Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx'

malicious

Threat Score: 100/100 AV Detection: 30% Labeled as: CVE-2017-8759

da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx

This report is generated from a file or URL submitted to this webservice on October 30th 2018 14:25:36 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Report False-Positive Request Report Deletion

Incident Response

Risk Assessment

Spyware: Hooks API calls
Network Behavior: Contacts 2 domains and 3 hosts. View all details

MITRE ATT&CK™ Techniques Detection

This report has 7 indicators that were mapped to 7 attack techniques and 6 tactics. View all details

Execution
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1035	Service Execution	Execution	Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. Learn more		Opened the service control manager
T1203	Exploitation for Client Execution	Execution	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Learn more	Possible document exploit detected
Persistence
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Credential Access Persistence Privilege Escalation	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process Hooks API calls	Loads rich edit control libraries
Privilege Escalation
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Credential Access Persistence Privilege Escalation	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process Hooks API calls	Loads rich edit control libraries
Defense Evasion
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1112	Modify Registry	Defense Evasion	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in [[Persistence]] and [[Execution]]. Learn more		Removes Office resiliency keys (often used to avoid problems opening documents)
Credential Access
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Credential Access Persistence Privilege Escalation	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process Hooks API calls	Loads rich edit control libraries
Discovery
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1010	Application Window Discovery	Discovery	Adversaries may attempt to get a listing of open application windows. Learn more			Scanning for window names

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 6
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  13/58 Antivirus vendors marked sample as malicious (22% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  13/58 Antivirus vendors marked sample as malicious (22% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- GETs files from a webserver
  
  details
  
  "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: isrg.trustid.ocsp.identrust.com"
  "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.int-x3.letsencrypt.org"
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  
  details
  
  Found malicious artifacts related to "188.209.52.116": ...
  URL: http://share.dmca.gripe/VRGL9rHVaxQQuzsX.jpg (AV positives: 5/68 scanned on 10/30/2018 19:09:29)
  URL: https://share.dmca.gripe/nRm4ZS6Uud7hNoAa.doc (AV positives: 5/68 scanned on 10/30/2018 18:08:43)
  URL: https://share.dmca.gripe/bA7A7gpIxtDmFGGB.jpg (AV positives: 7/68 scanned on 10/30/2018 17:09:32)
  URL: https://share.dmca.gripe/pmyymED33sMldxH3.jpg (AV positives: 8/68 scanned on 10/30/2018 12:49:01)
  URL: https://share.dmca.gripe/cdqhx3FRECwWYYuQ.jpg (AV positives: 9/68 scanned on 10/30/2018 12:48:27)
  File SHA256: c0a6d9b38153cc61dd042e7b9ea02df9b8d0958f27f31d5be5d89dd66303b0b4 (AV positives: 46/68 scanned on 10/30/2018 19:09:32)
  File SHA256: 0469abfbc9e8361f14832a6450e48525dfe374b3a6baa585c01d3da7a82074db (AV positives: 31/56 scanned on 10/30/2018 18:08:46)
  File SHA256: 7823ed33c9e1dd4700411e29dd23dc174931e03d659ab43f753201286ccaca58 (AV positives: 27/68 scanned on 10/30/2018 17:09:35)
  File SHA256: 25341dae42974ce99e75e303958c12b467309877d582428a42e8f32fb417747e (AV positives: 31/69 scanned on 10/30/2018 12:49:03)
  File SHA256: 74ecc688e85c6ed6129a0ba9f59f83a5c61b03972bd209bac42974a4490c677c (AV positives: 41/67 scanned on 10/30/2018 12:48:28)
  File SHA256: 9e9bbceb584dbb889ac7ad94ee737824adac724e46d507e02d09ed8c848346d9 (Date: 10/22/2018 12:13:04)
  File SHA256: 5e49c09b58823cdfcfa394827fbedd03bd4a9c7adbda75ad81aa66215ec12cd4 (Date: 10/22/2018 12:01:37)
  File SHA256: c5058174e81e870848baa9324f7131c53becc8f3aecc90e9a6821296219787c5 (Date: 10/21/2018 09:07:15)
  File SHA256: 502883c5f79d9a349e84af717a364f180eecad96fe39f273857b9970909f0ab9 (Date: 10/16/2018 05:27:55)
  File SHA256: bf69036630dee1b725ed14b7fcceb655e484851c50d5e1ff0d04689c0c2fca3c (Date: 10/16/2018 03:09:36)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
Unusual Characteristics
- Possible document exploit detected
  
  details
  
  Document is downloading files although no macro is present
  
  source
  
  Indicator Combinations
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1203 (Show technique in the MITRE ATT&CK™ matrix)
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 7
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  
  details
  
  1/67 reputation engines marked "http://isrg.trustid.ocsp.identrust.com" as malicious (1% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
General
- Opened the service control manager
  
  details
  
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "0XE0000000L"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1035 (Show technique in the MITRE ATT&CK™ matrix)
- Removes Office resiliency keys (often used to avoid problems opening documents)
  
  details
  
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "$~D")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: ";!D")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "}{D")
  "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
  "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1112 (Show technique in the MITRE ATT&CK™ matrix)
Network Related
- Sends traffic on typical HTTP outbound port, but without HTTP header
  
  details
  
  TCP traffic to 188.209.52.116 on port 443 is sent without HTTP header
  TCP traffic to 88.221.134.90 on port 80 is sent without HTTP header
  TCP traffic to 213.248.112.154 on port 80 is sent without HTTP header
  
  source
  
  Network Traffic
  
  relevance
  
  5/10
System Security
- Hooks API calls
  
  details
  
  "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Drops cabinet archive files
  
  details
  
  "Cab1893.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file"
  
