7167f6fdd495c989536fdf9b5e34f219.zip
This report is generated from a file or URL submitted to this webservice on October 19th 2016 21:29:21 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
-
Reads the active computer name
Reads the cryptographic machine GUID - Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- ba36a9f761bfb13f7523e068f9e5cbab1a8c714e6f95094a9d7ae056c459c2f4
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 4
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 20/55 Antivirus vendors marked sample as malicious (36% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 20/55 Antivirus vendors marked sample as malicious (36% detection rate)
- source
- External System
- relevance
- 8/10
-
Sample was identified as malicious by a large number of Antivirus engines
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
-
Found keyword "Workbook_Open" which indicates: "Runs when the Excel Workbook is opened"
Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened" - source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
-
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 9
-
Environment Awareness
-
Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Reads the active computer name
-
Installation/Persistance
-
Drops executable files
- details
- "OL.cm d" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Drops executable files
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
Found suspicious keyword "MkDir" which indicates: "May create a directory"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "Open" which indicates: "May open a file" - source
- Static Parser
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "ba68f03900b98b7b3d62ffe1" to virtual address "0x0035FAF6"
"WINWORD.EXE" wrote bytes "00668985" to virtual address "0x62757FA4" (part of module "WPFT632.CNV")
"WINWORD.EXE" wrote bytes "e9365501f2" to virtual address "0x756F3EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "00000000" to virtual address "0x62797FA4" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "e6a576cf" to virtual address "0x629810AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "78636570" to virtual address "0x6278BE64" (part of module "WPFT632.CNV")
"WINWORD.EXE" wrote bytes "d3201ecf" to virtual address "0x62879904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "1ea388e3" to virtual address "0x69FDF530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "4eb788e3" to virtual address "0x689278E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e9239903f2" to virtual address "0x756F5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99e4896f0" to virtual address "0x76D63D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "247bf071" to virtual address "0x2F251B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000" to virtual address "0x6E211000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "ba90123a00b98b7b3d62ffe1" to virtual address "0x0035FB1E"
"WINWORD.EXE" wrote bytes "15874ece" to virtual address "0x67920BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e9603301f2" to virtual address "0x756F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "1ac064fd" to virtual address "0x627BBE64" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "00000000" to virtual address "0x6279BE64" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "a18488e3" to virtual address "0x69C5CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "f300f300" to virtual address "0x627A63DC" (part of module "USP10.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
-
Contains embedded VBA macros with suspicious keywords
-
Informative 7
-
General
-
Contains embedded VBA macros
- details
- details too long to display
- source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\msoA03.tmp"
"WINWORD.EXE" created file "%TEMP%\LOL\OL.cm d" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62830000
- source
- Loaded Module
-
Contains embedded VBA macros
-
Installation/Persistance
-
Dropped files
- details
-
"~WRS{7740A21B-1C75-4E1C-9AB7-3C1F1DE1AAF2}.tmp" has type "data"
"index.dat" has type "data"
"msoA03.tmp" has type "GIF image data version 89a 15 x 15"
"~WRS{56C6EDB8-ECBD-457D-B27C-234122345D64}.tmp" has type "data"
"33EA4523.png" has type "PNG image data 520 x 208 8-bit/color RGBA non-interlaced"
"OL.cm d" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"7167f6fdd495c989536fdf9b5e34f219.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Thu Oct 20 04:29:37 2016 mtime=Thu Oct 20 04:29:37 2016 atime=Thu Oct 20 04:29:44 2016 length=445374 window=hide"
"~$67f6fdd495c989536fdf9b5e34f219.doc" has type "data"
"~WRS{F0D76962-44B4-4202-BE32-79C0419820EB}.tmp" has type "FoxPro FPT blocks size 25600 next free block index 1140850688"
