Windows
Analysis Report
CPM Packing V4.doc
Overview
General Information
Detection
Score: | 22 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Document exploit detected (process start blacklist hit)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
May sleep (evasive loops) to hinder dynamic analysis
Classification
- System is w7x64
- WINWORD.EXE (PID: 3308 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- WmiPrvSE.exe (PID: 3416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: D683C112190F4B4C6D477D693EE88E35)
- cleanup
No configs have been found
No yara matches
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
No Suricata rule has matched
Signature evidence (the source values and the linked behaviour details are not present in this extract):
- File opened
- Software Vulnerabilities (signature section header)
- Process created
- File created
- OLE, VBA macro line
- OLE, VBA macro: Name: Document_Open
- OLE indicator, VBA macros
- Stream path 'Macros/VBA/__SRP_0'
- Classification label
- File created (2 entries)
- OLE indicator, Word Document stream
- OLE document summary (2 entries)
- File read
- Process created (2 entries)
- Section loaded (10 entries)
- LNK file
- Window detected
- Key opened
- Static file information
- File opened
- Initial sample
- Process information set (30 entries)
- Stream path 'WordDocument' entropy
- Thread sleep time
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 2 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 2 Scripting | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
No Antivirus matches
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1525553 |
Start date and time: | 2024-10-04 11:07:55 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 11m 12s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | CPM Packing V4.doc |
Detection: | SUS |
Classification: | sus22.expl.winDOC@2/9@0/0 |
Cookbook Comments: |
|
- Max analysis timeout: 600s exceeded, the analysis took too long
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: CPM Packing V4.doc
Time | Type | Description |
---|---|---|
05:08:52 | API Interceptor | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4DED5C6A-1761-4786-961A-5F5287EDAFD1}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | CE338FE6899778AACFC28414F2D9498B |
SHA1: | 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1 |
SHA-256: | 4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE |
SHA-512: | 6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DD7503E-D112-4243-9235-58AC77741C33}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:X:X |
MD5: | FEAD052EEEDCFB31C49B19F91EDDED24 |
SHA1: | 40C7BD210D05DBEA19402B952DD416E487450955 |
SHA-256: | C2E1FFA0ECEBA9690A006CC9512C700290D9FD4F5F717FC42C36FAA466F244BE |
SHA-512: | 731913CEF824672BC315342B79B58BB79B5C3FA3FA18A01395B5CA9BFEFA6F8DD4E87B2105AACE6FFAC89BE0A9DC9266A68F04FA54CA0FB21D0FB327ABF6E2E2 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BCC7CD1-ED54-4E14-9DA6-D615130C6A08}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B402D7-918F-4449-A5AF-6E918A27D07F}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.3560167139182788 |
Encrypted: | false |
SSDEEP: | 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbH:IiiiiiiiiifdLloZQc8++lsJe1MzE |
MD5: | 23CBB4215CFF87F1C2F0C1EFDC281276 |
SHA1: | 666BC3D172B34CDF51E2B5A220A7494E0EA73498 |
SHA-256: | FA43A627C94DE4D369AA643075D174BFBE5F80181A929EFA8B0F21D0B7816C76 |
SHA-512: | 2BA815E1EB33F650B4DE1D46E788B752C0DBB301D4CF5E5F9257FE5D70E2C0D8EE7C016509CDA2AB81F3861E34E3A1172807E9A472A60E6D54579E428813209A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1034 |
Entropy (8bit): | 4.562140930473445 |
Encrypted: | false |
SSDEEP: | 12:838T/ftgXg/XAlCPCHaXZBUB/qPX+WWaGIx1kDjicvbKQyjIz51kD5DtZ3YilMMm:838TD/XTpa4xkDWesUkD5Dv3qY/57u |
