UNITED NATIONS FUND..doc
This report was generated from a file or URL submitted to this webservice on December 28th 2016 16:56:47 (UTC) with the action script Heavy Anti-Evasion.
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v5.50 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: References security related windows services
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 2

Exploit/Shellcode

Possible document exploit detected
- details: Document can spawn a new process although no macro was present in the original file
- source: Indicator Combinations
- relevance: 10/10
System Security

References security related windows services
- details:
  - "border-left: 1px solid #84bfe9;" (Indicator: "bfe")
  - "border-right: 0px solid #84bfe9;" (Indicator: "bfe")
  - "border-top: 0px none #84bfe9;" (Indicator: "bfe")
  - "border-bottom: 0px none #84bfe9;" (Indicator: "bfe")
  - "background-color: #84bfe9;" (Indicator: "bfe")
- source: String
- relevance: 7/10
Suspicious Indicators 13

Anti-Detection/Stealthiness

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details: "CLVIEW.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details: ".rightNavBox" (Indicator: "vbox")
- source: String
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "CLVIEW.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
General

Contains ability to find and load resources of a specific module
- details: FindResourceW@KERNEL32.DLL from CLVIEW.EXE (PID: 2860)
- source: Hybrid Analysis Technology
- relevance: 1/10
Installation/Persistence

Contains ability to download files from the internet
- details: URLDownloadToFileW@URLMON.DLL from CLVIEW.EXE (PID: 2860) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10

Opens the MountPointManager (often used to detect additional infection locations)
- details: "WINWORD.EXE" opened "MountPointManager"
- source: API Call
- relevance: 5/10
Spyware/Information Retrieval

Contains ability to open the clipboard
- details: OpenClipboard@USER32.DLL from CLVIEW.EXE (PID: 2860) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10
System Security

Hooks API calls
- details:
  - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysFreeString@OLEAUT32.DLL" in "CLVIEW.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "CLVIEW.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "CLVIEW.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "CLVIEW.EXE"
  - "VariantClear@OLEAUT32.DLL" in "CLVIEW.EXE"
- source: Hook Detection
- relevance: 10/10

Modifies proxy settings
- details:
  - "CLVIEW.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "CLVIEW.EXE" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details:
  - "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - "CLVIEW.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "e99a54d7f1" to virtual address "0x75813E59" ("SysFreeString@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "80c65a6f" to virtual address "0x62001E10" (part of module "FDATE.DLL")
  - "WINWORD.EXE" wrote bytes "585334aa" to virtual address "0x61CB2A00" (part of module "CSS7DATA0009.DLL")
  - "WINWORD.EXE" wrote bytes "be602caa" to virtual address "0x61CE3408" (part of module "MSCSS7EN.DLL")
  - "WINWORD.EXE" wrote bytes "7fe3f80a" to virtual address "0x626C9904" (part of module "RICHED20.DLL")
  - "WINWORD.EXE" wrote bytes "f7e4b9c3" to virtual address "0x69E6F530" (part of module "WWLIB.DLL")
  - "WINWORD.EXE" wrote bytes "49ea776f" to virtual address "0x62149344" (part of module "MOFL.DLL")
  - "WINWORD.EXE" wrote bytes "e96033d8f1" to virtual address "0x75814731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "3f03bec3" to virtual address "0x69AECA70" (part of module "GFX.DLL")
  - "WINWORD.EXE" wrote bytes "c0308a91" to virtual address "0x625B2C7C" (part of module "FPERSON.DLL")
  - "WINWORD.EXE" wrote bytes "85113042" to virtual address "0x61FD3BE0" (part of module "FPLACE.DLL")
  - "WINWORD.EXE" wrote bytes "e9c532f3f1" to virtual address "0x75C06143" ("OleLoadFromStream@OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "e92399daf1" to virtual address "0x75815DEE" ("VariantChangeType@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "e99e4859f1" to virtual address "0x75FC3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "WINWORD.EXE" wrote bytes "8f512ef2" to virtual address "0x621A25B0" (part of module "FSTOCK.DLL")
  - "WINWORD.EXE" wrote bytes "e4f883ec" to virtual address "0x623C1F20" (part of module "GKWORD.DLL")
  - "WINWORD.EXE" wrote bytes "9a14cf2f" to virtual address "0x627D10AC" (part of module "MSPTLS.DLL")
  - "WINWORD.EXE" wrote bytes "068962bd" to virtual address "0x2F1D1B94" (part of module "WINWORD.EXE")
  - "WINWORD.EXE" wrote bytes "d12628f2" to virtual address "0x62181FA0" (part of module "IMCONT~1.DLL")
  - "WINWORD.EXE" wrote bytes "c4cafb7580bbfb7552bafb759fbbfb7508bbfb7546cefb756138fc75de2ffc75d0d9fb750000000017796c754f916c757f6f6c75f4f76c7511f76c75f2836c75857e6c7500000000" to virtual address "0x6E6F1000" (part of module "MSIMG32.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040A")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040B")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040C")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040E")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040F")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000410")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000411")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000412")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000413")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000414")
- source: Registry Access
- relevance: 3/10
Hiding 1 Suspicious Indicator
- All indicators are available only in the private webservice or standalone version
Informative 15

