Edit tour

Windows Analysis Report
Purchase.docx.doc

Overview

General Information

Sample name:	Purchase.docx.doc
Analysis ID:	1530603
MD5:	9ec8124d54f80eb303c9d90145dba41d
SHA1:	759ce0e5f46ca8d25a901c988a92ed0a6837738b
SHA256:	6728d812ad1188928237a5155456d7408deff144fa7ac376a075d44361287363
Tags:	docdocxuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Contains an external reference to another file

Office viewer loads remote template

Document misses a certain OLE stream usually present in this Microsoft Office document type

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3248 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3248, Protocol: tcp, SourceIp: 87.120.84.38, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3248, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3248, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://87.120.84.38/txt/mnobinm.doc

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%			Perma Link

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Source: Joe Sandbox View

ASN Name: SHARCOM-ASBG SHARCOM-ASBG

Source: global traffic

HTTP traffic detected: GET /txt/mnobinm.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 87.120.84.38Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp

Jump to behavior

Source: global traffic

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:18 GMTContent-Type: text/html; charset=iso-8859-1Connection: keep-alive
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 10 Oct 2024 07:46:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p\|:O!d4^=+UU9\=\)\|0

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal72.evad.winDOC@1/12@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9CBB.tmp

Jump to behavior

Source: Purchase.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Purchase.docx.doc	ReversingLabs: Detection: 39%
Source: Purchase.docx.doc	Virustotal: Detection: 53%

Source: Purchase.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Purchase.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Purchase.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Purchase.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\87.120.84.38\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://87.120.84.38/txt/mnobinm.doc

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	12 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase.docx.doc	39%	ReversingLabs	Document-Word.Exploit.CVE-2017-0199
Purchase.docx.doc	53%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://87.120.84.38/txt/mnobinm.doc	6%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://87.120.84.38/txt/mnobinm.doc	true	6%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.84.38	unknown	Bulgaria		51189	SHARCOM-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530603
Start date and time:	2024-10-10 09:45:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase.docx.doc
Detection:	MAL
Classification:	mal72.evad.winDOC@1/12@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
87.120.84.38	Purchase 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38/txt/fWAcz73TNXEbaJ2.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHARCOM-ASBG	Purchase 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	kj5f8keqNK.elf	Get hash	malicious	Unknown	Browse	87.120.84.105
	ZtQY1K6aTi.exe	Get hash	malicious	RisePro Stealer	Browse	87.120.84.5
	Sig.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	87.120.84.140
	http://87.120.84.22	Get hash	malicious	Unknown	Browse	87.120.84.22
	Browser Update.js	Get hash	malicious	BitRAT, RHADAMANTHYS	Browse	87.120.84.233
	qqeng.pdf.lnk	Get hash	malicious	RHADAMANTHYS	Browse	87.120.84.233
	qqeng.exe	Get hash	malicious	RHADAMANTHYS	Browse	87.120.84.233
	W57eRMWUqG.exe	Get hash	malicious	Amadey, PureLog Stealer	Browse	87.120.84.156
	93GwwLKH1N.exe	Get hash	malicious	Amadey, PureLog Stealer	Browse	87.120.84.156