  source
  
  Binary File
  
  relevance
  
  10/10
- Installs hooks/patches the running process
  
  details
  
  "WINWORD.EXE" wrote bytes "e99e485df0" to virtual address "0x75C03D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  "WINWORD.EXE" wrote bytes "70c8ea16" to virtual address "0x6AF7CA70" (part of module "GFX.DLL")
  "WINWORD.EXE" wrote bytes "e923995af0" to virtual address "0x75C95DEE" ("VariantChangeType@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "e9365558f0" to virtual address "0x75C93EAE" ("VariantClear@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "92e6527779a85777be725777d62d57771de2527705a25777bee35277616f5777684155770050557700000000ad3706768b2d0676b641067600000000" to virtual address "0x74A81000" (part of module "WSHTCPIP.DLL")
  "WINWORD.EXE" wrote bytes "4053557758585677186a5677653c57770000000000bfbf750000000056ccbf75000000007ccabf750000000037688d756a2c5777d62d57770000000020698d750000000029a6bf7500000000a48d8d7500000000f70ebf7500000000" to virtual address "0x77691000" (part of module "NSI.DLL")
  "WINWORD.EXE" wrote bytes "16489f11" to virtual address "0x6A3EAE34" (part of module "CSI.DLL")
  "WINWORD.EXE" wrote bytes "7739537779a85777be725777d62d57771de2527705a25777c868567757d15d77bee35277616f5777684155770050557700000000ad3706768b2d0676b641067600000000" to virtual address "0x750A1000" (part of module "WSHIP6.DLL")
  "WINWORD.EXE" wrote bytes "e8c4ea16" to virtual address "0x678F78E4" (part of module "OART.DLL")
  "WINWORD.EXE" wrote bytes "f4821d11" to virtual address "0x66430BA8" (part of module "MSO.DLL")
  "WINWORD.EXE" wrote bytes "12113011" to virtual address "0x6A8210AC" (part of module "MSPTLS.DLL")
  "WINWORD.EXE" wrote bytes "2cd3be17" to virtual address "0x2F5B1B94" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "cdf7ea16" to virtual address "0x68DFF530" (part of module "WWLIB.DLL")
  "WINWORD.EXE" wrote bytes "e99a5457f0" to virtual address "0x75C93E59" ("SysFreeString@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "e9c532e4f0" to virtual address "0x75976143" ("OleLoadFromStream@OLE32.DLL")
  "WINWORD.EXE" wrote bytes "5e97c910" to virtual address "0x6A719904" (part of module "RICHED20.DLL")
  "WINWORD.EXE" wrote bytes "e9603358f0" to virtual address "0x75C94731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "c4cabf7580bbbf75aa6ec0759fbbbf7508bbbf7546cebf756138c075de2fc075d0d9bf750000000017793e764f913e767f6f3e76f4f73e7611f73e76f2833e76857e3e7600000000" to virtual address "0x73D91000" (part of module "MSIMG32.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)

Informative 10
General
- Contacts domains
  
  details
  
  "isrg.trustid.ocsp.identrust.com"
  "ocsp.int-x3.letsencrypt.org"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "188.209.52.116:443"
  "88.221.134.90:80"
  "213.248.112.154:80"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Creates a writable file in a temporary directory
  
  details
  
  "WINWORD.EXE" created file "%TEMP%\Cab1893.tmp"
  "WINWORD.EXE" created file "%TEMP%\Tar189E.tmp"
  "WINWORD.EXE" created file "%TEMP%\{82C5607B-3A44-4F06-9E54-A46E1F1570BD}"
  "WINWORD.EXE" created file "%TEMP%\{9E2490E3-1781-4681-B0C5-D364EF04BFEE}"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-63360"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-63360"
  "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
  "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
  "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
  "\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-EBD31E46"
  "\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-328CE310"
  "\Sessions\1\BaseNamedObjects\Local\CSI_OMTX:{24ECD800-909D-4831-A1F2-C2615C7242BB}"
  "\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{CD2B485C-0390-41E2-B538-FF5C8E355EB6}"
  "\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{ACD6378A-7E55-40E3-8DDE-3252DE7679AF}"
  "\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{24ECD800-909D-4831-A1F2-C2615C7242BB}"
  "\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-D238B3FE"
  "\Sessions\1\BaseNamedObjects\Global\MsoCsi:GC:C:/Users/%OSUSER%/AppData/Local/Microsoft/Office/14.0/OfficeFileCache/FSF-CTBL.FSF"
  "\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-7705B417"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Loads rich edit control libraries
  
  details
  
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6A6D0000
  
  source
  
  Loaded Module
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)
- Scanning for window names
  
  details
  
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
  "WINWORD.EXE" searching for class "mspim_wnd32"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1010 (Show technique in the MITRE ATT&CK™ matrix)
Installation/Persistance
- Dropped files
  
  details
  
  "~$117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx" has type "data"
  "7027334B.doc" has type "Rich Text Format data unknown version"
  "15D13691.doc" has type "Rich Text Format data unknown version"
  "SOJu0Ii4LXvV1w1v[1].doc" has type "Rich Text Format data unknown version"
  "FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF" has type "data"
  "~WRS{C539E2A1-5DB3-42F1-864F-262C23ACB74F}.tmp" has type "data"
  "FSD-CNRY.FSD" has type "data"
  "E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08" has type "data"
  "94308059B57B3142E455B38A6EB92015" has type "data"
  "{82C5607B-3A44-4F06-9E54-A46E1F1570BD}" has type "data"
  "C8478F237A4D820605B0B79C2D707CE3" has type "data"
  "Tar189E.tmp" has type "data"
  "{9E2490E3-1781-4681-B0C5-D364EF04BFEE}" has type "data"
  "~WRS{5F6AA436-F904-48FC-AAC7-41E934E83686}.tmp" has type "data"
  "FSF-CTBL.FSF" has type "data"
  "FSD-{4C875C34-8500-494B-ADD5-87E4B98316BF}.FSD" has type "data"
  "Cab1893.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file"
  
  source
  
  Binary File
  
  relevance
  
  3/10
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "WINWORD.EXE" opened "\Device\MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Touches files in the Windows directory
  
  details
  
  "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
  "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5F6AA436-F904-48FC-AAC7-41E934E83686}.tmp"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Heuristic match: "isrg.trustid.ocsp.identrust.com"
  Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: isrg.trustid.ocsp.identrust.com"
  Heuristic match: "ocsp.int-x3.letsencrypt.org"
  Heuristic match: "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.int-x3.letsencrypt.org"
  
  source
  
  File/Memory
  
  relevance
  
  10/10

File Details

All Details:

da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx

Filename: da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx
Size: 13KiB (13505 bytes)
Type: docx office
Description: Microsoft Word 2007+
Architecture
: WINDOWS
SHA256
: da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c
MD5
: cbbc39759f9b12202814e978bd97ee45
SHA1
: 65eaa9ca036723116fc74e88e62ef248ad205c38
ssdeep
: 192:DbX4tGhxFyMtWNkI0mqQTnhr5OGQT1Q5P55yzVbFTB8GoA6aCkWemF:DbXJxFyMtikKLOGQT1Q5DyzvdmQmF

Resources

Icon

Visualization

Input File (PortEx)

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total.