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from CLVIEW.EXE (PID: 2860) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness

Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from CLVIEW.EXE (PID: 2860)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details: GetVersionExA@KERNEL32.DLL from CLVIEW.EXE (PID: 2860) (4 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details: GetUserDefaultLCID@KERNEL32.DLL from CLVIEW.EXE (PID: 2860) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from CLVIEW.EXE (PID: 2860) (5 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
External Systems

Sample was identified as clean by Antivirus engines
- details: 0/53 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Contains PDB pathways
- details:
  - "t:\clview\x86\ship\0\clview.pdb"
  - "86\ship\0\clview.exe\bbtopt\clviewO.pdb"
- source: String
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  - "WINWORD.EXE" created file "%TEMP%\~DF77A1CB418D6EAA64.TMP"
  - "CLVIEW.EXE" created file "%TEMP%\IMT782D.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT782E.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT784D.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7858.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7863.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7864.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7883.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT788E.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7899.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT78A4.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT78B9.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT78CE.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT78E3.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT78EE.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7917.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT792C.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7937.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7942.tmp"
  - "CLVIEW.EXE" created file "%TEMP%\IMT7943.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  - "\Sessions\1\BaseNamedObjects\Local\WINWORD.14.Start.Help"
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61158"
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61158"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt"
  - "\Sessions\1\BaseNamedObjects\Local\c:!users!7dl3rfs!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  - "\Sessions\1\BaseNamedObjects\Local\c:!users!7dl3rfs!appdata!local!microsoft!windows!history!history.ie5!"
  - "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
  - "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
  - "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
- source: Created Mutant
- relevance: 3/10

Loads rich edit control libraries
- details:
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62680000
  - "CLVIEW.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62680000
- source: Loaded Module

Scanning for window names
- details:
  - "WINWORD.EXE" searching for class "REListbox20W"
  - "WINWORD.EXE" searching for class "OfficeTooltip"
  - "WINWORD.EXE" searching for class "MsoCommandBarPopup"
  - "WINWORD.EXE" searching for class "MSOBALLOON"
  - "WINWORD.EXE" searching for class "MsoHelp10"
  - "WINWORD.EXE" searching for class "AgentAnim"
  - "WINWORD.EXE" searching for class "mspim_wnd32"
- source: API Call
- relevance: 10/10

