Claim your funds.docx
This report is generated from a file or URL submitted to this webservice on March 14th 2016 05:54:43 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.40 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
Indicators
Suspicious Indicators 2
Remote Access Related
Contains a remote desktop related string
- details: "*ZOYycno;.:ZMm+^^Wvncc9.lf2GiF9[j4oA{x}h='^:wseE" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10
- note: the hit is the substring "vnc" inside an otherwise random-looking run of bytes, which is what the compressed parts of the OOXML ZIP container look like when scanned raw; on its own it is not evidence that the document carries VNC functionality.
Unusual Characteristics
Installs hooks/patches the running process
- details:
"WINWORD.EXE" wrote bytes "E92319DBF1" to virtual address "0x76E63D01" ("SetUnhandledExceptionFilter@kernel32.dll")
"WINWORD.EXE" wrote bytes "57E4FB3A" to virtual address "0x2FCE1634" (part of module "WINWORD.EXE")
- source: Hook Detection
- relevance: 10/10
- note: E9 is the x86 near-JMP opcode, so the first write is an inline hook in SetUnhandledExceptionFilter, installed from inside the Word process (PID 3512). Inline JMP patches are also how user-mode API monitors instrument a process, and this run used the legacy Usermode Monitor, so confirm who wrote the bytes before attributing the hook to the document.
Informative 5
External Systems
Sample was identified as clean by Antivirus engines
- details:
0/55 Antivirus vendors marked sample as malicious (0% detection rate)
0/43 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
Creates mutants
- details:
"KYIMEShareCachedData.MutexObject.PSPUBWS"
"KYTransactionServer.MutexObject.PSPUBWS"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10
Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 676C0000
- source: Loaded Module
Installation/Persistence
Dropped files
- details:
"~WRS{6E16891B-F8D7-4B4B-B308-6144D1D71198}.tmp.132218" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"opa12.dat.133156" has type "data"
"C479CC41.doc.138562" has type "Microsoft Word 2007+"
"Claim_your_funds.docx.LNK.140187" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Mon Mar 14 17:50:56 2016, mtime=Mon Mar 14 17:55:53 2016, atime=Mon Mar 14 17:50:56 2016, length=217576, window=hide"
"index.dat.140218" has type "data"
"mso23AB.tmp.140234" has type "GIF image data, version 89a, 15 x 15"
"~WRS{D36916C6-157C-4EEF-AAAD-E40F6ABACCC9}.tmp.140609" has type "data"
"ExcludeDictionaryEN0409.lex.143703" has type "Little-endian UTF-16 Unicode text, with no line terminators"
"~WRD0000.tmp.324296" has type "data"
"Word12.pip.325562" has type "data"
- source: Binary File
- relevance: 3/10
- note: "C479CC41.doc" has the same size and hashes as the submitted sample (see Extracted Files), i.e. it is Word's own copy of the document; the remaining entries (~WRS/~WRD temporaries, the exclusion dictionary, the recent-file .LNK, Word12.pip, opa12.dat, index.dat and an mso*.tmp image) are the kinds of working files Word writes during any session, and none is an executable or a second document.
Network Related
Found potential URL in binary/memory
- details:
Pattern match: "D.XwFP/x|Kd`4IOi$"
Heuristic match: "ah00.c0.uk"
- source: File/Memory
- relevance: 10/10
- note: neither string was resolved or contacted during the run (see Network Analysis: no DNS requests, no contacted hosts, no HTTP). The pattern match is a random-looking run of bytes that happens to contain a "/"; the host-like string should be looked for in the decompressed document parts before it is treated as a network indicator.
File Details
Claim your funds.docx
- Filename
- Claim your funds.docx
- Size
- 212KiB (217576 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 71b2fc9c97305886b983bb4945611c52853e290a05cf54d414cf9f20fc43bc37
- MD5
- 507ecfaf7efa9fd6909769c3ddd59da7
- SHA1
- 2a3a035c9a457e33848ba15a3ef450b12fdc5c32
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
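A static triage pass a practitioner would run on the submitted file alongside this report, as an added example (not Falcon Sandbox code and not part of the original page): it hashes the container so the SHA256 can be compared with the value above, lists the OOXML parts, flags a VBA project, embedded objects or external relationships (the remote-template and OLE-link mechanisms), and checks whether the report's string indicators (the "Wvncc9" fragment matched as Generic VNC and the "ah00.c0.uk" heuristic URL) occur in the decompressed document parts or only in the raw ZIP bytes. The input is a constructed minimal .docx with an assumed remote-template relationship, not the real sample; the host template.example.invalid and the part layout are made up for the demonstration.

```python
"""Static triage of an OOXML (.docx) sample.

Added example; it does not reproduce the sandbox's own indicator rules.
Hashes the file, lists the ZIP parts, checks for VBA / embeddings /
external relationships, and tests whether a string indicator occurs in
the decompressed parts or only in the raw (compressed) container bytes.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def external_relationships(zf: zipfile.ZipFile) -> list:
    """(part, relationship type, target) for every TargetMode="External"
    relationship in any .rels part; remote templates and linked OLE
    objects are expressed this way."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode") == "External":
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rtype, rel.get("Target")))
    return found


def triage_docx(data: bytes, indicators=()) -> dict:
    """Triage an OOXML file given as bytes. Raises ValueError for non-ZIP
    input (a legacy OLE2 .doc needs a different parser)."""
    if data[:2] != b"PK":
        raise ValueError("not a ZIP container; legacy OLE2 .doc is out of scope here")
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    decompressed = b"".join(zf.read(n) for n in names)
    return {
        "size": len(data),
        "hashes": hashes(data),
        "parts": names,
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
        "has_embeddings": any("/embeddings/" in n.lower() for n in names),
        "external_rels": external_relationships(zf),
        # A sandbox string hit that exists only in the raw ZIP bytes is a
        # match on compressed data, not on anything the document contains.
        "indicator_hits": {
            ind: {"in_raw_zip": ind.encode() in data,
                  "in_decompressed_parts": ind.encode() in decompressed}
            for ind in indicators
        },
    }


def build_sample_docx() -> bytes:
    """Constructed stand-in for the submitted file (NOT the real sample): a
    minimal package whose settings part points at an assumed remote template."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Claim your funds</w:t></w:r></w:p></w:body></w:document>')
    settings_rels = (  # assumed remote-template link; host is fictitious
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
        'Target="http://template.example.invalid/t.dotm" TargetMode="External"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_docx() with open("Claim your funds.docx","rb").read()
    # to run against the real sample and compare hashes with the report.
    report = triage_docx(build_sample_docx(), indicators=("Wvncc9", "ah00.c0.uk", "funds"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed package the only finding is the external attachedTemplate relationship, "funds" is found in the decompressed parts, and neither report indicator appears there; against the real sample the same call tells you whether the sandbox's two string hits live in any XML part or only in deflated bytes.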
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 3512)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 10

Claim_your_funds.docx.LNK
- Size: 1.7KiB (1784 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Mon Mar 14 17:50:56 2016, mtime=Mon Mar 14 17:55:53 2016, atime=Mon Mar 14 17:50:56 2016, length=217576, window=hide
- MD5: 246e1d7d5d0a39412baa8085dc9d38a9
- SHA256: 39d686a650696f97d7ec4578a904b52abbbbac17eff3fd8dc591fd94de9b88d6

index.dat
- Size: 64B (64 bytes)
- Type: data
- MD5: e733ef98319cf2fb139f71bfacdebf90
- SHA1: aa0afc991b89782154151ec6b8ee0a06dca040f6
- SHA256: 6dfd6fde6c54f30603134c7f8abb4a7e0082eea93181f78ab87c2437fb839e39

Word12.pip
- Size: 1.6KiB (1684 bytes)
- Type: data
- MD5: d4c3c791d8032d9271b70dbab18783c8
- SHA1: 4d6f84c95d460e83becc29e117dcd1efeebf72f9
- SHA256: 8c8376314d9410e6b3e10105346d7d8dff8c9410ceb21d41655667982f80e9f0

ExcludeDictionaryEN0409.lex
- Size: 2B (2 bytes)
- Type: Little-endian UTF-16 Unicode text, with no line terminators
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

C479CC41.doc
- Size: 212KiB (217576 bytes)
- Type: Microsoft Word 2007+
- MD5: 507ecfaf7efa9fd6909769c3ddd59da7
- SHA1: 2a3a035c9a457e33848ba15a3ef450b12fdc5c32
- SHA256: 71b2fc9c97305886b983bb4945611c52853e290a05cf54d414cf9f20fc43bc37

~WRD0000.tmp
- Size: 210KiB (215075 bytes)
- Type: data
- MD5: 35db498bcf5d2687dbed5c0dc2beea6d
- SHA1: d24b44bb3e739327229f758eb1de3f2f281b8eae
- SHA256: acddadf1398eafc6839611093df4ee08cb45922a89a1429bef624e427d1edf08

~WRS{6E16891B-F8D7-4B4B-B308-6144D1D71198}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{D36916C6-157C-4EEF-AAAD-E40F6ABACCC9}.tmp
- Size: 6.9KiB (7098 bytes)
- Type: data
- MD5: a4f4e0815a157291732c2aebbee0d527
- SHA1: a1b408ab8a580a4a98631d6582a1da8aed042fe7
- SHA256: 3a74f5d408839d1e5518a40da1fdf87df739854957dbfea588a521fdf3d20148

opa12.dat
- Size: 8.3KiB (8548 bytes)
- Type: data
- MD5: 7cdcef3c8ba6b4859d46f9eab0eccd93
- SHA1: d80959d6f88d8d2024e0ae1e723c40601df0177b
- SHA256: 6313aa059910d9c0c7bff4268756ee1dc02cb88826ec6aee40c41e2c35671fec

mso23AB.tmp
- Size: 663B (663 bytes)
- Type: GIF image data, version 89a, 15 x 15
- MD5: ed3c1c40b68ba4f40db15529d5443dec
- SHA256: 039fe79b74e6d3d561e32d4af570e6ca70db6bb3718395be2bf278b9e601279a