SUSPICIOUS EMAIL.msg
This report is generated from a file or URL submitted to this webservice on January 18th 2016 15:10:11 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.20 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Suspicious Indicators 3

System Destruction

Marks file for deletion
- details: "%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%SAMPLEDIR%\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc" for deletion
- source: API Call
- relevance: 10/10
- note: the file marked for deletion is one of Word's own ~WRD*.doc scratch copies under Content.Word (it is also listed under "Dropped files" below). Word routinely removes these when it closes a document, so on its own this is housekeeping, not destruction of user data; the indicator would only matter if the path pointed at something the sample did not create itself.
Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source: File/Memory
- relevance: 10/10
- note: these are VBA tokens ("Put #" writes to an open file, Chr() builds a string from character codes, "Declare ... Lib" imports a DLL export), but the hit comes from a string scan of file and memory, not from macro extraction, and all three words also occur inside ordinary English and Office strings ("Input", "Library", "Chrome"). Treat it as a prompt to extract and read any macro or attachment, not as evidence that one exists.
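As an added example (not part of the Hybrid Analysis report and not the sandbox's own heuristic), the following Python shows the kind of check a reviewer would run once a macro has actually been extracted: whole-word matching of the same three keywords, the report's own "Put only counts with Open" qualifier, decoding of Chr() chains, and extraction of the DLL named after Lib. The VBA fragment is constructed for illustration; the report reproduces no content of the analysed file, and names such as URLDownloadToFileA and out.bin are placeholders.

```python
import re

# Keyword heuristics modelled on the three hits in this report. Whole-word
# matching is this example's own choice: a bare substring search would also
# fire on "Input", "Output" or "Library" in harmless text.
KEYWORD_RULES = {
    "Put": "May write to a file (if combined with Open)",
    "Chr": "May attempt to obfuscate specific strings",
    "Lib": "May run code from a DLL",
}

# Constructed VBA fragment for illustration only; the report does not
# reproduce any content of the analysed .msg file.
SAMPLE_VBA = r'''
Private Declare Function URLDownloadToFileA Lib "urlmon" Alias "URLDownloadToFileA" ( _
    ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim s As String
    s = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47)
    Open Environ("TEMP") & "\out.bin" For Binary As #1
    Put #1, , s
    Close #1
End Sub
'''

# Two or more Chr(n) calls joined with "&"
CHR_CHAIN_RE = re.compile(r'(?:Chr\(\s*\d+\s*\)\s*&\s*)+Chr\(\s*\d+\s*\)')
CHR_ARG_RE = re.compile(r'Chr\(\s*(\d+)\s*\)')
# Declare ... Lib "name" on one line (Win32 API import in VBA)
DECLARE_LIB_RE = re.compile(r'\bDeclare\b.*?\bLib\s+"([^"]+)"')


def find_keywords(text):
    """Whole-word keyword hits, applying the qualifier the report attaches to
    "Put": it only counts when "Open" is also present."""
    hits = {}
    for kw, meaning in KEYWORD_RULES.items():
        if not re.search(rf'\b{kw}\b', text):
            continue
        if kw == "Put" and not re.search(r'\bOpen\b', text):
            continue
        hits[kw] = meaning
    return hits


def decode_chr_chains(text):
    """Rebuild string literals assembled as Chr(n) & Chr(n) & ... so the
    obfuscated value can be read and searched directly."""
    return [
        ''.join(chr(int(n)) for n in CHR_ARG_RE.findall(m.group(0)))
        for m in CHR_CHAIN_RE.finditer(text)
    ]


def declared_dlls(text):
    """DLL names given in Declare ... Lib "x" statements (the "Lib" hit)."""
    return DECLARE_LIB_RE.findall(text)


if __name__ == "__main__":
    print(find_keywords(SAMPLE_VBA))
    print(decode_chr_chains(SAMPLE_VBA))   # ['http://']
    print(declared_dlls(SAMPLE_VBA))       # ['urlmon']
```

Run against the constructed macro, all three keywords fire, the Chr() chain decodes to "http://" and the Declare statement names urlmon; run against a line such as "Input #1, s" nothing fires, which is the difference between whole-word matching and the substring scan the report describes.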
Installs hooks/patches the running process
- details:
  "WINWORD.EXE" wrote bytes "E9231960F1" to virtual address "0x77483D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  "WINWORD.EXE" wrote bytes "871564C3" to virtual address "0x2F3C1634" (part of module "WINWORD.EXE")
- source: Hook Detection
- relevance: 10/10
- note: the first write begins with E9, the opcode of a 5-byte relative JMP, so the sandbox saw WINWORD.EXE redirect kernel32!SetUnhandledExceptionFilter into other code. In-process patching of this export is done both by legitimate crash-reporting code and by malware that wants to suppress or intercept exceptions, so the indicator only becomes meaningful once the jump target is decoded and attributed to a module, which the report does not do. The second write is four bytes inside WINWORD.EXE's own image and cannot be interpreted without the surrounding bytes.
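Added example (Python; not from the report or the sandbox): decode the 5-byte write at 0x77483D01 into the address it jumps to, and look that address up against the module bases this report lists. The base table is copied from the "Loads modules at runtime" and "Loads rich edit control libraries" entries below; the report gives no module sizes, so the lookup can only say which listed base is nearest below the target, not prove that the target lies inside that module.

```python
import struct

# Module bases copied from this report's "Loads modules at runtime" and
# "Loads rich edit control libraries" entries (bases only; no sizes are
# given, so containment cannot be proven from this table).
MODULE_BASES = {
    "MSLID.DLL": 0x507C0000,
    "riched20.dll": 0x675C0000,
    "LINKINFO.DLL": 0x71200000,
    "CSCAPI.DLL": 0x71D70000,
    "NTSHRUI.DLL": 0x71D90000,
    "OGL.DLL": 0x728E0000,
    "SLC.DLL": 0x73F80000,
    "WTSAPI32.DLL": 0x750E0000,
    "SRVCLI.DLL": 0x75700000,
    "WINSTA.DLL": 0x75AA0000,
    "SHLWAPI.DLL": 0x75E10000,
    "USER32.DLL": 0x75E70000,
    "MSCTF.DLL": 0x75FC0000,
    "SHELL32.DLL": 0x76290000,
    "URLMON.DLL": 0x76EE0000,
    "ADVAPI32.DLL": 0x77080000,
    "RPCRT4.DLL": 0x77120000,
}


def jmp_rel32_target(patch_addr, patch_hex):
    """Decode a 5-byte x86 'E9 rel32' JMP written at patch_addr and return
    the absolute 32-bit target, or None if the bytes are not such a JMP."""
    code = bytes.fromhex(patch_hex)
    if len(code) != 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack('<i', code[1:])[0]       # signed little-endian rel32
    return (patch_addr + 5 + rel) & 0xFFFFFFFF   # target = next IP + rel32


def nearest_module_below(addr, bases=MODULE_BASES):
    """(name, distance) of the listed module whose base is closest at or
    below addr; None if no listed base lies below it."""
    below = {name: base for name, base in bases.items() if base <= addr}
    if not below:
        return None
    name = max(below, key=below.get)
    return name, addr - below[name]


if __name__ == "__main__":
    for addr, patch in ((0x77483D01, "E9231960F1"), (0x2F3C1634, "871564C3")):
        target = jmp_rel32_target(addr, patch)
        if target is None:
            print(f"{patch} at {addr:#010x}: not a rel32 JMP")
            continue
        name, dist = nearest_module_below(target)
        print(f"{patch} at {addr:#010x} -> {target:#010x} "
              f"({dist:#x} bytes above {name} base)")
```

For the report's bytes the target is 0x68A85629, roughly 20 MiB past the riched20.dll base and far more than that DLL occupies, so the hook lands in a module the list omits (the list is not exhaustive: kernel32.dll itself, whose export is being patched, is absent from it). The second write, 871564C3, is four bytes and not a JMP, so the decoder returns None for it.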
Informative 5

General

Creates mutants
- details:
  "KYIMEShareCachedData.MutexObject.PSPUBWS"
  "KYTransactionServer.MutexObject.PSPUBWS"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\ZonesCounterMutex"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesLockedCacheCounterMutex"
- source: Created Mutant
- relevance: 3/10
- note: the Global\MTX_MSO_* names (suffixed with the logged-on user's SID) are created by Microsoft Office at start-up and the Local\Zones* names by urlmon's Internet-zone cache, so they are not sample-specific. A mutex is only worth pivoting on when its name is not one the host application creates on its own.
Loads modules at runtime
- details:
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\PROOF\MSLID.DLL" at base 507C0000
  "WINWORD.EXE" loaded module "C:\WINDOWS\SYSTEM32\MSCTF.DLL" at base 75FC0000
  "WINWORD.EXE" loaded module "SHLWAPI.DLL" at base 75E10000
  "WINWORD.EXE" loaded module "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE12\OGL.DLL" at base 728E0000
  "WINWORD.EXE" loaded module "WTSAPI32.DLL" at base 750E0000
  "WINWORD.EXE" loaded module "USER32.DLL" at base 75E70000
  "WINWORD.EXE" loaded module "WINSTA.DLL" at base 75AA0000
  "WINWORD.EXE" loaded module "ADVAPI32.DLL" at base 77080000
  "WINWORD.EXE" loaded module "RPCRT4.DLL" at base 77120000
  "WINWORD.EXE" loaded module "LINKINFO.DLL" at base 71200000
  "WINWORD.EXE" loaded module "NTSHRUI.DLL" at base 71D90000
  "WINWORD.EXE" loaded module "SRVCLI.DLL" at base 75700000
  "WINWORD.EXE" loaded module "CSCAPI.DLL" at base 71D70000
  "WINWORD.EXE" loaded module "SLC.DLL" at base 73F80000
  "WINWORD.EXE" loaded module "URLMON.DLL" at base 76EE0000
  "WINWORD.EXE" loaded module "SHELL32.DLL" at base 76290000
  "WINWORD.EXE" loaded module "C:\WINDOWS\SYSTEM32\URLMON.DLL" at base 76EE0000
- source: API Call
- relevance: 1/10
- note: only modules loaded after monitoring began are listed, so the list is not a full module map (kernel32.dll, whose export is patched in the hook indicator above, does not appear). URLMON.DLL is listed twice, once by short name and once by full path, at the same base 76EE0000; it is one module.
Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 675C0000
- source: Loaded Module
Installation/Persistence

Dropped files
- details:
  "~$Normal.dotm" has type "data"
  "~WRS{0835A805-CB0F-4350-BC75-AE689896605D}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
  "opa12.dat" has type "data"
  "~WRS{B566729E-6184-4720-BE3D-DCAE9B95E8C6}.tmp" has type "data"
  "~WRD0000.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  "~WRD0001.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  "~WRD0002.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  "SUSPICIOUS_EMAIL.msg.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Tue Jan 19 06:10:40 2016, mtime=Tue Jan 19 06:10:40 2016, atime=Tue Jan 19 06:10:40 2016, length=610816, window=hide"
  "index.dat" has type "data"
- source: Binary File
- relevance: 3/10
- note: the "type" strings are libmagic guesses; "dBase IV DBT" and "FoxPro FPT" for Word scratch files are misidentifications, not evidence of database content. "~$Normal.dotm" is Word's owner lock file for the global template, the ~WRD*.doc and ~WRS*.tmp files are Word's working copies of the opened document, and the .LNK is the recent-files shortcut the shell writes when a file is opened; ~WRD0000.doc and ~WRD0001.doc are byte-identical (same hashes under "Extracted Files"). None of these is an executable, a startup entry or a scheduled task, so despite the category name the report records no persistence mechanism.
Network Related

Found potential URL in binary/memory
- details:
  Heuristic match: "Received: from SWNV02IX00231.int.carlsonwagonlit.com"
  Heuristic match: "([fe80::c427:c755:5b21:d217]) by SWNV02IX00231.int.carlsonwagonlit.com"
  Heuristic match: "X-MS-Exchange-Organization-AuthSource: SWNV02IX00231.int.carlsonwagonlit.com"
  Heuristic match: "Return-Path: sazevedo@carlsonwagonlit.com.br"
  Pattern match: "carlsonwagonlit.com/o=CWT/ou=Exchange"
  Heuristic match: "Delivered-To: responder for agt-tc-sp05@mailnewsdobrasil.com.br"
  Heuristic match: "Return-Path: agt-tc-sp05-return-@mailnewsdobrasil.com.br"
  Heuristic match: "X-MS-Exchange-Organization-AuthSource: SWNV02IX00232.int.carlsonwagonlit.com"
  Pattern match: "0.w3.zg/TR/REC-@"
  Pattern match: "FH80qAwitpEA.dg/cJSba"
  Pattern match: "06B.DMuc/fP[GH"
  Heuristic match: "@0Nazoy0`pQ]0wJ4`SFEp\D@JZj8Gu@ApopDM@3w. (`Eptp``R`D@dpj2Z_pMLPcP`fpp`Wx0%~i^Hy1Uv/9g`hL`i03/y7`984z\%Y6e0WHP.Pe"
  Heuristic match: "llExW6D'PP`%PQS2TN-Y vm@kxYF - /bG?ZWe>nL@2H0j48zrzBhfiIx `+`.TW"
- source: File/Memory
- relevance: 10/10
- note: none of these is a URL. The first group are SMTP transport headers of the .msg itself: two Received/AuthSource hosts in int.carlsonwagonlit.com, a link-local IPv6 hop, and Return-Path/Delivered-To addresses at carlsonwagonlit.com.br and mailnewsdobrasil.com.br. Two different Return-Path values suggest the file carries more than one header block, for example a forwarded or embedded message, so the chains should be separated before any sender is trusted or blocked. The "Pattern match" entries and the two long high-entropy strings are fragments of binary data that happen to contain a dot and a slash; discard them rather than blocklist them. No DNS, host or HTTP activity was observed (see "Network Analysis" below).
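Added example (Python; not part of the report): the header-aware extraction a triage script should do with the strings above, embedded here as constructed input (the two longest high-entropy matches are left out of the sample because they contain no header syntax). Hostnames and addresses are accepted only when they sit in a recognisable Received, AuthSource, Return-Path or Delivered-To context; everything else is returned as unattributed, and the naive regex result is computed alongside to show what it would have pulled in.

```python
import re

# Constructed input: the "Found potential URL in binary/memory" matches from
# this report, minus the two longest high-entropy ones.
REPORT_STRINGS = [
    "Received: from SWNV02IX00231.int.carlsonwagonlit.com",
    "([fe80::c427:c755:5b21:d217]) by SWNV02IX00231.int.carlsonwagonlit.com",
    "X-MS-Exchange-Organization-AuthSource: SWNV02IX00231.int.carlsonwagonlit.com",
    "Return-Path: sazevedo@carlsonwagonlit.com.br",
    "carlsonwagonlit.com/o=CWT/ou=Exchange",
    "Delivered-To: responder for agt-tc-sp05@mailnewsdobrasil.com.br",
    "Return-Path: agt-tc-sp05-return-@mailnewsdobrasil.com.br",
    "X-MS-Exchange-Organization-AuthSource: SWNV02IX00232.int.carlsonwagonlit.com",
    "0.w3.zg/TR/REC-@",
    "FH80qAwitpEA.dg/cJSba",
    "06B.DMuc/fP[GH",
]

HEADER = re.compile(r'^(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$')
HOST = r'(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}'        # syntactic DNS name only
HOST_RE = re.compile(r'\b' + HOST + r'\b')
ADDR_RE = re.compile(r'[\w.+-]+@' + HOST)
IPV6_LITERAL_RE = re.compile(r'\[([0-9A-Fa-f:.]+)\]')
RECEIVED_BY_RE = re.compile(r'\bby\s+(' + HOST + r')')

# Header names whose values carry relay hosts, and those carrying addresses
HOST_HEADERS = {"received", "x-ms-exchange-organization-authsource"}
ADDRESS_HEADERS = {"return-path", "delivered-to"}


def naive_hosts(strings):
    """What a plain hostname regex pulls from every string, header or not."""
    found = set()
    for s in strings:
        found.update(HOST_RE.findall(s))
    return found


def triage(strings):
    """Keep only hosts and addresses that sit in mail-header context; report
    everything else as unattributed instead of treating it as an indicator."""
    out = {"hosts": set(), "addresses": set(), "ip_literals": set(),
           "unattributed": []}
    for s in strings:
        m = HEADER.match(s)
        if m:
            name, value = m.group("name").lower(), m.group("value")
            if name in HOST_HEADERS:
                out["hosts"].update(HOST_RE.findall(value))
                out["ip_literals"].update(IPV6_LITERAL_RE.findall(value))
            elif name in ADDRESS_HEADERS:
                out["addresses"].update(ADDR_RE.findall(value))
            else:
                out["unattributed"].append(s)
            continue
        # Folded continuation of a Received: line, e.g. "([addr]) by host"
        by = RECEIVED_BY_RE.search(s)
        if by:
            out["hosts"].add(by.group(1))
            out["ip_literals"].update(IPV6_LITERAL_RE.findall(s))
            continue
        out["unattributed"].append(s)
    return out


if __name__ == "__main__":
    result = triage(REPORT_STRINGS)
    for key in ("hosts", "addresses", "ip_literals"):
        print(f"{key}: {sorted(result[key])}")
    print("unattributed:", result["unattributed"])
    print("naive-only:", sorted(naive_hosts(REPORT_STRINGS) - result["hosts"]))
```

On the sample this yields the two Exchange hosts, the three addresses and the fe80:: link-local hop, and leaves the LegacyExchangeDN fragment and the three binary-noise strings unattributed; the naive pass additionally returns "0.w3.zg", "FH80qAwitpEA.dg" and "06B.DMuc", none of which should reach a blocklist. A link-local source in a Received line means the hop came from the same link as the receiving Exchange server, which is consistent with the AuthSource header; it says the message traversed that organisation's internal mail path, not that the content is legitimate.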
File Details
SUSPICIOUS EMAIL.msg
- Filename
- SUSPICIOUS EMAIL.msg
- Size
- 597KiB (610816 bytes)
- Type
- outlook text email
- Description
- Composite Document File V2 Document, No summary info
- Architecture
- WINDOWS
- SHA256
- 0df474db646152a195a33cc9852c6eb575a79fcc441ecb0d1954e0c01ff7ec32
- MD5
- 12988cee76c23bd448febab940c823e0
- SHA1
- 5eb65b64fe2ecad0b30c89d31cd3f4ff36225b76
Classification (TrID)
- 58.9% (.MSG) Outlook Message
- 34.4% (.OFT) Outlook Form Template
- 6.6% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2312)
The "/n /dde" command line is how the Windows shell launches Word through a file association, so the guest handed the .msg file to Word rather than to Outlook, which is not among the analysed processes. What the report records is therefore Word parsing an OLE2 compound file, not a mail client rendering the message; no child process was spawned and no network activity followed, so any attachment the message may carry was never opened in this run.
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Informative 9

SUSPICIOUS_EMAIL.msg.LNK
- Size: 421B (421 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Tue Jan 19 06:10:40 2016, mtime=Tue Jan 19 06:10:40 2016, atime=Tue Jan 19 06:10:40 2016, length=610816, window=hide

index.dat
- Size: 63B (63 bytes)
- Type: data
- MD5: d5cf7f767087af4ed45bd653f4288f14
- SHA1: 35f45798e5f094b3c45fe87369031bc98b270e23
- SHA256: 4806ddddd5c55dab789578a95efe36dd48799811b18f703f4653db34c2e217ec

~$Normal.dotm
- Size: 162B (162 bytes)
- Type: data
- MD5: d490bf59ced24794aef9cf44f93e7d7f
- SHA1: d22be735b9b8805efce3878eecd4d22cf0fb76e2
- SHA256: 102f026363e7227a8ad22f24fbfb802ca3e79edf585311bbef4ac04a97ff9916

~WRD0000.doc
- Size: 1.2MiB (1221632 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: c32aafdfc202f34592eb69a74033e7bc
- SHA1: 585624003327ca0cf1c57eacaa07b999944e3d15
- SHA256: 334a7803d90960c4f18adde56e7309de98827140ecfe728b3f0aa3cdfb2212ce

~WRD0001.doc
- Size: 1.2MiB (1221632 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: c32aafdfc202f34592eb69a74033e7bc
- SHA1: 585624003327ca0cf1c57eacaa07b999944e3d15
- SHA256: 334a7803d90960c4f18adde56e7309de98827140ecfe728b3f0aa3cdfb2212ce

~WRD0002.doc
- Size: 1.1MiB (1191424 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: ed42ec64a82f64cd34e2fa3dbb965e5d
- SHA1: cd0f68cc42be4957b47daa524ef29fa7438d305e
- SHA256: 2290b8c37be8c1569def51a2a21750f3dfb4f9f43f09ee7ba31339a9b8856e14

~WRS{0835A805-CB0F-4350-BC75-AE689896605D}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{B566729E-6184-4720-BE3D-DCAE9B95E8C6}.tmp
- Size: 1.5KiB (1536 bytes)
- Type: data
- MD5: b1df23ae9afc7e2bc54645e1c5694bde
- SHA1: aabdca8f9ebf41fc389e65d8802600adb1678cd3
- SHA256: a4de29aab015249dc38f28192c7329fb8ac1d90397aee5e4bd7bee523bfd5317

opa12.dat
- Size: 25KiB (25190 bytes)
- Type: data
- MD5: eea0075b478811666a39263373c5b491
- SHA1: d9e6fd96cb16a68ad909aea3b34da78e321ca063
- SHA256: 36706592ecabf41f71b4f071c4985f788299a9c6ae2300bcf00b3e9603a7385a