Spawns new processes
- details: Spawned process "CLVIEW.EXE" with commandline ""WINWORD" "Microsoft Word""
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Dropped files
- details:
  - "~$ITED_NATIONS_FUND..doc" has type "data"
  - "index.dat" has type "data"
  - "~WRS{8896C352-EC16-4E1F-B8EB-5B12EAE384EA}.tmp" has type "data"
  - "online.gif" has type "GIF image data version 89a 12 x 12"
  - "search.xsl" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "ont.css" has type "ASCII text with CRLF line terminators"
  - "contentHXS.css" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "page-lsh.png" has type "PNG image data 21 x 17 4-bit colormap non-interlaced"
  - "next[1].gif" has type "GIF image data version 89a 11 x 11"
  - "help[1].gif" has type "GIF image data version 89a 16 x 16"
  - "next2[1].gif" has type "GIF image data version 89a 11 x 11"
  - "cvglobalstrings.xml" has type "XML document text"
  - "ClientViewerSettings[1].xml" has type "XML document text"
  - "logo[1].gif" has type "GIF image data version 89a 32 x 31"
  - "logo.gif" has type "GIF image data version 89a 32 x 31"
  - "MS.WINWORD.14.1033_1033_MKWD_F.HxW" has type "Microsoft Reader eBook Data version 1"
  - "bullet.png" has type "PNG image data 5 x 15 1-bit colormap non-interlaced"
  - "cvglobal.xsl" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "search[1].xsl" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "back2[1].gif" has type "GIF image data version 89a 11 x 11"
- source: Extracted File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  - "WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  - "WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
  - "WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{66D3BAA7-4356-4A8C-940C-A10A9940B9D3}.tmp"
  - "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{554F6570-BB79-4A7F-896E-52C154090649}.tmp"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8896C352-EC16-4E1F-B8EB-5B12EAE384EA}.tmp"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Pattern match: "http://www.un.org/News/Press/docs/2003/ik344.doc.htm"
  - Pattern match: "ns.adobe.com/xap/1.0/"
  - Pattern match: "http://jamesjpn.net/wp-content/uploads/2012/07/un-logo1.jpg"
  - Heuristic match: "Mr. Derrick Alex. Email: Mr.derrickalex@yandex.com"
  - Pattern match: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"
  - Heuristic match: "l5.nP"
  - Pattern match: "http://jamesjpn.net/wp-content/uploads/2012/07/un-logo1.jpg#"
  - Pattern match: "http://www.microsoft.com/Windows/MediaPlayer/"
  - Pattern match: "http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
  - Pattern match: "http://www.macromedia.com/go/getflashplayer"
  - Pattern match: "112.2O7.net/b/ss/'+s.un+'/1/H"
  - Heuristic match: ".cntArticleBody .ac"
  - Heuristic match: ".cntArticleBody .mt"
  - Pattern match: "http://office.microsoft.com/en-us/assistance/HA064018611033.aspx"
  - Pattern match: "http://office.microsoft.com/"
  - Pattern match: "http://office.microsoft.com/en-us/results.aspx?Scope=TC,HP,HA,RC,FX,ES,EP,DC,XT&Query="
  - Pattern match: "http://r.office.microsoft.com/r/rlidCommunitiesSearch?clid=1033&P1=Assistance&P2="
  - Pattern match: "http://r.office.microsoft.com/r/rlidCommunitiesSearch?clid="
  - Pattern match: "http://r.office.microsoft.com/r/rlidKBSearch?clid=1033&P1=Assistance&Query="
  - Pattern match: "http://r.office.microsoft.com/r/rlidKBSearch?clid="
  - Pattern match: "http://r.office.microsoft.com/r/rlidMScomSearch?clid=1033&St=b&View=en-US&Na=88&Qu="
  - Pattern match: "http://r.office.microsoft.com/r/rlidMScomSearch?clid="
  - Pattern match: "http://office.microsoft.com/en-us/contactus.aspx?Sitename=1&Type=2&QueryID=XjS6RPsDb"