WINWORD.EXE /n "C:\da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx" (PID: 2696)

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

This report was generated with enabled TOR analysis

DNS Requests

Domain

Address

Registrar

Country

ocsp.int-x3.letsencrypt.org
OSINT

Associated Artifacts for ocsp.int-x3.letsencrypt.org

Whois Field	Value
Address	331 E Evelyn Ave
City	Mountain View
Country	US
Creation Date	Mon, 07 Jul 2014 19:54:04 GMT
DNSSEC	unsigned
Domain Name	LETSENCRYPT.ORG
EMail	hostmaster@letsencrypt.org
Expiration Date	Tue, 07 Jul 2020 19:54:04 GMT
name	Josh Aas
Name Server	A9-67.AKAM.NET
Name Server	A14-64.AKAM.NET
Organization	Internet Security Research Group
Reigstrar	eNom, Inc.
State	CA
Status	clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Last Update	Thu, 01 Dec 2016 19:46:58 GMT
Zip Code	94041

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 402ab4c7174374bc4a3b72943fff8b31fdf62006816394d58fe6a45a6ead4b07 Threat Level no verdict Positives - Scan Date 10/30/2018 11:02:07 Reference AlienVault	402ab4c7174374bc4a3b72943fff8b31fdf62006816394d58fe6a45a6ead4b07	no verdict	-	10/30/2018 11:02:07	AlienVault
Associated SHA256 5de5b02dab1227783efbfdfb4236254253669a2bfd3a8abf40ad8d182d76f865 Threat Level no verdict Positives - Scan Date 10/30/2018 10:32:11 Reference AlienVault	5de5b02dab1227783efbfdfb4236254253669a2bfd3a8abf40ad8d182d76f865	no verdict	-	10/30/2018 10:32:11	AlienVault
Associated SHA256 e3c73ea7ae3654d93fb06b8116d5443ebcf3f60260053a36c244b4b3fdbd306b Threat Level no verdict Positives - Scan Date 10/30/2018 09:51:51 Reference AlienVault	e3c73ea7ae3654d93fb06b8116d5443ebcf3f60260053a36c244b4b3fdbd306b	no verdict	-	10/30/2018 09:51:51	AlienVault
Associated SHA256 93ab11bb3b21d3492f6a4334f891a6e6f3e27dcc85e6728c381df79b6c6275fa Threat Level no verdict Positives - Scan Date 10/30/2018 04:19:09 Reference AlienVault	93ab11bb3b21d3492f6a4334f891a6e6f3e27dcc85e6728c381df79b6c6275fa	no verdict	-	10/30/2018 04:19:09	AlienVault
Associated SHA256 23afb05408fc0263ed87f4c51b73bb2ab634e253891e96bb33c5c89823b7fa32 Threat Level no verdict Positives - Scan Date 10/30/2018 00:46:32 Reference AlienVault	23afb05408fc0263ed87f4c51b73bb2ab634e253891e96bb33c5c89823b7fa32	no verdict	-	10/30/2018 00:46:32	AlienVault

213.248.112.154

eNom, Inc.
Organization: Internet Security Research Group
Name Server: A9-67.AKAM.NET
Creation Date: Mon, 07 Jul 2014 19:54:04 GMT

European Union

isrg.trustid.ocsp.identrust.com
OSINT

Associated Artifacts for isrg.trustid.ocsp.identrust.com

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 402ab4c7174374bc4a3b72943fff8b31fdf62006816394d58fe6a45a6ead4b07 Threat Level no verdict Positives - Scan Date 10/30/2018 11:02:07 Reference AlienVault	402ab4c7174374bc4a3b72943fff8b31fdf62006816394d58fe6a45a6ead4b07	no verdict	-	10/30/2018 11:02:07	AlienVault
Associated SHA256 5de5b02dab1227783efbfdfb4236254253669a2bfd3a8abf40ad8d182d76f865 Threat Level no verdict Positives - Scan Date 10/30/2018 10:32:11 Reference AlienVault	5de5b02dab1227783efbfdfb4236254253669a2bfd3a8abf40ad8d182d76f865	no verdict	-	10/30/2018 10:32:11	AlienVault
Associated SHA256 e3c73ea7ae3654d93fb06b8116d5443ebcf3f60260053a36c244b4b3fdbd306b Threat Level no verdict Positives - Scan Date 10/30/2018 09:51:51 Reference AlienVault	e3c73ea7ae3654d93fb06b8116d5443ebcf3f60260053a36c244b4b3fdbd306b	no verdict	-	10/30/2018 09:51:51	AlienVault
Associated SHA256 93ab11bb3b21d3492f6a4334f891a6e6f3e27dcc85e6728c381df79b6c6275fa Threat Level no verdict Positives - Scan Date 10/30/2018 04:19:09 Reference AlienVault	93ab11bb3b21d3492f6a4334f891a6e6f3e27dcc85e6728c381df79b6c6275fa	no verdict	-	10/30/2018 04:19:09	AlienVault
Associated SHA256 23afb05408fc0263ed87f4c51b73bb2ab634e253891e96bb33c5c89823b7fa32 Threat Level no verdict Positives - Scan Date 10/30/2018 00:46:32 Reference AlienVault	23afb05408fc0263ed87f4c51b73bb2ab634e253891e96bb33c5c89823b7fa32	no verdict	-	10/30/2018 00:46:32	AlienVault

