Analysis Report 08_10_2020_Bel49.docx - Joe Sandbox

ID: 295064 Sample Name: 08_10_2020_Bel49.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 13:06:51 Date: 08/10/2020 Version: 30.0.0 Red Diamond

Table of Contents

Analysis Report 08_10_2020_Bel49.docx

• Overview
  • General Information
  • Detection
  • Signatures
  • Classification
• Startup
• Malware Configuration
• Yara Overview
• Sigma Overview
• Signature Overview
  • AV Detection
  • System Summary
• Mitre Att&ck Matrix
• Behavior Graph
• Screenshots
  • Thumbnails
• Antivirus, Machine Learning and Genetic Malware Detection
  • Initial Sample
  • Dropped Files
  • Unpacked PE Files
  • Domains
  • URLs
• Domains and IPs
  • Contacted Domains
  • Contacted IPs
• General Information
• Simulations
  • Behavior and APIs
• Joe Sandbox View / Context
  • IPs
  • Domains
  • ASN
  • JA3 Fingerprints
  • Dropped Files
• Dropped Files
  • Created / dropped Files
• Static File Info
  • General
  • File Icon
• Static OLE Info
  • General
  • OLE File "/opt/package/joesandbox/database/analysis/295064/sample/08_10_2020_Bel49.docx"
    • Indicators
    • Summary
    • Document Summary
    • Streams
      • Stream Path: \x1CompObj, File Type: data, Stream Size: 76 (General)
      • Stream Path: \x1Ole10Native, File Type: data, Stream Size: 303516 (General)
      • Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6 (General)
• Network Behavior
• Code Manipulations
• Statistics
• System Behavior
  • Analysis Process: WINWORD.EXE PID: 1776 Parent PID: 584
    • General
    • File Activities
    • Registry Activities
• Disassembly

Copyright null 2020 Page 2 of 13

Copyright null 2020 Page 3 of 13

Analysis Report 08_10_2020_Bel49.docx

Overview

General Information

Sample Name:

08_10_2020_Bel49.docx

Analysis ID: 295064

MD5: 23a8fdf86ae2c40…

SHA1: 9f03e8f27806708…

SHA256: 906ff4ae9850e36…

Most interesting Screenshot:

Errors: Corrupt sample or wrongly selected analyzer.

Detection

Score: 56

Range: 0 - 100

Whitelisted: false

Confidence: 100%

Signatures

• Document contains OLE streams which likely are hidden ActiveX objects
• Multi AV Scanner detection for submitted file
• Contains capabilities to detect virtua…
• Document contains no OLE stream…
• Document has an unknown applicati…

Classification

(Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Startup

System is w7x64

WINWORD.EXE (PID: 1776 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cleanup

Signature Overview


• AV Detection

• Networking

• System Summary

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion


AV Detection:

Multi AV Scanner detection for submitted file

System Summary:

Document contains OLE streams which likely are hidden ActiveX objects

Mitre Att&ck Matrix

The matrix lists four techniques per tactic column; a trailing "1" marks a technique with one matching signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts

Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)

Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)

Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)

Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Obfuscated Files or Information 1; Binary Padding

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS

Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 1; File and Directory Discovery 1; System Information Discovery 1

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer

Command and Control: Ingress Tool Transfer 1; Junk Data; Steganography; Protocol Impersonation

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; SIM Card Swap

Behavior Graph

Behavior Graph ID: 295064

Sample: 08_10_2020_Bel49.docx

Startdate: 08/10/2020

Architecture: WINDOWS

Score: 56

Signatures shown in the graph:

• Document contains OLE streams which likely are hidden ActiveX objects
• Multi AV Scanner detection for submitted file

Process node: WINWORD.EXE, started, annotated 286 and 10 (the legend labels these counters as the number of created registry values and the number of created files).

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
08_10_2020_Bel49.docx | 31% | Virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches


General Information

Joe Sandbox Version: 30.0.0 Red Diamond

Analysis ID: 295064

Start date: 08.10.2020

Start time: 13:06:51

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 3m 43s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: 08_10_2020_Bel49.docx

Cookbook file name: defaultwindowsofficecookbook.jbs

Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Number of new started processes analysed: 2

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: EGA enabled; HDC enabled; AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal56.winDOCX@1/3@0/0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .docx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Warnings:

Errors: Corrupt sample or wrongly selected analyzer.

