$M Packing V4.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "CPM Packing V4.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 7440

General

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "ntRef", Stream Size: 824

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 380

General

Stream Path: 1Table, File Type: data, Stream Size: 34280

Windows Analysis Report
CPM Packing V4.doc

Subroutine
Document_OpenAPIs: 45, Strings: 7, Number of lines: 26, Relevance: 114.026

Function
GetDefaultDraftsAPIs: 7, Strings: 4, Number of lines: 13, Relevance: 21.013

Function
GetCustomDraftsAPIs: 7, Strings: 4, Number of lines: 13, Relevance: 21.013

Function
WarningMessageAPIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253