Windows Analysis Report
Purchase.docx.doc

Overview

General Information

Sample name:	Purchase.docx.doc
Analysis ID:	1530603
MD5:	9ec8124d54f80eb303c9d90145dba41d
SHA1:	759ce0e5f46ca8d25a901c988a92ed0a6837738b
SHA256:	6728d812ad1188928237a5155456d7408deff144fa7ac376a075d44361287363
Tags:	docdocxuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Contains an external reference to another file

Office viewer loads remote template

Document misses a certain OLE stream usually present in this Microsoft Office document type

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://87.120.84.38/txt/mnobinm.doc

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%			Perma Link

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SHARCOM-ASBG SHARCOM-ASBG

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /txt/mnobinm.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 87.120.84.38Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp

Jump to behavior

Source: global traffic

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:18 GMTContent-Type: text/html; charset=iso-8859-1Connection: keep-alive
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p\|:O!d4^=+UU9\=\)\|0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal72.evad.winDOC@1/12@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9CBB.tmp

Jump to behavior

Source: Purchase.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%

Source: Purchase.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Purchase.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Purchase.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Purchase.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\87.120.84.38\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://87.120.84.38/txt/mnobinm.doc

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.84.38	unknown	Bulgaria		51189	SHARCOM-ASBG	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://87.120.84.38/txt/mnobinm.doc	true	6%, Virustotal, Browse	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)	data	71F270238EE4F666A73733D978B02044	8023A1C6D6EAD3D3D9C9C75F811996B30C77B456	56FB9A9F6E8271DE6841A6621A96A50D5CAE8410B66E395418017FAD4067951E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp	Composite Document File V2 Document, Cannot read section info	6DAC5A4D87CA4A7286C9AC02BB7CB3B2	ECFCCCA255345A83F6DD0B28637C077A1918728D	CC1298C735214D70D15DC53ED55B60DBAF0155E13F407546132D627DB8B97E9D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5381DBA7-5EAD-4480-A030-82D263AA0387}.tmp	data	4EED3A8E4CF59A1998DDD1077FC1207D	B06F180518710946443E3EBDBF3B63B1BF78EC25	E13E4A9273A8659C12EBAB334E1FC45563C2FD2F0CE6CD3210B684AFA88B5188
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E0E2185F-EAD9-43DA-AAAE-13DEBD784375}.tmp	data	88FC649A1A53367ABC2D81F79F5B5BCC	8371974903C0BEF924218293A25FC0347E78E54D	AB42A86AC5190EC3501684DA7767357ABB1A58F1E25B106F2F3C2D9340C53B85
C:\Users\user\AppData\Local\Temp\{19B1881F-0AC8-42AE-B404-36925486FA8A}	data	71F270238EE4F666A73733D978B02044	8023A1C6D6EAD3D3D9C9C75F811996B30C77B456	56FB9A9F6E8271DE6841A6621A96A50D5CAE8410B66E395418017FAD4067951E
C:\Users\user\AppData\Local\Temp\{992A1E6B-0327-48D7-B980-CF567BE72ABB}	data	1838FE007F9B2E1B74092BA6FC67AF7A	5F3EC7B89D7334464AC7F6CCBF071133861F6B4B	94BCA3DEBE60D7DCDAAAF76122951D45BA20F9D06B5EAD812D6B9431C58BFA2C
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase.docx.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Thu Oct 10 06:46:12 2024, length=327342, window=hide	D3D410C92FDC33B64B911FBFFA10ED28	2FE8EC7CF103DA0B8A86DC23F8C6C57239A1248B	ECA64DEB3FFFB4E44361756E31B9D4A7BC7694BDBBEF5E270CBAC3D52F1963C0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	5721473985F4EC768FF5ABED8CB6CD10	4495BF7636E13AE4CA07345906E9FACC1ED69593	0BCE0B9384914B4B637C1FEE5144389E4D61F0C24452B96A00414F26C39ACA77
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\Desktop\~$rchase.docx.doc	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://87.120.84.38/txt/mnobinm.doc

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%			Perma Link

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SHARCOM-ASBG SHARCOM-ASBG

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp

Jump to behavior

Source: global traffic

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:18 GMTContent-Type: text/html; charset=iso-8859-1Connection: keep-alive
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p\|:O!d4^=+UU9\=\)\|0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal72.evad.winDOC@1/12@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9CBB.tmp

Jump to behavior

Source: Purchase.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%

Source: Purchase.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Purchase.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Purchase.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Purchase.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\87.120.84.38\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://87.120.84.38/txt/mnobinm.doc

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

ID:	1530603
Product:	CloudBasic
Start time:	09:45:14
Start date:	10.10.2024
Sample:	Purchase.docx.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9ec8124d54f80eb303c9d90145dba41d
SHA1:	759ce0e5f46ca8d25a901c988a92ed0a6837738b
SHA256:	6728d812ad1188928237a5155456d7408deff144fa7ac376a075d44361287363
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 58.23%

Windows Analysis Report
Purchase.docx.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report Purchase.docx.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
Purchase.docx.doc