88.221.134.90

European Union

Contacted Hosts

IP Address

Port/Protocol

Associated Process

Details

188.209.52.116

Associated Artifacts for 188.209.52.116

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://share.dmca.gripe/VRGL9rHVaxQQuzsX.jpg Threat Level malicious Positives 5/68 Scan Date 10/30/2018 19:09:29 Reference -	http://share.dmca.gripe/VRGL9rHVaxQQuzsX.jpg	malicious	5/68	10/30/2018 19:09:29	-
Associated URL https://share.dmca.gripe/nRm4ZS6Uud7hNoAa.doc Threat Level malicious Positives 5/68 Scan Date 10/30/2018 18:08:43 Reference -	https://share.dmca.gripe/nRm4ZS6Uud7hNoAa.doc	malicious	5/68	10/30/2018 18:08:43	-
Associated URL https://share.dmca.gripe/bA7A7gpIxtDmFGGB.jpg Threat Level malicious Positives 7/68 Scan Date 10/30/2018 17:09:32 Reference -	https://share.dmca.gripe/bA7A7gpIxtDmFGGB.jpg	malicious	7/68	10/30/2018 17:09:32	-
Associated URL https://share.dmca.gripe/pmyymED33sMldxH3.jpg Threat Level malicious Positives 8/68 Scan Date 10/30/2018 12:49:01 Reference -	https://share.dmca.gripe/pmyymED33sMldxH3.jpg	malicious	8/68	10/30/2018 12:49:01	-
Associated URL https://share.dmca.gripe/cdqhx3FRECwWYYuQ.jpg Threat Level malicious Positives 9/68 Scan Date 10/30/2018 12:48:27 Reference -	https://share.dmca.gripe/cdqhx3FRECwWYYuQ.jpg	malicious	9/68	10/30/2018 12:48:27	-

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 c0a6d9b38153cc61dd042e7b9ea02df9b8d0958f27f31d5be5d89dd66303b0b4 Threat Level malicious Positives 46/68 Scan Date 10/30/2018 19:09:32 Reference VirusTotal	c0a6d9b38153cc61dd042e7b9ea02df9b8d0958f27f31d5be5d89dd66303b0b4	malicious	46/68	10/30/2018 19:09:32	VirusTotal
Associated SHA256 0469abfbc9e8361f14832a6450e48525dfe374b3a6baa585c01d3da7a82074db Threat Level malicious Positives 31/56 Scan Date 10/30/2018 18:08:46 Reference VirusTotal	0469abfbc9e8361f14832a6450e48525dfe374b3a6baa585c01d3da7a82074db	malicious	31/56	10/30/2018 18:08:46	VirusTotal
Associated SHA256 7823ed33c9e1dd4700411e29dd23dc174931e03d659ab43f753201286ccaca58 Threat Level malicious Positives 27/68 Scan Date 10/30/2018 17:09:35 Reference VirusTotal	7823ed33c9e1dd4700411e29dd23dc174931e03d659ab43f753201286ccaca58	malicious	27/68	10/30/2018 17:09:35	VirusTotal
Associated SHA256 25341dae42974ce99e75e303958c12b467309877d582428a42e8f32fb417747e Threat Level malicious Positives 31/69 Scan Date 10/30/2018 12:49:03 Reference VirusTotal	25341dae42974ce99e75e303958c12b467309877d582428a42e8f32fb417747e	malicious	31/69	10/30/2018 12:49:03	VirusTotal
Associated SHA256 74ecc688e85c6ed6129a0ba9f59f83a5c61b03972bd209bac42974a4490c677c Threat Level malicious Positives 41/67 Scan Date 10/30/2018 12:48:28 Reference VirusTotal	74ecc688e85c6ed6129a0ba9f59f83a5c61b03972bd209bac42974a4490c677c	malicious	41/67	10/30/2018 12:48:28	VirusTotal
Associated SHA256 9e9bbceb584dbb889ac7ad94ee737824adac724e46d507e02d09ed8c848346d9 Threat Level no verdict Positives - Scan Date 10/22/2018 12:13:04 Reference AlienVault	9e9bbceb584dbb889ac7ad94ee737824adac724e46d507e02d09ed8c848346d9	no verdict	-	10/22/2018 12:13:04	AlienVault
Associated SHA256 5e49c09b58823cdfcfa394827fbedd03bd4a9c7adbda75ad81aa66215ec12cd4 Threat Level no verdict Positives - Scan Date 10/22/2018 12:01:37 Reference AlienVault	5e49c09b58823cdfcfa394827fbedd03bd4a9c7adbda75ad81aa66215ec12cd4	no verdict	-	10/22/2018 12:01:37	AlienVault
Associated SHA256 c5058174e81e870848baa9324f7131c53becc8f3aecc90e9a6821296219787c5 Threat Level no verdict Positives - Scan Date 10/21/2018 09:07:15 Reference AlienVault	c5058174e81e870848baa9324f7131c53becc8f3aecc90e9a6821296219787c5	no verdict	-	10/21/2018 09:07:15	AlienVault
Associated SHA256 502883c5f79d9a349e84af717a364f180eecad96fe39f273857b9970909f0ab9 Threat Level no verdict Positives - Scan Date 10/16/2018 05:27:55 Reference AlienVault	502883c5f79d9a349e84af717a364f180eecad96fe39f273857b9970909f0ab9	no verdict	-	10/16/2018 05:27:55	AlienVault
Associated SHA256 bf69036630dee1b725ed14b7fcceb655e484851c50d5e1ff0d04689c0c2fca3c Threat Level no verdict Positives - Scan Date 10/16/2018 03:09:36 Reference AlienVault	bf69036630dee1b725ed14b7fcceb655e484851c50d5e1ff0d04689c0c2fca3c	no verdict	-	10/16/2018 03:09:36	AlienVault

