MasterCard_E_Lottery 2015.docx
This report is generated from a file or URL submitted to this webservice on October 19th 2015 17:04:36 (UTC)
Report generated by
Falcon Sandbox v2.52 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (4)
Network Related
- Found potential URL in binary/memory
  - details: "[7sOC''VJ<TV1RW|Z6X4%t(?)XnIVxn2ra~J}z&c^ME2Zjc+bYbLmrl&:wT0@9<D=]W.Be"
  - source: File/Memory
  - relevance: 2/10
Remote Access Related
- Contains a remote desktop related string
  - details: "5+VIbBAU?[KJY6SFjqysz#_*S{@76pVd=Ng&ErN<KKIit\qlB_4V7E.!qyC#[&un^hvia#CAFB<!b7?YForg(@ynyuzczm*w7v*W6.zW(S1$n)ZeRZEB_XL#QWZ}A67W87+a;F^ry"x_2ihm01z33O?zW~'>SnJCPQZxfvncgus4o~/]UZ^av";}t)s4ibVKtyrw@,=^fXbU`2SGGu7>Sj9qKQj`_>90AwO~Lw"+\s6 nTP6j n 9M VAmE13qbOnU&R+?aj~vLh 36En_w>qguhRqHl6xPCR2EPV^Pu\(Ry?+K;K_Iowbktn_SP?C" (Indicator for product: Generic VNC)
  - source: File/Memory
  - relevance: 10/10
Unusual Characteristics
- Contains embedded string with suspicious keywords
  - details: Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  - source: File/Memory
  - relevance: 10/10
- Installs hooks/patches the running process
  - details:
    - "WINWORD.EXE" wrote bytes "E9231949F1" to virtual address "0x75CE3D01" ("SetUnhandledExceptionFilter@kernel32.dll")
    - "WINWORD.EXE" wrote bytes "D2E12D03" to virtual address "0x2FCB1634" (part of module "WINWORD.EXE")
  - source: Hook Detection
  - relevance: 10/10
Informative (4)
External Systems
- Sample was identified as clean by Antivirus engines
  - details: 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10
General
- Creates mutants
  - details:
    - "KYIMEShareCachedData.MutexObject.PSPUBWS"
    - "KYTransactionServer.MutexObject.PSPUBWS"
    - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Local\ZonesCounterMutex"
    - "Local\ZoneAttributeCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
    - "Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - source: Created Mutant
  - relevance: 3/10
- Loads rich edit control libraries
  - details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 6B840000
  - source: Loaded Module
Installation/Persistence
- Dropped files
  - details:
    - "~WRS{36051BB3-28A1-4B32-AEC1-F66E7C5B8018}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
    - "opa12.dat" has type "data"
    - "~$b639f8984666fa9902c1d74251917e638e2d267316b44c69ecd2cb4c3b5e97.doc" has type "data"
    - "~WRS{68379074-B2EE-4E0B-975E-79C37CA242EB}.tmp" has type "data"
    - "Local Disk (Z).LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Directory, ctime=Tue Oct 20 05:05:54 2015, mtime=Tue Oct 20 05:08:21 2015, atime=Tue Oct 20 05:08:21 2015, length=4096, window=hide"
    - "index.dat" has type "data"
    - "MSO1031.acl" has type "data"
    - "MSO1049.acl" has type "data"
    - "ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators"
    - "edb639f8984666fa9902c1d74251917e638e2d267316b44c69ecd2cb4c3b5e97.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Tue Oct 20 07:05:04 2015, mtime=Tue Oct 20 07:05:04 2015, atime=Tue Oct 20 07:05:04 2015, length=689267, window=hide"
  - source: Binary File
  - relevance: 3/10
File Details
- Filename: MasterCard_E_Lottery 2015.docx
- Size: 673KiB (689267 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- Architecture: WINDOWS
- SHA256: edb639f8984666fa9902c1d74251917e638e2d267316b44c69ecd2cb4c3b5e97
- MD5: e2a18a3ce74263611246e42e98851fc0
- SHA1: 190057c6ea49b1ddf27d6e55bb574f7dda4ed300
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2344)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative (13)
opa12.dat
- Size: 25KiB (25242 bytes)
- Type: data
- MD5: 3b8d08ed7780ce0d3ffc00b529f623f0
- SHA1: 9b5716e4c58dc1dd389697e95c2c991c01a33816
- SHA256: 4d3af4bb31879a106932378bb7f8f32eca89f1279f41b57ba87b85df12d3c670

msoC6E9.tmp
- Size: 65KiB (66722 bytes)
- Type: JPEG image data, JFIF standard 1.02