"~WRS{1D5F6306-67C3-4FCD-978B-A899E9753B30}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1D5F6306-67C3-4FCD-978B-A899E9753B30}.tmp"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{749FC0E3-729E-4C8F-9C62-B12B7ED7A251}.tmp" - source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "hvm.OeO/~S!^OcS}?y_B.Vs;tt8Fmkep"
Heuristic match: "}c+vc)jq.tC"
Heuristic match: "Fi5(6D@QP$({Q25_!,i1J; Q[#Q1'f;GGV^ulNjE37L3ULnJ!,{Nw>aNIq&XN!9:3jY)Y1kk<a9u#s~>D#!EL+j:_a,O>B:R#YcA,?.~Agw~\r(/rYXxejzCe89(xGv_D@FL3avFD^+ gFYF>a,3FK-nn=-q%'g3_d~5+ ^ r5<<XUug>~r @#U{43.A*cyw]'&k`.iO.se"
Pattern match: "g.yjZg/tL"
Pattern match: "8-4x.Yl/nL$}x_6piKLRAXu7"
Pattern match: "Q.wO/zd#0$3`z~}c+HG3Jivo&mlLlheuu_@e^Z'o" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
7167f6fdd495c989536fdf9b5e34f219.doc
- Filename
- 7167f6fdd495c989536fdf9b5e34f219.doc
- Size
- 435KiB (445374 bytes)
- Type
- docx office
- Description
- Microsoft OOXML
- Architecture
- WINDOWS
- SHA256
- c8f208554987e57149170ca2846e889f60ef8e1ea9cd2f10b4215676db9ba4c1
- MD5
- 7167f6fdd495c989536fdf9b5e34f219
- SHA1
- 7da8a8ab4c256ecc037c66493c0887788aca5814
Classification (TrID)
- 59.4% (.DOCM) Word Microsoft Office Open XML Format document (with Macro)
- 36.0% (.DOCX) Word Microsoft Office Open XML Format document
- 4.5% (.ZIP) ZIP compressed archive
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\7167f6fdd495c989536fdf9b5e34f219.doc" (PID: 2964)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 11
-
-
~WRS{7740A21B-1C75-4E1C-9AB7-3C1F1DE1AAF2}.tmp
- Size
- 1.4MiB (1517132 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- cad251309d93f2f34477bc0402461c2c
- SHA1
- 42ff8e0aca5faf208be273afa169a7bc97311717
- SHA256
- 639fc57b33df88fbe1bc70804dcab2637260dd658cae7bfc6519c032c51feebb
-
index.dat
- Size
- 468B (468 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- a3b2445c43ef1879edef3602b193307c
- SHA1
- ce25979194223b4cff46034d1c7e532244085000
- SHA256
- 170abf6b7fe95fea9ec16e8091c32a65edfbf18be54c6ec33afb84f498f78547
-
msoA03.tmp
- Size
- 663B (663 bytes)
- Type
- GIF image data, version 89a, 15 x 15
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- ed3c1c40b68ba4f40db15529d5443dec
- SHA1
- 831af99bb64a04617e0a42ea898756f9e0e0bcca
- SHA256
- 039fe79b74e6d3d561e32d4af570e6ca70db6bb3718395be2bf278b9e601279a
-
~WRS{56C6EDB8-ECBD-457D-B27C-234122345D64}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- a8aedcfc26007a41d37e79281f2a8113
- SHA1
- 48c74fabfbef4d0b73e54effb1e5d8f0335932ae
- SHA256
- 9278b2416e90fcead510469fda50064ebbc001d8bcba041e5cbf065eed6f4eb6
-
33EA4523.png
- Size
- 28KiB (28236 bytes)
- Type
- PNG image data, 520 x 208, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 0680116242e3706b6ede88d7fdc50c21
- SHA1
- 517812da62a6a694bfdaf3bee65d9f22b5bd4794
- SHA256
- 354b99fdd4698c2bd75ab3cb42c6b2356bf8c4d3fd6b93cee2b2312691272587
-
OL.cm d
- Size
- 185KiB (189147 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 486ae1202e9a7dd8f2a8bf061295c3ce
- SHA1
- 044407535e30a762ede87575b4d056884ba2f8f7
- SHA256
- f8f7723e1c7a007ba24b52210cadf6705091351e5a4748c9295743148bcc2b04
-
7167f6fdd495c989536fdf9b5e34f219.LNK
- Size
- 573B (573 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Thu Oct 20 04:29:37 2016, mtime=Thu Oct 20 04:29:37 2016, atime=Thu Oct 20 04:29:44 2016, length=445374, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 00cb09cf364373b9bc0077c6d282b51e
- SHA1
- ae9bfc639fe1710f70426c2a028dfd72c6c13522
- SHA256
- 6a31f411fcf9dc7f05ea54fc6024fddcd72cabe36a26db7a665ac580f4e8b747
-
~$67f6fdd495c989536fdf9b5e34f219.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 3b2fd9174473f82f258012a038c7f3a8
- SHA1
- 3a855c0ea12af0a8be5beac24081b3ac0b562688
- SHA256
- 050b6ba51947cfcd8f383f63786db3f10cbedb4c699f096bca074bc2d112c454
-
~WRS{F0D76962-44B4-4202-BE32-79C0419820EB}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 25600, next free block index 1140850688
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 6d00e84e5edaa43e119ea03ce5ecaa4f
- SHA1
- 9fa7d5d09fed0a7c1f8392022eaaa24b66f4e77b
- SHA256
- 957da89085d8855135307e641a71c5ea2284be478c115d7a6c3e9c095e83d407
-
~WRS{1D5F6306-67C3-4FCD-978B-A899E9753B30}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2964)
- MD5
- 3b2fd9174473f82f258012a038c7f3a8
- SHA1
- 3a855c0ea12af0a8be5beac24081b3ac0b562688
- SHA256
- 050b6ba51947cfcd8f383f63786db3f10cbedb4c699f096bca074bc2d112c454
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Dropped file "OL.cm d" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/f8f7723e1c7a007ba24b52210cadf6705091351e5a4748c9295743148bcc2b04/analysis/1476905742/")
- No online hash lookups were performed due to the 'suppressMultiscanHashLookups' option
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report