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain share.dmca.gripe Threat Level - Positives - Last Resolved 10/30/2018 11:24:01 VirusTotal Report	share.dmca.gripe	-	-	10/30/2018 11:24:01	Report
Domain publicdbhost.dmca.gripe Threat Level - Positives - Last Resolved 10/22/2018 02:20:16 VirusTotal Report	publicdbhost.dmca.gripe	-	-	10/22/2018 02:20:16	Report
Domain dmca.gripe Threat Level - Positives - Last Resolved 10/11/2018 07:52:20 VirusTotal Report	dmca.gripe	-	-	10/11/2018 07:52:20	Report
Domain www.dmca.gripe Threat Level - Positives - Last Resolved 09/05/2018 16:46:02 VirusTotal Report	www.dmca.gripe	-	-	09/05/2018 16:46:02	Report

TCP

winword.exe
PID: 2696
svchost.exe
PID: 1000

Netherlands

88.221.134.90

Associated Artifacts for 88.221.134.90

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 92ff2c3cf98ecc1f2f49189c1f761dcaefd86d62035d60952f7a194781bb7786 Threat Level suspicious Positives 1/71 Scan Date 10/03/2018 00:27:06 Reference VirusTotal	92ff2c3cf98ecc1f2f49189c1f761dcaefd86d62035d60952f7a194781bb7786	suspicious	1/71	10/03/2018 00:27:06	VirusTotal
Associated SHA256 972d07d3450269986612e07b403417bfdf7999f0261b3d476b877fa37d91fdbe Threat Level malicious Positives 2/70 Scan Date 09/28/2018 15:26:19 Reference VirusTotal	972d07d3450269986612e07b403417bfdf7999f0261b3d476b877fa37d91fdbe	malicious	2/70	09/28/2018 15:26:19	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain img-s-msn-com.akamaized.net Threat Level - Positives - Last Resolved 10/29/2018 11:03:12 VirusTotal Report	img-s-msn-com.akamaized.net	-	-	10/29/2018 11:03:12	Report
Domain static-entertainment-neu-s-msn-com.akamaized.net Threat Level - Positives - Last Resolved 10/29/2018 11:03:12 VirusTotal Report	static-entertainment-neu-s-msn-com.akamaized.net	-	-	10/29/2018 11:03:12	Report
Domain a1168.g2.akamai.net Threat Level - Positives - Last Resolved 10/28/2018 06:17:39 VirusTotal Report	a1168.g2.akamai.net	-	-	10/28/2018 06:17:39	Report
Domain a1428.dscg2.akamai.net Threat Level - Positives - Last Resolved 10/28/2018 03:45:42 VirusTotal Report	a1428.dscg2.akamai.net	-	-	10/28/2018 03:45:42	Report
Domain mstatic.dowjones.com Threat Level - Positives - Last Resolved 10/28/2018 06:17:40 VirusTotal Report	mstatic.dowjones.com	-	-	10/28/2018 06:17:40	Report

TCP

winword.exe
PID: 2696

European Union

213.248.112.154

Associated Artifacts for 213.248.112.154

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain news.naver.com Threat Level - Positives - Last Resolved 09/28/2017 00:00:00 VirusTotal Report	news.naver.com	-	-	09/28/2017 00:00:00	Report
Domain www.officialpestcontrol.com Threat Level - Positives - Last Resolved 09/28/2017 00:00:00 VirusTotal Report	www.officialpestcontrol.com	-	-	09/28/2017 00:00:00	Report
Domain www.omead.net Threat Level - Positives - Last Resolved 09/28/2017 00:00:00 VirusTotal Report	www.omead.net	-	-	09/28/2017 00:00:00	Report
Domain g-ec2.images-amazon.com Threat Level - Positives - Last Resolved 09/27/2017 00:00:00 VirusTotal Report	g-ec2.images-amazon.com	-	-	09/27/2017 00:00:00	Report
Domain www.tibia.com Threat Level - Positives - Last Resolved 09/27/2017 00:00:00 VirusTotal Report	www.tibia.com	-	-	09/27/2017 00:00:00	Report

TCP

winword.exe
PID: 2696

European Union

Contacted Countries

HTTP Traffic

Endpoint

Request

URL

Data

88.221.134.90:80 (isrg.trustid.ocsp.identrust.com)

GET

isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNq...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: isrg.trustid.ocsp.identrust.com More Details

Format

Details

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

Raw Hex

     0 : 0A 00 27 00 00 00 0A 00 27 23 06 F4 08 00 45 00 [..'.....'#....E.]
    10 : 01 1F 0F E8 40 00 80 06 11 FC C0 A8 38 15 58 DD [....@.......8.X.]
    20 : 86 5A C0 10 00 50 5D F6 A8 D1 B4 96 94 34 50 18 [.Z...P]......4P.]
    30 : 01 00 06 39 00 00 47 45 54 20 2F 4D 46 45 77 54 [...9..GET /MFEwT]
    40 : 7A 42 4E 4D 45 73 77 53 54 41 4A 42 67 55 72 44 [zBNMEswSTAJBgUrD]
    50 : 67 4D 43 47 67 55 41 42 42 52 76 39 47 68 4E 51 [gMCGgUABBRv9GhNQ]
    60 : 78 4C 53 53 47 4B 42 6E 4D 41 72 50 55 63 73 48 [xLSSGKBnMArPUcsH]
    70 : 59 6F 76 70 67 51 55 78 4B 65 78 70 48 73 73 63 [YovpgQUxKexpHssc]
    80 : 66 72 62 34 55 75 51 64 66 25 32 46 45 46 57 43 [frb4UuQdf%2FEFWC]
    90 : 46 69 52 41 43 45 41 6F 42 51 55 49 41 41 41 46 [FiRACEAoBQUIAAAF]
    A0 : 54 68 58 4E 71 43 34 58 73 70 77 67 25 33 44 20 [ThXNqC4Xspwg%3D ]
    B0 : 48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 [HTTP/1.1..Connec]
    C0 : 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 [tion: Keep-Alive]
    D0 : 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 [..Accept: */*..U]
    E0 : 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69 63 72 6F [ser-Agent: Micro]
    F0 : 73 6F 66 74 2D 43 72 79 70 74 6F 41 50 49 2F 36 [soft-CryptoAPI/6]
   100 : 2E 31 0D 0A 48 6F 73 74 3A 20 69 73 72 67 2E 74 [.1..Host: isrg.t]
   110 : 72 75 73 74 69 64 2E 6F 63 73 70 2E 69 64 65 6E [rustid.ocsp.iden]
   120 : 74 72 75 73 74 2E 63 6F 6D 0D 0A 0D 0A [trust.com....]