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025653293174128594
Encrypted:	false
SSDEEP:	6:I3DPcyLzexVvxggLRsnJ/BmTnpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPfkYnJ/QTHvYg3J/
MD5:	71F270238EE4F666A73733D978B02044
SHA1:	8023A1C6D6EAD3D3D9C9C75F811996B30C77B456
SHA-256:	56FB9A9F6E8271DE6841A6621A96A50D5CAE8410B66E395418017FAD4067951E
SHA-512:	AC6A6B2E77A1E9E461393A16B05131D10F690B06E367FEF2737C2B9A2EEB49BDC043F469EE7A2E054F6C8824E2A549505AF397AD3E2C68BDD4D287B3E3B3FC60
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zY".X...J...o.G..S,...X.F...Fa.q............................{m.g!$.M..B....T........B{yNT=.C.............................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	1.416431020883067
Encrypted:	false
SSDEEP:	12:rl3lTpFQURuXIi+cNMQi+cNMQCIQYQQYQCICICb77:rnA6eMyeMOA
MD5:	6DAC5A4D87CA4A7286C9AC02BB7CB3B2
SHA1:	ECFCCCA255345A83F6DD0B28637C077A1918728D
SHA-256:	CC1298C735214D70D15DC53ED55B60DBAF0155E13F407546132D627DB8B97E9D
SHA-512:	C3578B61889E37D1BC3F9FBA0249E9C8B862E93DA79801A47C64112D17CD8ECBA6218971DF855C01FC915304733F0B1BD68C8BE11D4607E5B9E7257B93D81091
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5381DBA7-5EAD-4480-A030-82D263AA0387}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1879552
Entropy (8bit):	3.6504681095961264
Encrypted:	false
SSDEEP:	6144:6emBde8emQrde9emBdehemKembemBdeUemBdeQemBdehemHemBde2emBdeuemBd+:00s9
MD5:	4EED3A8E4CF59A1998DDD1077FC1207D
SHA1:	B06F180518710946443E3EBDBF3B63B1BF78EC25
SHA-256:	E13E4A9273A8659C12EBAB334E1FC45563C2FD2F0CE6CD3210B684AFA88B5188
SHA-512:	414174170F62AB12E56FBCE6E213B7FB3FFC150F71119D8D49924FE6C02B4B2A3BD0419A4585148A704F4C910F63C524F91FF543396B1C160217B5397F166A04
Malicious:	false
Reputation:	low
Preview:	..d.M.B.C.....B.E.S.O.N.D.E.R.H.E.D.E. .B.E.S.O.N.D.E.R.H.E.D.E. .V.I.R. .H.I.E.R.D.I.E. .M.A.A.N.D.....D.R.A.E.N.D.E. .N.R... .H.O.E.V.....3.0.2.0.8. .N.B.C. .D.R.A.A.G. .3.0. .S.T.K.....3.0.3.0.8. .N.B.C. .D.R.A.A.G. .6. .S.T.K.....3.2.0.0.7.X. .N.B.C. .D.R.A.A.G. .7.4. .S.T.K.....3.3.0.0.5. .N.B.C. .w.a.t. .5. .s.t.e.l.l.e. .d.r.a.....5.2.7.9.9. ./. .8.0.0.U. .(.2.5.8.7.7./.2.1.). .N.B.C. .w.a.t. .3.0. .P.C.S. .d.r.a.....6.0.0.1. .N.B.C. .w.a.t. .1.0.0. .s.t.u.k.s. .d.r.a.....6.0.0.4. .N.B.C. .w.a.t. ...................f...h...................................R...T..................................................................................................................................................................................................................................................................................................<...$..$.If........!v..h.#v..9.:V....l...,..t.......9..6.,.....5.....9.9...../.............B.....a..].p............yt.K......d........gd.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E0E2185F-EAD9-43DA-AAAE-13DEBD784375}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849453
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbI:IiiiiiiiiifdLloZQc8++lsJe1Mzbn
MD5:	88FC649A1A53367ABC2D81F79F5B5BCC
SHA1:	8371974903C0BEF924218293A25FC0347E78E54D
SHA-256:	AB42A86AC5190EC3501684DA7767357ABB1A58F1E25B106F2F3C2D9340C53B85
SHA-512:	E51222105BFD1B42F86FD728F4609F05C33A061AEDE8C42D2843D3F12E311604592B35A71D1F572F8715FD48C9CEC2F79A23EE3BC8D9929989797B2AF287630E
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{19B1881F-0AC8-42AE-B404-36925486FA8A}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025653293174128594
Encrypted:	false
SSDEEP:	6:I3DPcyLzexVvxggLRsnJ/BmTnpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPfkYnJ/QTHvYg3J/
MD5:	71F270238EE4F666A73733D978B02044
SHA1:	8023A1C6D6EAD3D3D9C9C75F811996B30C77B456
SHA-256:	56FB9A9F6E8271DE6841A6621A96A50D5CAE8410B66E395418017FAD4067951E
SHA-512:	AC6A6B2E77A1E9E461393A16B05131D10F690B06E367FEF2737C2B9A2EEB49BDC043F469EE7A2E054F6C8824E2A549505AF397AD3E2C68BDD4D287B3E3B3FC60
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zY".X...J...o.G..S,...X.F...Fa.q............................{m.g!$.M..B....T........B{yNT=.C.............................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{992A1E6B-0327-48D7-B980-CF567BE72ABB}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025642855662270602
Encrypted:	false
SSDEEP:	6:I3DPcbAxFvxggLR7Ztw+UFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPRxpk+qvYg3J/
MD5:	1838FE007F9B2E1B74092BA6FC67AF7A
SHA1:	5F3EC7B89D7334464AC7F6CCBF071133861F6B4B
SHA-256:	94BCA3DEBE60D7DCDAAAF76122951D45BA20F9D06B5EAD812D6B9431C58BFA2C
SHA-512:	48D10E9E3088EB0DFAEEBDB35028F35A454B478C973B89F2BC2CA9190383712C1925F4C0674198CD40F329FB10234F8F4B17B6179D5724C6714AB0FA9581A21A
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.o.9.K....<..#S,...X.F...Fa.q............................%..\|W.J.P..............o..[...H.Pb.G..p.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase.docx.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Thu Oct 10 06:46:12 2024, length=327342, window=hide
Category:	dropped
Size (bytes):	1029
Entropy (8bit):	4.554233686300356
Encrypted:	false
SSDEEP:	12:8g3gXg/XAlCPCHaXkBkoB/qPX+WeMQ9IB+l4icvbNIQHl4s3DtZ3YilMMEpxRljf:8C/XT0Co46pReKQHL3Dv3qk57u
MD5:	D3D410C92FDC33B64B911FBFFA10ED28
SHA1:	2FE8EC7CF103DA0B8A86DC23F8C6C57239A1248B
SHA-256:	ECA64DEB3FFFB4E44361756E31B9D4A7BC7694BDBBEF5E270CBAC3D52F1963C0
SHA-512:	D99B829D01BCF01968E4EE5EE086F81EB5A1DA6D8B94623482D0B97490C5A6DF14471DE4FDD14834CE799BCEFEFEE7DE65F66BBED2FFBF6809C658D422E16212
Malicious:	false
Preview:	L..................F.... ...w.t.r...w.t.r......z.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....JY.=..user.8......QK.XJY.=...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2.....JY.= .PURCHA~1.DOC..P.......WE..WE..........................P.u.r.c.h.a.s.e...d.o.c.x...d.o.c.......{...............-...8...[............?J......C:\Users\..#...................\\138727\Users.user\Desktop\Purchase.docx.doc.(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.u.r.c.h.a.s.e...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......138727..........D_....3N...W...9..W.e8...8.....[D_....3

