Windows Analysis Report
PO-070-2024 EXW.docx

Overview

General Information

Sample name: PO-070-2024 EXW.docx
Analysis ID: 1525993
MD5: ec393bad7364db40b4fb1d07a654ec54
SHA1: b51e6d26528e3667e87c29672dec312a6f4d7a90
SHA256: b36248f2e24e6ac7fa34c51336c87b0564f566bf37e4f80010ecffc0baf77986

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)
Contains an external reference to another file
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

Source: unknown HTTPS traffic detected: 213.183.76.21:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 213.183.76.22:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 213.183.76.21:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 213.183.76.22:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: global traffic DNS query: name: stylite.io
Source: Joe Sandbox View ASN Name: PFALZKOM-NETKoschatplatz1DE PFALZKOM-NETKoschatplatz1DE
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /G2eK HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: stylite.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /404 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: stylite.ioConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C5D7766F-BCC3-4F8D-B0D1-2EF8DB43D0A9}.tmp
Source: global traffic DNS traffic detected: DNS query: stylite.io
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 4645Content-Type: text/html; charset=utf-8Date: Fri, 04 Oct 2024 14:32:21 GMTEtag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"Strict-Transport-Security: max-age=15552000; includeSubDomainsVary: Accept-EncodingX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Powered-By: Next.jsX-Xss-Protection: 1; mode=blockConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 144Content-Security-Policy: default-src 'none'Content-Type: text/html; charset=utf-8Date: Fri, 04 Oct 2024 14:32:26 GMTStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Xss-Protection: 1; mode=blockConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 144Content-Security-Policy: default-src 'none'Content-Type: text/html; charset=utf-8Date: Fri, 04 Oct 2024 14:32:28 GMTStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Xss-Protection: 1; mode=blockConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Date: Fri, 04 Oct 2024 14:32:30 GMTEtag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"Strict-Transport-Security: max-age=15552000; includeSubDomainsVary: Accept-EncodingX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Powered-By: Next.jsX-Xss-Protection: 0Connection: closeTransfer-Encoding: chunked
Source: ~WRF{D9F34C1E-4854-4139-A8B6-41A439905E70}.tmp.1.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal56.evad.winDOCX@1/16@7/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$-070-2024 EXW.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB940.tmp
Source: PO-070-2024 EXW.docx OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.1.dr OLE indicator, Word Document stream: true
Source: PO-070-2024 EXW.docx OLE document summary: title field not present or empty
Source: ~WRF{D9F34C1E-4854-4139-A8B6-41A439905E70}.tmp.1.dr OLE document summary: title field not present or empty
Source: ~WRF{D9F34C1E-4854-4139-A8B6-41A439905E70}.tmp.1.dr OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.1.dr OLE document summary: title field not present or empty
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: PO-070-2024 EXW.LNK.1.dr LNK file: ..\..\..\..\..\Desktop\PO-070-2024 EXW.docx
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PO-070-2024 EXW.docx Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: PO-070-2024 EXW.docx Initial sample: OLE zip file path = word/media/image3.emf
Source: PO-070-2024 EXW.docx Initial sample: OLE zip file path = word/media/image2.emf
Source: PO-070-2024 EXW.docx Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.1.dr Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.1.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet2.xlsx
Source: ~WRD0000.tmp.1.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0000.tmp.1.dr Initial sample: OLE zip file path = word/media/image2.emf
Source: ~WRD0000.tmp.1.dr Initial sample: OLE zip file path = word/media/image3.emf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: PO-070-2024 EXW.docx Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\stylite.io@SSL\DavWWWRoot
Source: settings.xml.rels Extracted files from sample: https://stylite.io/g2ek
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: ~WRF{D9F34C1E-4854-4139-A8B6-41A439905E70}.tmp.1.dr Stream path '_1789543103/Package' entropy: 7.94289414861 (max. 8.0)