213.248.112.154:80 (ocsp.int-x3.letsencrypt.org)

GET

ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt...

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.int-x3.letsencrypt.org More Details

Format

Details

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org

Raw Hex

     0 : 0A 00 27 00 00 00 0A 00 27 23 06 F4 08 00 45 00 [..'.....'#....E.]
    10 : 01 25 0F F9 40 00 80 06 AA 89 C0 A8 38 15 D5 F8 [.%..@.......8...]
    20 : 70 9A C0 11 00 50 E6 B6 8E 24 5E 70 6E 40 50 18 [p....P...$^pn@P.]
    30 : 01 00 F7 52 00 00 47 45 54 20 2F 4D 46 4D 77 55 [...R..GET /MFMwU]
    40 : 54 42 50 4D 45 30 77 53 7A 41 4A 42 67 55 72 44 [TBPME0wSzAJBgUrD]
    50 : 67 4D 43 47 67 55 41 42 42 52 25 32 42 35 6D 72 [gMCGgUABBR%2B5mr]
    60 : 6E 63 70 71 7A 25 32 46 50 69 69 49 47 52 73 46 [ncpqz%2FPiiIGRsF]
    70 : 71 45 74 59 48 45 49 58 51 51 55 71 45 70 71 59 [qEtYHEIXQQUqEpqY]
    80 : 77 52 39 33 62 72 6D 30 54 6D 33 70 6B 56 6C 37 [wR93brm0Tm3pkVl7]
    90 : 25 32 46 4F 6F 37 4B 45 43 45 67 4F 74 38 64 30 [%2FOo7KECEgOt8d0]
    A0 : 53 50 49 41 68 4C 44 4D 74 34 37 36 68 51 52 64 [SPIAhLDMt476hQRd]
    B0 : 42 34 77 25 33 44 25 33 44 20 48 54 54 50 2F 31 [B4w%3D%3D HTTP/1]
    C0 : 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 [.1..Connection: ]
    D0 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41 63 63 65 [Keep-Alive..Acce]
    E0 : 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 2D 41 67 [pt: */*..User-Ag]
    F0 : 65 6E 74 3A 20 4D 69 63 72 6F 73 6F 66 74 2D 43 [ent: Microsoft-C]
   100 : 72 79 70 74 6F 41 50 49 2F 36 2E 31 0D 0A 48 6F [ryptoAPI/6.1..Ho]
   110 : 73 74 3A 20 6F 63 73 70 2E 69 6E 74 2D 78 33 2E [st: ocsp.int-x3.]
   120 : 6C 65 74 73 65 6E 63 72 79 70 74 2E 6F 72 67 0D [letsencrypt.org.]
   130 : 0A 0D 0A [...]

Extracted Strings

Download All Memory Strings (1.2KiB)

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

Ansi based on PCAP Processing (PCAP)

/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D

Ansi based on PCAP Processing (PCAP)

/n "C:\da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx"

Ansi based on Process Commandline (WINWORD.EXE)

?ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

AgentAnim

Unicode based on Runtime Data (WINWORD.EXE )

AutoConfigURL

Unicode based on Runtime Data (WINWORD.EXE )

AutoDetect

Unicode based on Runtime Data (WINWORD.EXE )

CryptSvc

Unicode based on Runtime Data (WINWORD.EXE )

DefaultConnectionSettings

Unicode based on Runtime Data (WINWORD.EXE )

EnableBHO

Unicode based on Runtime Data (WINWORD.EXE )

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: isrg.trustid.ocsp.identrust.com

Ansi based on PCAP Processing (PCAP)

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.int-x3.letsencrypt.org

Ansi based on PCAP Processing (PCAP)

IntranetName

Unicode based on Runtime Data (WINWORD.EXE )

isrg.trustid.ocsp.identrust.com

Ansi based on PCAP Processing (PCAP)

LanguageList

Unicode based on Runtime Data (WINWORD.EXE )

LastScavenge

Unicode based on Runtime Data (WINWORD.EXE )

LastScavenge_TIMESTAMP

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Word

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft-CryptoAPI/6.1

Ansi based on PCAP Processing (PCAP)

MSOBALLOON

Unicode based on Runtime Data (WINWORD.EXE )

MsoHelp10

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

NextUpdate

Unicode based on Runtime Data (WINWORD.EXE )

ocsp.int-x3.letsencrypt.org

Ansi based on PCAP Processing (PCAP)

ProductFiles

Unicode based on Runtime Data (WINWORD.EXE )

ProxyBypass

Unicode based on Runtime Data (WINWORD.EXE )

ProxyEnable

Unicode based on Runtime Data (WINWORD.EXE )

ProxyOverride

Unicode based on Runtime Data (WINWORD.EXE )

ProxyServer

Unicode based on Runtime Data (WINWORD.EXE )

SavedLegacySettings

Unicode based on Runtime Data (WINWORD.EXE )

UNCAsIntranet

Unicode based on Runtime Data (WINWORD.EXE )

Webclient

Unicode based on Runtime Data (WINWORD.EXE )

WinHttpAutoProxySvc

Unicode based on Runtime Data (WINWORD.EXE )

WORDFiles

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecision

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecisionReason

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecisionTime

Unicode based on Runtime Data (WINWORD.EXE )

WpadLastNetwork

Unicode based on Runtime Data (WINWORD.EXE )

WpadNetworkName

Unicode based on Runtime Data (WINWORD.EXE )

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (WINWORD.EXE )

{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF

Unicode based on Runtime Data (WINWORD.EXE )

/n "C:\da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx"

Ansi based on Process Commandline (WINWORD.EXE)