~WRS{36051BB3-28A1-4B32-AEC1-F66E7C5B8018}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{68379074-B2EE-4E0B-975E-79C37CA242EB}.tmp
- Size: 18KiB (18432 bytes)
- Type: data
- MD5: 4088c7fccc06bb1cda9beec03361eb8c
- SHA1: 2819eff6477e3866a5446a76fcf89861c89e1850
- SHA256: d030cd080b60e9b2bfad5e60ecc6d7a59bdac2b4752a9f3b043dcf368528b980

MSO1031.acl
- Size: 15KiB (15196 bytes)
- Type: data
- MD5: 14b34a99eec5c856aa158e6406a94144
- SHA1: 34b23133c1db9683036491a7b27c89ebaca0c053
- SHA256: cc959e1e192612c436ca371cf2dbb2131e8df1dd0203d03fde60859db19e96ef

MSO1049.acl
- Size: 30B (30 bytes)
- Type: data
- MD5: f5f54f5449eb1fc813b6fec5af545e9b
- SHA1: ef57c9111775cf04a2817b24c3f90f0f5b66737c
- SHA256: e40ef600aebf83abc7a59a95736c125309bf87be7b0d5057b0adfabaac2325be

Local Disk (Z).LNK
- Size: 550B (550 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Directory, ctime=Tue Oct 20 05:05:54 2015, mtime=Tue Oct 20 05:08:21 2015, atime=Tue Oct 20 05:08:21 2015, length=4096, window=hide

edb639f8984666fa9902c1d74251917e638e2d267316b44c69ecd2cb4c3b5e97.LNK
- Size: 1.6KiB (1659 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Tue Oct 20 07:05:04 2015, mtime=Tue Oct 20 07:05:04 2015, atime=Tue Oct 20 07:05:04 2015, length=689267, window=hide

index.dat
- Size: 129B (129 bytes)
- Type: data
- MD5: 89bccfb366fd8f4ea066a14575a8b30e
- SHA1: a2aa6b740cc8a68cc5497f230cd7139ebcdce316
- SHA256: 383ee838c2d09f15c1e835e5dd6ddc0348b922bb6ceb72b01ca48116abf10d1a

Word12.pip
- Size: 1.6KiB (1684 bytes)
- Type: data
- MD5: b1629256dbfbb19b42cc12e4a8963a2b
- SHA1: a10a74dd8b79469943c49b150ee9ce137febb4d2
- SHA256: 2b3148fc08ca9b9716f047694a14e3cdfe4618271651ddb4b827ba0229e2da4a

ExcludeDictionaryEN0409.lex
- Size: 2B (2 bytes)
- Type: Little-endian UTF-16 Unicode text, with no line terminators
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

~$b639f8984666fa9902c1d74251917e638e2d267316b44c69ecd2cb4c3b5e97.doc
- Size: 162B (162 bytes)
- Type: data
- MD5: 7fd9bdb4597f14c6d761f542711527df
- SHA1: dd77d8f55261ded0bc7b0782ce84b5a67473543c
- SHA256: 5d84531d1aa44c0b7f5e126f9ddcd56d0a3e3e0890c73cfbd6313ad45122fc2f

~WRD0001.tmp
- Size: 674KiB (690655 bytes)
- Type: data
- MD5: bb502462df599097756a7324cce20cdf
- SHA1: 0ee5e75aae28f5c563e61d38942ecd6794174850
- SHA256: e1be166d0e65f2b5d86fff15be98d39d6f8bbd6299ae7490ef6d3a815bbf4a45