IATA DUE INVOICES70078.docx
This report is generated from a file or URL submitted to this webservice on November 17th 2015 19:25:03 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v2.60 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 2
-
Exploit/Shellcode
-
Possible document exploit detected
- details
- Document spawned a new process although no macro was present in the original file
- source
- Indicator Combinations
- relevance
- 10/10
-
Possible document exploit detected
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 3/54 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10
-
Sample was identified as malicious by at least one Antivirus engine
-
Suspicious Indicators 5
-
Anti-Reverse Engineering
-
Uses a .NET obfuscator to hide its code
- details
- "VideoLAN2.1.5.0VLC media playerVLC media player 2.1.54/Copyright 1996-2014 VideoLAN and VLC Authors TWrapNonExceptionThrows PKVLC media player, VideoLAN and x264 are registered trademarks from VideoLAN'"Powered by SmartAssembly 6.9.0.114 ?_" is a hint for the obfuscator "Smart Assembly"
- source
- File/Memory
- relevance
- 2/10
-
Uses a .NET obfuscator to hide its code
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "e{<aF0w1SK$;Oz_fq:C#V`ciFO6Q1l@6<W:m6v{/mb`dnh{5#obNE[dTurOdWoGyRnnMZl|dUn*\AeWN*sX{2R&Z8zI]K+GuF,*1n<G27uatNCSs'%vK+Cp-0K?260!&Vn{l7>jzY>d5YDk`x5IW+V.sc"
Pattern match: "l.ptmI/JoIm500W67WlW_69"
Heuristic match: "mR_DFuh.ND[S|Ck 75rv}je<CO'ix?~q }jq+Zt-#eA_c2KL'3q}@1z4b;WAl'6&I0P.#!x>Tqg?9[|u<C_id7q1;8y5Z]GkAFtC}[{K/xLHrh_=xh-[vb)l%a`z@+,0F40l1Rr~$ng{uyqB!5QC?b!g.sb"
Heuristic match: "r*]&\GMtexSio!Lsp!1$%%~{G,77c49?\dTLpFwFp227fO$mIOA|TfP,6uNc'g/#Ov_thC7 I?+(4?l1?%KFVK}:Ml^{qVr{??&:mqIS^<8Ize9@-4'26h'D.yE"
Heuristic match: "JDh0*Oz/`0pDDb3yO+CM9-=qO:&keYs'u|oG;YF)|g8Nw~u%K<&!umcwYz>S<F\\]3eawoA]wcy4w'u'7:.SM"
Pattern match: "P.PQ/kG3Z"
Pattern match: "m57xn.vtx/Q,pA:[y@s"
Pattern match: "XXuRtp.ChKV/Cs;Mf6l0m;l?Bm!s"
Heuristic match: "y9)IZf[9MPY!lIN(OhcZ==LpCdGWp/c*sfm-HqaNGtW4 x[FlEk}.4cURf/pvFIAF&'0(SxwHi.bN"
Heuristic match: "tu{q)&'s+>*#.NOfA@w<,o0f'Jg}s.R-ihjwj<:Cdq]7HS?cvF\HEdhzCe'\ vZr!\#]8@,0.JE"
Heuristic match: "vj?nJBR3gYEf]dYFU>^G5ss~.je"
Heuristic match: "8 _8 E! !!:Jssk 1D\.WF"
Pattern match: "http://www.smartassembly.com/webservices/UploadReportLogin/LGhttp://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL`TNameReportingServiceSoapTNamespace3http://www.smartassembly.com/webservices/Reporting/E@http://www.smartassembly.com/webse"
Pattern match: "bC.mO/y2D-MIENDB" - source
- File/Memory
- relevance
- 2/10
-
Found potential URL in binary/memory
-
Remote Access Related
-
Contains a remote desktop related string
- details
- "HqvncR3~dh_fL_+C!5q>mx" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
-
Contains a remote desktop related string
