Ad12.doc
This report is generated from a file or URL submitted to this webservice on April 6th 2016 14:48:02 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.41 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators 2

Unusual Characteristics

Contains embedded string with suspicious keywords
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- Source: File/Memory
- Relevance: 10/10

Installs hooks/patches the running process
- "WINWORD.EXE" wrote bytes "3B050263" to virtual address "0x2FF31634" (part of module "WINWORD.EXE")
- "WINWORD.EXE" wrote bytes "E92319DBF0" to virtual address "0x77483D01" ("SetUnhandledExceptionFilter@kernel32.dll")
- Source: Hook Detection
- Relevance: 10/10
Informative 5

External Systems

Sample was identified as clean by Antivirus engines
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- Source: External System
- Relevance: 10/10
General

Creates mutants
- "KYIMEShareCachedData.MutexObject.PSPUBWS"
- "KYTransactionServer.MutexObject.PSPUBWS"
- "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- "Local\ZonesCounterMutex"
- "Local\ZoneAttributeCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\WininetStartupMutex"
- "Local\WininetConnectionMutex"
- "Local\WininetProxyRegistryMutex"
- "LexRefServiceManagerCacheFileMutex"
- "C:PROGRA~1COMMON~1MICROS~1TRANSLATENGEMSB1ENGE.ITS"
- "Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- Source: Created Mutant
- Relevance: 3/10

Loads rich edit control libraries
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 66F70000
- Source: Loaded Module
Installation/Persistence

Dropped files
- "~$Normal.dotm" has type "data"
- "~WRS{D6B512AC-FFA8-4695-9454-7BC133735031}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
- "opa12.dat" has type "data"
- "~WRS{EF457309-F7B1-4B23-9141-A44FBBA5882E}.tmp" has type "data"
- "Ad12.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Normal ctime=Thu Apr 7 04:48:26 2016 mtime=Thu Apr 7 04:48:26 2016 atime=Thu Apr 7 04:48:26 2016 length=1025024 window=hide"
- "index.dat" has type "data"
- "ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
- "Word12.pip" has type "data"
- Source: Binary File
- Relevance: 3/10
Network Related

Found potential URL in binary/memory
- Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
- Pattern match: "https://419awareness.files.wordpress.com/2012/06/new-picture-10.png?w=630"
- Pattern match: "https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcTBMgBM-tuVr9wCGgMOUMbewekKheE46ZdBNe6jVRKkl1GEBxrU"
- Pattern match: "http://hdwallpapershoot.com/wp-content/uploads/2015/05/Coca-Cola-Logo-Wallpaper-2.jpg"
- Pattern match: "http://thedivinemissmommy.com/wp-content/uploads/2012/07/Coca-Cola-Racing.jpg"
- Heuristic match: "E-mail: cocacolasmsaward@gmail.com"
- Pattern match: "419awareness.files.wordpress.com/2012/06/new-picture-10.png?w=630#"
- Source: File/Memory
- Relevance: 10/10
File Details

Ad12.doc
- Filename: Ad12.doc
- Size: 1001KiB (1025024 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: saint frank, Template: Normal, Last Saved By: user, Revision Number: 14, Name of Creating Application: Microsoft Office Word, Total Editing Time: 39:00, Last Printed: Fri Nov 21 09:22:00 2014, Create Time/Date: Wed Feb 10 21:22:00 2016, Last Saved Time/Date: Tue Apr 5 10:04:00 2016, Number of Pages: 1, Number of Words: 1, Number of Characters: 10, Security: 0
- Architecture: WINDOWS
- SHA256: fa68ea31d643c38a8a3771394346f45732eca1458b9c4a93d97982d2c14c6152
- MD5: 196a75dcc61846b6dd64077a5905c4e5
- SHA1: 4e938cbe19c55f25a78923dcb433b5c6e182449a

Classification (TrID)
- 80.0% (.DOC) Microsoft Word document
- 20.0% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 176)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 8
Ad12.LNK
- Size: 369B (369 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Thu Apr 7 04:48:26 2016, mtime=Thu Apr 7 04:48:26 2016, atime=Thu Apr 7 04:48:26 2016, length=1025024, window=hide
- MD5: b33879a7d254185e0366cecc68306e81
- SHA256: 0409c188cf46b94f18c1ced3be621b8cdd491b8755144f5d80dfc33fbf883c70

index.dat
- Size: 69B (69 bytes)
- Type: data
- MD5: 1c3ea2d68004643e281412866bc1f498
- SHA1: 59694993b7a860f39acad45843b01577b324d8bc
- SHA256: 01692792158508cee9151c0fade8381a51b7ffae119034fae8c436196e6faedf

Word12.pip
- Size: 1.6KiB (1684 bytes)
- Type: data
- MD5: b8dd8b63d5ced27a3b8dbe167ae2951c
- SHA1: 4f83cca363c65430d4b9869faa4dfeadb11a80f7
- SHA256: b4df1d9db5dbf4d45f37b91f0a554a5321f324d41e8b2121a489f4049abd1c5e

~$Normal.dotm
- Size: 162B (162 bytes)
- Type: data
- MD5: 8abb3c6a6d0da33d06a6b2d0f181907f
- SHA1: d711ace859df6ef1d3286ca7828ce2605ac43c3d
- SHA256: e06b58ccc332b595e1dca448b43fbc49fcca94fbdeb6028fb5dfc102e83e2e2b

ExcludeDictionaryEN0409.lex
- Size: 2B (2 bytes)
- Type: Little-endian UTF-16 Unicode text, with no line terminators
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

~WRS{D6B512AC-FFA8-4695-9454-7BC133735031}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{EF457309-F7B1-4B23-9141-A44FBBA5882E}.tmp
- Size: 1.5KiB (1536 bytes)
- Type: data
- MD5: bfbb4d3b5eeb09436d9a865368e9542d
- SHA1: 2f5973139432f823b71a0c2ac758319b0d6aef49
- SHA256: bc29287f04450d0e1bedbd12c1388b674111710bb230c19a179ad4823fb29fee

opa12.dat
- Size: 25KiB (25216 bytes)
- Type: data
- MD5: b7f8932fb88acfc7bc28e6254c05eb94
- SHA1: fbadbd15e82666cee61bad18dfe29949c784911c
- SHA256: d8c52660494d3b812cc3fd552a5b6f0652d6d105dc2998711d8ad30178d6273e
Notifications

Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)