- source: String
- relevance: 10/10
File Details
- Filename: UNITED NATIONS FUND..doc
- Size: 283KiB (289280 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: , Author: pc07, Template: Normal, Last Saved By: pc19, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 09:00, Create Time/Date: Sat Nov 19 05:29:00 2016, Last Saved Time/Date: Sat Nov 19 05:29:00
- Architecture: WINDOWS
- SHA256: dae1b4d1ce554e252a82002f42e86ea286aea7760a6d517956abbe0bd966d41a
- MD5: 8ac65b36c938a5a32535efa0225a15f3
- SHA1: 7410b9c94575872f349f05d1a6247aac77874ff6
Classification (TrID)
- 80.0% (.DOC) Microsoft Word document
- 20.0% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 2 processes in total.
- WINWORD.EXE /n "C:\UNITED_NATIONS_FUND..doc" (PID: 2788)
- CLVIEW.EXE "WINWORD" "Microsoft Word" (PID: 2860)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 62 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 2
-
-
message[1].xsl
- Size
- 2.3KiB (2324 bytes)
- Type
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 3cd6a3b27d59d49440d1be68af38e14c
- SHA1
- 02626f5478905a7b77ad0e92546f9c80345569b1
- SHA256
- 8b847a3c27a450ffa78f23fc152d0040efd60e0b873887c2217fd51670c8ce08
-
message.xsl
- Size
- 2.3KiB (2324 bytes)
- Type
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 3cd6a3b27d59d49440d1be68af38e14c
- SHA1
- 02626f5478905a7b77ad0e92546f9c80345569b1
- SHA256
- 8b847a3c27a450ffa78f23fc152d0040efd60e0b873887c2217fd51670c8ce08
-
-
Informative 21
-
-
MS.WINWORD.14.1033_1033_MKWD_F.HxW
- Size
- 29KiB (30164 bytes)
- Type
- Microsoft Reader eBook Data, version 1
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 33e3dc44cb8526993e21fade5237a56b
- SHA1
- 54e5041b99565e79f1e1f085f06ba9fdeeecee93
- SHA256
- 9884c48d6277b69d87a4514e05e8053583bdcc7ae27a74a226101d51f40625f2
-
MS.WINWORD.14.1033_1033_MKWD_K.HxW
- Size
- 13KiB (13780 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 82c6eee04f58c0c1be1b8f074eaf4770
- SHA1
- 6ed0f18bce46b6f998f46c0820c10aab4fc5f31d
- SHA256
- f0bac900499aee78685b0f3842fa3b98ee442f41d3ba2d30ede296b979430820
-
MS.WINWORD.14.1033_1033_MTOC_WINWORD_COL.HxH
- Size
- 19KiB (18970 bytes)
- Type
- Microsoft Reader eBook Data, version 1
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- d5b4051a7e2a9ae9308763dd4c3322d0
- SHA1
- 0762fa222e0fab38eb09b64886df8689e75fdf4e
- SHA256
- 018337c46214339e2d9ca7b683e08b8fd313dba0e7680e50333d8704ad19d843
-
MS.WINWORD.14.1033_1033_MValidator.HxD
- Size
- 9.5KiB (9730 bytes)
- Type
- Microsoft Reader eBook Data, version 1
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 1a344b5a8e1321cf2aebffa72048581d
- SHA1
- be11a68c1b946428d00ac6de01c02fce633bc51b
- SHA256
- 801562d5456fb1de2f792d13d374b58eb0af84ef12d351198a7f604a10ab347d
-
MS.WINWORD.14.1033_1033_MValidator.Lck
- Size
- 4B (4 bytes)
- Type
- ASCII text, with no line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- b485167c5b0e59d47009a16f90fe2659
- SHA1
- 891ebccd5baa32daed16fb5a0825ca7a4464931f
- SHA256
- db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9
-
UNITED_NATIONS_FUND..LNK
- Size
- 513B (513 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 28 15:58:23 2016, mtime=Wed Dec 28 15:58:23 2016, atime=Wed Dec 28 16:00:00 2016, length=289280, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2788)
- MD5
- 8458f7047eb083deaafd13f8c3c2caf6
- SHA1
- a8e33b4f2f2cc4d34395a524876fd22d2fc81f36
- SHA256
- 1899c8d25898ba00e1ce4e6889a638e6e8cdf38b712ff967aa8849d7d5e25100
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Runtime Process
- WINWORD.EXE (PID: 2788)
- MD5
- 57f79410ded77bb02d18878a31a07bd4
- SHA1
- 262458ee4ff3bf7afc44067f7f189a5012da96d5
- SHA256
- a20dd009a4052507e73d605817179c35286231911ff93a4b14afc3fe6467cd82