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "992D4133" to virtual address "0x2F201634" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "E92319B9F0" to virtual address "0x76DF3D01" ("SetUnhandledExceptionFilter@kernel32.dll")
"WINWORD.EXE" wrote bytes "910C9A93" to virtual address "0x2F311634" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "E92319C8F0" to virtual address "0x76DF3D01" ("SetUnhandledExceptionFilter@kernel32.dll") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
-
Informative 4
-
General
-
Creates mutants
- details
-
"KYIMEShareCachedData.MutexObject.PSPUBWS"
"KYTransactionServer.MutexObject.PSPUBWS"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\WininetStartupMutex"
"Local\WininetConnectionMutex"
"Local\WininetProxyRegistryMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
-
"WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 66500000
"WINWORD.EXE" loaded module "C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll" at 666F0000 - source
- Loaded Module
-
Spawns new processes
- details
- Spawned process "WINWORD.EXE" with commandline "/n /dde" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
Creates mutants
-
Installation/Persistance
-
Dropped files
- details
-
"extra_embedded_0.doc.bin" has type "Composite Document File V2 Document, No summary info"
"~WRS{2CD347B7-6EC8-4160-AD38-80F80C2106CB}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"opa12.dat" has type "data"
"DF5261F2.doc" has type "Zip archive data, at least v2.0 to extract"
"BAD7654B.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"63a61bdcaa5b0774ef558522c14988d1300bad7efdd76102cd2b2f57122546e4.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Wed Nov 18 08:24:40 2015, mtime=Wed Nov 18 08:25:34 2015, atime=Wed Nov 18 08:24:40 2015, length=346178, window=hide"
"index.dat" has type "data"
"~WRS{E73C38E8-76BD-46E3-999C-E621BFED36FB}.tmp" has type "data"
"339F06D0.jpeg" has type "JPEG image data, JFIF standard 1.01"
"ExcludeDictionaryEN4009.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators"
"MSO2057.acl" has type "data"
"~WRD0000.tmp" has type "data"
"Word12.pip" has type "data"
"~WRS{E1E0515E-AC37-4D93-A95F-9CEE53A88FC1}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"~$tra_embedded_0.doc" has type "data"
"~WRS{0DC6B573-958E-41AB-B244-F453E6846701}.tmp" has type "data"
"~WRD0000.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
"~WRD0001.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"" - source
- Binary File
- relevance
- 3/10
-
Dropped files
File Details
IATA DUE INVOICES70078.docx
- Filename
- IATA DUE INVOICES70078.docx
- Size
- 338KiB (346178 bytes)
- Type
- docx office
- Description
- Zip archive data, at least v2.0 to extract
- Architecture
- WINDOWS
- SHA256
- 63a61bdcaa5b0774ef558522c14988d1300bad7efdd76102cd2b2f57122546e4
- MD5
- 48efd272a5605ce6d6be2708cf0267fb
- SHA1
- db4f248c1b310d0c25fd97162f6b341be2fdf233
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 2 processes in total.