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.408985545926399
Encrypted:	false
SSDEEP:	3:M1aWN28GJFSm4iWN28GJFSv:MYD8GJFvD8GJFc
MD5:	5721473985F4EC768FF5ABED8CB6CD10
SHA1:	4495BF7636E13AE4CA07345906E9FACC1ED69593
SHA-256:	0BCE0B9384914B4B637C1FEE5144389E4D61F0C24452B96A00414F26C39ACA77
SHA-512:	6F9187FE5B3789A7FD407FB61314A7914F704131CF40F8AE408174251BF0D80545F96E3D2FF08EC6DB9C75DF1C11629DDE01C79E33B6F14713670CD2985505DF
Malicious:	false
Preview:	[doc]..Purchase.docx.LNK=0..[folders]..Purchase.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$rchase.docx.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.993449297087437
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	Purchase.docx.doc
File size:	327'342 bytes
MD5:	9ec8124d54f80eb303c9d90145dba41d
SHA1:	759ce0e5f46ca8d25a901c988a92ed0a6837738b
SHA256:	6728d812ad1188928237a5155456d7408deff144fa7ac376a075d44361287363
SHA512:	4153d48bf24cacf48f63a19e2b530f01c6d947132acaba632ae4562db1d0c4fcd6fac6bbed856144fa8e82b898ead575be8b2a9ba14889263140ea4a207710b9
SSDEEP:	6144:r07JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mLi:wd/qYYFNHrz95
TLSH:	F86412050C9780C883097859F1A9151E2B6F9C339D63C8359BFCDABB4A659CCDBB7B48
File Content Preview:	PK........LlHY...7U... .......[Content_Types].xmlUT....4.g.4.g.4.g...n.0.E...............e.T.....U..<...;!.U.%U.M.d..sgby0ZW.[BB.\|!.yOd.u0....>y....Iy.\.P.........M..X...s.x/%.9T....s...R..i&...j......:x.O].=.p...Z8.....I........U....Z...........r..s....B

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Purchase.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 09:46:15.925924063 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:15.930869102 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:15.930958033 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:15.933943033 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:15.939048052 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:16.654495955 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:16.654710054 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:17.027658939 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:17.851840973 CEST	80	49164	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:17.851913929 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:17.852026939 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:17.860404015 CEST	80	49164	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:18.565083027 CEST	80	49164	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:18.763111115 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:21.818722963 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:21.823677063 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:21.823757887 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:21.823869944 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:21.828692913 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:22.548966885 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:22.551306009 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:22.556168079 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:22.787205935 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:22.995560884 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:22.995655060 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:23.136553049 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:23.141494036 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:23.374011040 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:23.374408007 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:23.379759073 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:23.610805035 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:23.819504023 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:23.819591045 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.182938099 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.188014984 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.420214891 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.420622110 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.425651073 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.656686068 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.688769102 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.693649054 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.862674952 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.867526054 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.867590904 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:46:24.922559977 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:46:24.924348116 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:47:23.585428953 CEST	80	49164	87.120.84.38	192.168.2.22
Oct 10, 2024 09:47:23.585583925 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:47:23.585683107 CEST	49164	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:47:23.590559959 CEST	80	49164	87.120.84.38	192.168.2.22
Oct 10, 2024 09:47:29.661941051 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:47:29.662066936 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:47:29.663414955 CEST	49165	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:47:29.668230057 CEST	80	49165	87.120.84.38	192.168.2.22
Oct 10, 2024 09:47:29.922629118 CEST	80	49163	87.120.84.38	192.168.2.22
Oct 10, 2024 09:47:29.922852039 CEST	49163	80	192.168.2.22	87.120.84.38
Oct 10, 2024 09:48:13.900331974 CEST	49163	80	192.168.2.22	87.120.84.38