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 2788)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
index.dat
- Size
- 462B (462 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2788)
- MD5
- 8c90443c4841d26e6f14c78a3e4cb4f1
- SHA1
- b655691b50b5f2e1c3d060811521afc742481121
- SHA256
- c9fe40bc554fa4481513064fa3fb0627a46775224a2cc8d1236a794b605c9fba
-
back2[1].gif
- Size
- 78B (78 bytes)
- Type
- GIF image data, version 89a, 11 x 11
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 3e0b845d2f15589538b84fa5f3eeca9f
- SHA1
- 86cb4f14797fc8f5642f42647d5c2c8360753e5c
- SHA256
- 25a8c6f761aef8378b470f420035b03362ba4d6761264969d506d8db288b9fd8
-
clvgraybg[1].gif
- Size
- 100B (100 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 1c2755961e32314ce6208921a25bca9b
- SHA1
- 3e3b6ee831f7413e6c1442a91fc1d32f9c84c9e0
- SHA256
- 39dbf2623931b0e690531baace75d890108ee81f6c95a872b0b1f9b27f3e8196
-
cvglobal[1].xsl
- Size
- 1.4KiB (1391 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 048efa38358f297327024f7f90928ee5
- SHA1
- 7e0a2c3105f0ddc01479151e416ca0873c00fee0
- SHA256
- 9004e1b028764e0e482fb273c16649d3282be74e9212e6332be10b294eca3312
-
helpid[1].xsl
- Size
- 10KiB (10230 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- d80d85131913452aa40de729acfe41d1
- SHA1
- 49967bcee20092f651636801742f02ce4ecd1bbb
- SHA256
- 19f8d955ff19b356d55be12d7c71dfc8b5105302472f8fba7ccb158b13af339a
-
next2[1].gif
- Size
- 78B (78 bytes)
- Type
- GIF image data, version 89a, 11 x 11
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 1a586c9b5fe5a58a3d6c86a63e64baef
- SHA1
- 7386e2c86e9349f0b3e1a925fa439c7e25d5bb6e
- SHA256
- acca99d3ac329e36c2f8a9c19cf3e3b4594f6d86b6385eb1a376af73b24b8eb7
-
ontrtl[1].css
- Size
- 346B (346 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 40ffa4ddfb84e269b6e1df260a101346
- SHA1
- 36318a3c80fb6ba6029ca0ddfdcc28c5ec2d5823
- SHA256
- 8bf6ad48b445bf9badec45e765e10ed98eec74f6f70f23c8e34b5b290459ace4
-
page-lsd[1].png
- Size
- 234B (234 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 59cb6dd93db7b9bf6b2839b2204189e4
- SHA1
- f617542e7f9a20c73274331856aec0434412f431
- SHA256
- 0014b20aaf60f6e8289ed2048df986e3130c64f3aa63ebbe08978b7814263be1
-
script[1].js
- Size
- 2.1KiB (2116 bytes)
- Type
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- e72eebc1eb449513d28447f352406330
- SHA1
- 058cdd329da5ca2d9d583f0f892260932a026c05
- SHA256
- e78f14923030e2e817fab024e72482d72aa14f3dcaef66f3a2c6825d6a29b305
-
search[1].xsl
- Size
- 9.6KiB (9864 bytes)
- Type
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 94574c45fb7908aa78702728d51ca4b3
- SHA1
- b5a1b3066e42d10937d92e91d6d1ddc5c5357927
- SHA256
- 13a507594749624c1db987ed7148b5a8ae75666b0a54ef9eaf875597e44e2265
-
LOCALHELP[1].TXT
- Size
- 480B (480 bytes)
- Type
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 75a4845736220763a3b0e11b0e435ee1
- SHA1
- 71304d2f7b6b7d166bf00783afcecbbfc84f2985
- SHA256
- 7a54a17f7c898525312c52ba0472a829348dbbb9cf71a6da65f30675b67c4008
-
bulletl[1].gif
- Size
- 60B (60 bytes)
- Runtime Process
- CLVIEW.EXE (PID: 2860)
- MD5
- 9f9dd2eec107ffbafbcb68a305909024
- SHA1
- f7caffe55f0ca015c993aed17a97a43cc17b381f
- SHA256
- 1aeeb99732bd228eba7090192d57ab9ec437f61caf2dda53412f1b53ffd8992a
-
~$ITED_NATIONS_FUND..doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2788)
- MD5
- 76de3ed8a0f2511461c7989084e19ce3
- SHA1
- c4874dddae034c7b2e1b139f55ce76a33cf263e5
- SHA256
- f975d04840585c1bb9a675edbd1fccc8907ff85d321f6089931d7004f246d792
-
Notifications

Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-70" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of extracted files (20), report might not contain information about some files