- WINWORD.EXE /n /dde (PID: 4032)
- WINWORD.EXE /n /dde (PID: 2944)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
-
Informative 21
-
-
opa12.dat
- Size
- 8.4KiB (8558 bytes)
- Type
- data
- MD5
- 6b6d787769334026e445bc5f4cc90585
- SHA1
- 951849dec79d0ea1558e976bea6021dfc7a2678b
- SHA256
- 055968e58dba6ff26512c39d147ea0ffd0f1abb293613b68d6c60fd3dd90f08f
-
339F06D0.jpeg
- Size
- 17KiB (17912 bytes)
- Type
- JPEG image data, JFIF standard 1.01
-
BAD7654B.emf
- Size
- 5.3KiB (5388 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
-
DF5261F2.doc
- Size
- 338KiB (346178 bytes)
- Type
- Zip archive data, at least v2.0 to extract
- MD5
- 48efd272a5605ce6d6be2708cf0267fb
- SHA1
- db4f248c1b310d0c25fd97162f6b341be2fdf233
- SHA256
- 63a61bdcaa5b0774ef558522c14988d1300bad7efdd76102cd2b2f57122546e4
-
~WRD0000.tmp
- Size
- 353KiB (361391 bytes)
- Type
- data
- MD5
- 0e86af5edc6e9cef1140dfe11d70c9f9
- SHA1
- 6bc73604c0e85c1dfb55c1f5b612459473f43bb1
- SHA256
- 7107641dccc85b4a024bb817be141a91fa6c8ff7850c0eabefd2523a96cc6068
-
~WRD0000.doc
- Size
- 1.9MiB (1951744 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- 5301a04319597e1d847a50edc50f3442
- SHA1
- 234a1d7c16f22d30b776fa7779b5485a1139c877
- SHA256
- 23845dfafe018b19a09ead3623d7b1bfc56e0efca1521aa08934c6560426969c
-
~WRD0001.doc
- Size
- 1.9MiB (1951744 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- 5301a04319597e1d847a50edc50f3442
- SHA1
- 234a1d7c16f22d30b776fa7779b5485a1139c877
- SHA256
- 23845dfafe018b19a09ead3623d7b1bfc56e0efca1521aa08934c6560426969c
-
~WRD0002.doc
- Size
- 1.9MiB (1941504 bytes)
-
~WRS{0DC6B573-958E-41AB-B244-F453E6846701}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- eeeb539ef76f2f296525fcbcc024df49
- SHA1
- 20911d1a2c68c362519ce3b7bad6bf736832bab6
- SHA256
- 16a1e148a92823749a50d040d4df4e82ec995f7caeded1a523e514144605b05b
-
~WRS{2CD347B7-6EC8-4160-AD38-80F80C2106CB}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{E1E0515E-AC37-4D93-A95F-9CEE53A88FC1}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{E73C38E8-76BD-46E3-999C-E621BFED36FB}.tmp
- Size
- 4.1KiB (4154 bytes)
- Type
- data
- MD5
- 81098074011251eab89aa5ac78db7423
- SHA1
- 6f9429cd14cd89a74cc541604cdd071f7b3c0167
- SHA256
- 148b8368af74270c265784fa8c6c30da3ebffe236cd18e9c9f9b15550b4f1cc8
-
MSO2057.acl
- Size
- 30B (30 bytes)
- Type
- data
- MD5
- 347b1796088009b6e068b2de96b4837c
- SHA1
- 53555eb7c41fbb5805900186168ea27c5264ab24
- SHA256
- fb85cae865f25be7828f7e958113a1e45b4ffe37bd5e05e42f8e6599aaab1cf4
-
63a61bdcaa5b0774ef558522c14988d1300bad7efdd76102cd2b2f57122546e4.LNK
- Size
- 2.2KiB (2300 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Wed Nov 18 08:24:40 2015, mtime=Wed Nov 18 08:25:34 2015, atime=Wed Nov 18 08:24:40 2015, length=346178, window=hide
-
extra_embedded_0.LNK
- Size
- 493B (493 bytes)
-
index.dat
- Size
- 153B (153 bytes)
-
Word12.pip
- Size
- 1.6KiB (1684 bytes)
- Type
- data
- MD5
- 0aef9a6cae0a89af7e1dbbbf0c79cb07
- SHA1
- 798e127c7e11cb553009bbff3c0cf6fad9b5b291
- SHA256
- a50d824fb1d953df73d733d6cb3f773189f0eb83f472f81b69bcfca26390ae9d
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
ExcludeDictionaryEN4009.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~$tra_embedded_0.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- e4a7aa7f19e78fa9d2315c7fd7b2a21d
- SHA1
- 5defdfe80a495f22b0ebbd00bf88332df2a47ba9
- SHA256
- 98910fb6f4b5156b2f163faa525de844ce3b2019051e01dc0fa883c7cab8536b
-
extra_embedded_0.doc.bin
- Size
- 953KiB (975872 bytes)
- Type
- Composite Document File V2 Document, No summary info
-
Notifications
-
Runtime
- Added comment to VirusTotal report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
- Parsed the maximum number of dropped files (20, see 'maxDroppedFilesToParseYARA'), report might not contain information about some dropped files