DefaultConnectionSettings

Unicode based on Runtime Data (WINWORD.EXE )

isrg.trustid.ocsp.identrust.com

Ansi based on PCAP Processing (PCAP)

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

ocsp.int-x3.letsencrypt.org

Ansi based on PCAP Processing (PCAP)

WinHttpAutoProxySvc

Unicode based on Runtime Data (WINWORD.EXE )

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (WINWORD.EXE )

{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF

Unicode based on Runtime Data (WINWORD.EXE )

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

Ansi based on PCAP Processing (PCAP)

/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D

Ansi based on PCAP Processing (PCAP)

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: isrg.trustid.ocsp.identrust.com

Ansi based on PCAP Processing (PCAP)

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOt8d0SPIAhLDMt476hQRdB4w%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.int-x3.letsencrypt.org

Ansi based on PCAP Processing (PCAP)

isrg.trustid.ocsp.identrust.com

Ansi based on PCAP Processing (PCAP)

Microsoft-CryptoAPI/6.1

Ansi based on PCAP Processing (PCAP)

ocsp.int-x3.letsencrypt.org

Ansi based on PCAP Processing (PCAP)

/n "C:\da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx"

Ansi based on Process Commandline (WINWORD.EXE)

?ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

AgentAnim

Unicode based on Runtime Data (WINWORD.EXE )

AutoConfigURL

Unicode based on Runtime Data (WINWORD.EXE )

AutoDetect

Unicode based on Runtime Data (WINWORD.EXE )

CryptSvc

Unicode based on Runtime Data (WINWORD.EXE )

DefaultConnectionSettings

Unicode based on Runtime Data (WINWORD.EXE )

EnableBHO

Unicode based on Runtime Data (WINWORD.EXE )

IntranetName

Unicode based on Runtime Data (WINWORD.EXE )

LanguageList

Unicode based on Runtime Data (WINWORD.EXE )

LastScavenge

Unicode based on Runtime Data (WINWORD.EXE )

LastScavenge_TIMESTAMP

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Word

Unicode based on Runtime Data (WINWORD.EXE )

MSOBALLOON

Unicode based on Runtime Data (WINWORD.EXE )

MsoHelp10

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

NextUpdate

Unicode based on Runtime Data (WINWORD.EXE )

ProductFiles

Unicode based on Runtime Data (WINWORD.EXE )

ProxyBypass

Unicode based on Runtime Data (WINWORD.EXE )

ProxyEnable

Unicode based on Runtime Data (WINWORD.EXE )

ProxyOverride

Unicode based on Runtime Data (WINWORD.EXE )

ProxyServer

Unicode based on Runtime Data (WINWORD.EXE )

SavedLegacySettings

Unicode based on Runtime Data (WINWORD.EXE )

UNCAsIntranet

Unicode based on Runtime Data (WINWORD.EXE )

Webclient

Unicode based on Runtime Data (WINWORD.EXE )

WinHttpAutoProxySvc

Unicode based on Runtime Data (WINWORD.EXE )

WORDFiles

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecision

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecisionReason

Unicode based on Runtime Data (WINWORD.EXE )

WpadDecisionTime

Unicode based on Runtime Data (WINWORD.EXE )

WpadLastNetwork

Unicode based on Runtime Data (WINWORD.EXE )

WpadNetworkName

Unicode based on Runtime Data (WINWORD.EXE )

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (WINWORD.EXE )

{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF

Unicode based on Runtime Data (WINWORD.EXE )

Extracted Files

Displaying 18 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.

Informative Selection 2
- SOJu0Ii4LXvV1w1v[1].doc
  
  Download Disabled Hash Seen Before
  
  Size
  52KiB (53743 bytes)
  
  Type
  rtf
  
  Description
  Rich Text Format data, unknown version
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  e12c4f1a219c8b3d83f3de265b947cf1
  
  SHA1
  
  d1ef8ee6e9a240288f80404cc0ae506f9ef48c6b
  
  SHA256
  
  60dfa243d65b00ed50be699e97121e52c096cb23178c88a022158634ecc2a1e9
- 15D13691.doc
  
  Download Disabled Hash Seen Before
  
  Size
  52KiB (53743 bytes)
  
  Type
  rtf
  
  Description
  Rich Text Format data, unknown version
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  e12c4f1a219c8b3d83f3de265b947cf1
  
  SHA1
  
  d1ef8ee6e9a240288f80404cc0ae506f9ef48c6b
  
  SHA256
  
  60dfa243d65b00ed50be699e97121e52c096cb23178c88a022158634ecc2a1e9

Informative 16
- FSD-{4C875C34-8500-494B-ADD5-87E4B98316BF}.FSD
  
  Download Disabled Hash Seen Before
  
  Size
  128KiB (131072 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  7d7b87a1be4e5c6a3b1625ab217eec94
  
  SHA1
  
  8e48bad5e4c154574a5a443b9fba62c0619c27c4
  
  SHA256
  
  3a7bbb4f80a6b4c62a8c2d0587c98599734e4fb3ed86cd4875d1027dbe514b17
- FSF-CTBL.FSF
  
  Download Disabled Hash Seen Before
  
  Size
  114B (114 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  426e673ac9962ec65e4b5be5ac026e29
  
  SHA1
  
  91c988ed28d02430062d0fd61d04238e283d0ba5
  
  SHA256
  
  a275d70274926ed93c6a630abb0f1ec5c0166fab27048f780fcd1377a9156695
- FSD-CNRY.FSD
  
  Download Disabled Hash Seen Before
  
  Size
  128KiB (131072 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  4a167ad90ec2f3462a6c0f1240ec63a3
  
  SHA1
  
  2f25b6614c39a31fdf2662f58f06c57ad65d2422
  
  SHA256
  
  40f09666b1c802aedf624e3e64fb7a4a1f0ac7dcbc841833a5250515268f2e42
- FSD-{35682E8B-521D-46B6-95BB-40C92C103714}.FSD
  
  Download Disabled Hash Seen Before
  
  Size
  128KiB (131072 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  2568f8629380f666294736ac8bb96e2c
  