MD5: | 7368BE70301340EFE9C4D2B51D2379FC |
SHA1: | DCC6F8C86270402C086F9F72EAEC33CDB0CF7CE7 |
SHA-256: | 3911DB01A9457DDC50E212A6A8BD8EC7540AE78F7C3D916F64DDD5BEC7F28301 |
SHA-512: | 8EF8038237C8960516BA71035EF557E5C4534F0C910BBBA48F20652D2D1FCECD0ECC6C81AA9E11370236C1A24B6CBF72FC9CBF02E9699C81A822DB52E6CCAF7E |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 62 |
Entropy (8bit): | 4.748472318416496 |
Encrypted: | false |
SSDEEP: | 3:M1XELp6YVom4zTELp6YVov:MtK64KK64y |
MD5: | BFBEC8F1EF15BA76E95F6133BE87952C |
SHA1: | E4DC0528367C73E9B28DCB097E7D14E5DDBC7EA5 |
SHA-256: | 333693211113D98CBB18CDD08FE6051A3490123C7D8016F69ADD09BF58572201 |
SHA-512: | 4558C999BD338F321B9BE0ACD19DBC647C0E189A02A3FBE7D382DC91CACE88EE51C2A384F33540ED4BAC0684B499A585B82D7E4FC83EC44E4A9A236D10874C18 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020307 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l |
MD5: | 89AFCB26CA4D4A770472A95DF4A52BA8 |
SHA1: | C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5 |
SHA-256: | EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17 |
SHA-512: | EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020307 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l |
MD5: | 89AFCB26CA4D4A770472A95DF4A52BA8 |
SHA1: | C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5 |
SHA-256: | EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17 |
SHA-512: | EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.942640168768032 |
TrID: |
|
File name: | CPM Packing V4.doc |
File size: | 4'581'888 bytes |
MD5: | 7a078d4d0a5c398abe27ec81ed83f8e5 |
SHA1: | 516bdb766e723e84c5fc16911ce919c4192967b3 |
SHA256: | 77e1176a4b3d43954517fe7934461d4b758150078f1b93381eb0ed08c6cbaf2f |
SHA512: | 8d6e6149723b7700669f8ae5ee7fce0c064d2837b65713229dfe0ba618c7ae27cec15276c03ef59747cece6647d48dde3a9dac2f81e9d0e68c93f27612dafd59 |
SSDEEP: | 98304:/alDKXLJz7ER/7WHBZV883r3TWDtv2fHKGA1D:/alDW9EVyjV88nW0HKGA1 |
TLSH: | CB262304FF92AE3AC016153195A7C779832ADCCA0A91875339FB3F67BC745A25D83B18 |
File Content Preview: | ........................>...................F...............e"..........................................................d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d.......d...... |
Icon Hash: | 2764a3aaaeb7bdbf |
Document Type: | OLE |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Code Page: | 1252 |
Title: | |
Author: | |
Template: | |
Last Saved By: | |
Revision Number: | 2 |
Total Edit Time: | 0 |
Last Printed: | 2012-07-10 12:57:00 |
Create Time: | 2018-07-31 15:30:00 |
Last Saved Time: | 2018-07-31 15:30:00 |
Number of Pages: | 8 |
Number of Words: | 1049 |
Number of Characters: | 5982 |
Creating Application: | |
Security: | 0 |
Document Code Page: | 1252 |
Number of Lines: | 49 |
Number of Paragraphs: | 14 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 1048576 |
General | |
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 7440 |
Data ASCII: | . . . . . . . . . . . . . . . b . . . | . . . . . . . . . . . . . . . . . . k . . . . . . . . . . . . . . . . . . . < . . . ! % = ? g 3 D j c Q . J N R . . . . . . . . . . . . . . . . . . . . 5 + ` . O F h I . . . . . . . . . . . . . . . . . . . . . . x . . . . 5 + ` . O F h I ! % = ? g 3 D j c Q . . . . M E . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . S " . . . . S . . . . . S " . . . . > " . . . . . . . . . . . . . . . . L . . . . . L . . . . . . . . . . . . . . . . . L . . . . . L . . . . . < |
Data Raw: | 01 16 01 00 06 00 01 00 00 b6 0c 00 00 e4 00 00 00 62 02 00 00 7c 0d 00 00 8a 0d 00 00 1e 18 00 00 00 00 00 00 01 00 00 00 af fe 6b aa 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 21 25 3d 3f 91 67 33 44 bc 6a 88 a2 89 63 51 da cd 02 aa eb 4a fe ba 4e 80 52 bf a7 b7 9b eb 83 00 00 00 00 00 00 00 00 00 00 00 00 00 |