HTTP Request Dependency Graph

87.120.84.38

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	87.120.84.38	80	3248	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 09:46:15.933943033 CEST	138	OUT	OPTIONS /txt/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 87.120.84.38 Content-Length: 0 Connection: Keep-Alive
Oct 10, 2024 09:46:16.654495955 CEST	187	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:16 GMT Content-Type: httpd/unix-directory Content-Length: 0 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET
Oct 10, 2024 09:46:24.688769102 CEST	358	OUT	GET /txt/mnobinm.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 87.120.84.38 Connection: Keep-Alive
Oct 10, 2024 09:46:24.922559977 CEST	447	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:24 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: keep-alive Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p\|:O!d4^=+UU9\=\)\|0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	87.120.84.38	80	3248	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 09:46:17.852026939 CEST	128	OUT	HEAD /txt/mnobinm.doc HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 87.120.84.38
Oct 10, 2024 09:46:18.565083027 CEST	154	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:18 GMT Content-Type: text/html; charset=iso-8859-1 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.22	49165	87.120.84.38	80

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 09:46:21.823869944 CEST	132	OUT	OPTIONS /txt HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 87.120.84.38
Oct 10, 2024 09:46:22.548966885 CEST	529	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:22 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 310 Connection: keep-alive Location: http://87.120.84.38/txt/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 38 37 2e 31 32 30 2e 38 34 2e 33 38 2f 74 78 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:22.551306009 CEST	133	OUT	OPTIONS /txt/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 87.120.84.38
Oct 10, 2024 09:46:22.787205935 CEST	187	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:22 GMT Content-Type: httpd/unix-directory Content-Length: 0 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET
Oct 10, 2024 09:46:22.995560884 CEST	187	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:22 GMT Content-Type: httpd/unix-directory Content-Length: 0 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET
Oct 10, 2024 09:46:23.136553049 CEST	162	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 74 78 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 Data Ascii: PROPFIND /txt HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 87.120.84.38
Oct 10, 2024 09:46:23.374011040 CEST	529	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:23 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 310 Connection: keep-alive Location: http://87.120.84.38/txt/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 38 37 2e 31 32 30 2e 38 34 2e 33 38 2f 74 78 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:23.374408007 CEST	163	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 74 78 74 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 Data Ascii: PROPFIND /txt/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 87.120.84.38
Oct 10, 2024 09:46:23.610805035 CEST	517	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:23 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 303 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:23.819504023 CEST	517	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:23 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 303 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:24.182938099 CEST	162	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 74 78 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 Data Ascii: PROPFIND /txt HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 87.120.84.38
Oct 10, 2024 09:46:24.420214891 CEST	529	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:24 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 310 Connection: keep-alive Location: http://87.120.84.38/txt/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 38 37 2e 31 32 30 2e 38 34 2e 33 38 2f 74 78 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:24.420622110 CEST	163	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 74 78 74 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 Data Ascii: PROPFIND /txt/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 87.120.84.38
Oct 10, 2024 09:46:24.656686068 CEST	517	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:24 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 303 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
Oct 10, 2024 09:46:24.867526054 CEST	517	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.26.2 Date: Thu, 10 Oct 2024 07:46:24 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 303 Connection: keep-alive Allow: POST,OPTIONS,HEAD,GET Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>

Target ID:	0
Start time:	03:46:12
Start date:	10/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fae0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7075E2C6-67BC-4FE2-AF19-68837B626693}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5381DBA7-5EAD-4480-A030-82D263AA0387}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98CB96BC-D924-4589-B6AD-9F37EB94FE22}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E0E2185F-EAD9-43DA-AAAE-13DEBD784375}.tmp

C:\Users\user\AppData\Local\Temp\{19B1881F-0AC8-42AE-B404-36925486FA8A}

C:\Users\user\AppData\Local\Temp\{992A1E6B-0327-48D7-B980-CF567BE72ABB}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase.docx.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$rchase.docx.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Purchase.docx.doc"

Indicators

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Purchase.docx.doc