  SHA1
  
  a9c59be8d78ee716193b4c2880338f7f60a8a8a5
  
  SHA256
  
  348757f032c2df2d5a650c78d5f3a1c19e90c93623b0b410543d46a40e6e2f2d
- FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
  
  Download Disabled Hash Seen Before
  
  Size
  114B (114 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  2c66946a1309d9d531d893222502fdbe
  
  SHA1
  
  83f62aeb3a35ca580888a7e7e2ff9038fd0dd421
  
  SHA256
  
  08c2b2485e4e5b3482d91d415783e07c9b86bc4e43dcc7d5aa1007d4baf724b1
- 7027334B.doc
  
  Download Disabled Hash Seen Before
  
  Size
  52KiB (53743 bytes)
  
  Type
  rtf
  
  Description
  Rich Text Format data, unknown version
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  e12c4f1a219c8b3d83f3de265b947cf1
  
  SHA1
  
  d1ef8ee6e9a240288f80404cc0ae506f9ef48c6b
  
  SHA256
  
  60dfa243d65b00ed50be699e97121e52c096cb23178c88a022158634ecc2a1e9
- ~WRS{5F6AA436-F904-48FC-AAC7-41E934E83686}.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  1KiB (1024 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  5d4d94ee7e06bbb0af9584119797b23a
  
  SHA1
  
  dbb111419c704f116efa8e72471dd83e86e49677
  
  SHA256
  
  4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- ~WRS{C539E2A1-5DB3-42F1-864F-262C23ACB74F}.tmp
  
  Download Disabled Hash Seen Before
  
  Size
  1.5KiB (1536 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  a2402c11231a93015aaca7e01079f1f4
  
  SHA1
  
  b7d66f273810174c698439ab1a0e34093af8f551
  
  SHA256
  
  0515166ace18b8a22bda94c2cedb7cd053a47dc2e61b672fdc230b76cdcabcbe
- 94308059B57B3142E455B38A6EB92015
  
  Download Disabled Hash Seen Before
  
  Size
  342B (342 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  91e6358f5da79c22a554fe300173c889
  
  SHA1
  
  f55407d7e8772519829ee818452b8ebf205a134b
  
  SHA256
  
  e8a8a5567676a99b8db72dce5d397854e0cc66e1c2464bfdf127976e96c52ffb
- C8478F237A4D820605B0B79C2D707CE3
  
  Download Disabled Hash Seen Before
  
  Size
  574B (574 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  8755a9f42f594cb3a156ca5a28790f36
  
  SHA1
  
  ebefe8fcd81ea8a1958456e31761c2f5784b44fa
  
  SHA256
  
  2847ee4b1587e9d3b37b7d73c7b7887f14cbee38148c465fbddd181bbc76a344
- E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  
  Download Disabled Hash Seen Before
  
  Size
  514B (514 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  8b838a4baf26b05d2e43b1f0a567b42a
  
  SHA1
  
  ba7eedc8fab21aa65dd43748ddbebf758d457f86
  
  SHA256
  
  b48235d2add3ac7c81a0f28a0e0abcbaa044e39d2d03a72e29a915e53421583b
- Cab1893.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  54KiB (55153 bytes)
  
  Type
  data
  
  Description
  Microsoft Cabinet archive data, 55153 bytes, 1 file
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  c80707feaa56b9f5f9f299a70a89a675
  
  SHA1
  
  2dd4aa8eb8e0ad265afa6fdef00fcc1625ca959c
  
  SHA256
  
  8573c2b9348fd9364d6df901d44c5bd80e33278d4d4ad705d22c9757fa2b52b3
- Tar189E.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  130KiB (133284 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  cd81f6a51aec72583e68bf8219904438
  
  SHA1
  
  724924a6c906d3953e7b92bd5cc12dae27c772e3
  
  SHA256
  
  540cb7459d0fd892b5c540f293e04aa3a049e65c0fb17f3b2e6245b37530c1d0
- {82C5607B-3A44-4F06-9E54-A46E1F1570BD}
  
  Download Disabled Hash Seen Before
  
  Size
  128KiB (131072 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  33893632af9cc1cf664034f629127669
  
  SHA1
  
  fae2cd2ee1acac3d014bac0d3b665bf1bcdb223a
  
  SHA256
  
  6b4241f5cc767d84abe89868b24d855e0f41466601ee504e21ffcb3d8ee1c1b5
- {9E2490E3-1781-4681-B0C5-D364EF04BFEE}
  
  Download Disabled Hash Seen Before
  
  Size
  128KiB (131072 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  10560f094ed72cf421507450909f39a0
  
  SHA1
  
  0e26ca0a48c49521e2e6840328e6aa350fe5dcf9
  
  SHA256
  
  a54006563b60763ce99f3a12a3e4394902df07e6dca6a0ad76782e5ec2cd16af
- ~$117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx
  
  Download Disabled Hash Seen Before
  
  Size
  162B (162 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 2696)
  
  MD5
  
  25ec73a5cf04fd7bc016d658b6779976
  
  SHA1
  
  6ec85faa9d3154b2ccf1ef5195a76e5f73743045
  
  SHA256
  
  99117eb191294305ac3655aff5bfbfe08b992c5074235accfe6d10b3edbdf7a5

da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx

Incident Response

Risk Assessment

MITRE ATT&CK™ Techniques Detection

Indicators

Malicious Indicators 6

Suspicious Indicators 7

Informative 10

File Details

da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c.docx

Resources

Visualization

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Details for GET to 88.221.134.90:80 (isrg.trustid.ocsp.identrust.com)

Details for GET to 213.248.112.154:80 (ocsp.int-x3.letsencrypt.org)

Extracted Strings

Extracted Files

Informative Selection 2

SOJu0Ii4LXvV1w1v[1].doc

15D13691.doc

Informative 16

FSD-{4C875C34-8500-494B-ADD5-87E4B98316BF}.FSD

FSF-CTBL.FSF

FSD-CNRY.FSD

Notifications

Runtime

Community

Vetting required

Request Report Deletion

Link