Exclude process from analysis (whitelisted): dllhost.exe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Simulations

Behavior and APIs

No simulations


Joe Sandbox View / Context

IPs: No context

Domains: No context

ASN: No context

JA3 Fingerprints: No context

Dropped Files: No context

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A04A79B5-D643-47FF-B622-0CF30ED55516}.tmp

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File Type: data

Size (bytes): 1024

Entropy (8bit): 0.05390218305374581

Encrypted: false

MD5: 5D4D94EE7E06BBB0AF9584119797B23A

SHA1: DBB111419C704F116EFA8E72471DD83E86E49677

SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4

Malicious: false

Reputation: high, very likely benign file

Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File Type: data

Size (bytes): 162

Entropy (8bit): 2.431160061181642

Encrypted: false

MD5: 39EB3053A717C25AF84D576F6B2EBDD2

SHA1: F6157079187E865C1BAADCC2014EF58440D449CA

SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C

Malicious: false

Reputation: moderate, very likely benign file

Preview:.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Desktop\~$_10_2020_Bel49.docx

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File Type: data

Size (bytes): 162

Entropy (8bit): 2.431160061181642

Encrypted: false

MD5: 39EB3053A717C25AF84D576F6B2EBDD2

SHA1: F6157079187E865C1BAADCC2014EF58440D449CA

SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C

Malicious: false

Reputation: moderate, very likely benign file

Preview:.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

Static File Info

General

File type: Microsoft Word 2007+

Entropy (8bit): 7.991427649279081

TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%

File name: 08_10_2020_Bel49.docx

File size: 322156

MD5: 23a8fdf86ae2c402460c64e5ea632c33

SHA1: 9f03e8f27806708635bc0ae20824efe125295afd

SHA256: 906ff4ae9850e360ea88830742753889fe00d8b224edca8d4f693f403df7832a

SHA512: eceb0504bdc7b244751c4b1a089a10474cc2aead76f1640503badbb87c7e16edb02001d468143c37a076e36f4ea85cac5bc1609216704f5c93661b6a0435a3cd

SSDEEP: 6144:JiSueL83yolkmfyNp8e9eYsfD4qLFn+jATW/fVNA+3Bl9hfuuhwX:QNJ3kmfyIebLa+j4W/TvBlLfFhm

File Content Preview: PK..........!....D....T.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: e4e6a2a2a4b4b4a4

Static OLE Info

OLE File "/opt/package/joesandbox/database/analysis/295064/sample/08_10_2020_Bel49.docx"

General

Document Type: OpenXML

Number of OLE Files: 1

Indicators

Has Summary Info: False

Application Name: unknown

Encrypted Document: False

Contains Word Document Stream:

Contains Workbook/Book Stream:

Contains PowerPoint Document Stream:

Contains Visio Document Stream:

Contains ObjectPool Stream:

Flash Objects Count:

Contains VBA Macros: False

Summary

Title:

Subject:

Author: TESTER

Keywords:

Template: Normal.dotm

Last Saved By: TESTER

Revision Number: 1

Total Edit Time: 0

Create Time: 2020-10-06T08:02:00Z

Last Saved Time: 2020-10-06T08:02:00Z

Number of Pages: 1

Number of Words: 3

Number of Characters: 20

Creating Application: Microsoft Office Word

Security: 0

Document Summary

Number of Lines: 1

Number of Paragraphs: 1

Thumbnail Scaling Desired: false

Company: TESTER

Contains Dirty Links: false

Shared Document: false

Changed Hyperlinks: false

Application Version: 14.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 303516

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General

Stream Path: \x1CompObj

File Type: data

Stream Size: 76

Entropy: 3.09344952647

Base64 Encoded: False

Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .

Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General

Stream Path: \x1Ole10Native

File Type: data

Stream Size: 303516

Entropy: 7.99525594514

Base64 Encoded: True

Data ASCII: . . . . . . 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . C : \\ U s e r s \\ T e s t e r \\ D e s k t o p \\ 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . . . . . Z . . . C : \\ U s e r s \\ T E S T E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . . . . . P K . . . . . . . . . N F Q

Data Raw: 98 a1 04 00 02 00 39 34 34 37 35 36 34 39 35 37 34 38 36 35 37 39 36 36 34 34 39 33 38 32 38 33 36 38 36 36 34 38 37 32 39 31 32 31 33 37 37 31 31 33 38 34 33 39 34 35 2e 6a 61 72 00 43 3a 5c 55 73 65 72 73 5c 54 65 73 74 65 72 5c 44 65 73 6b 74 6f 70 5c 39 34 34 37 35 36 34 39 35 37 34 38 36 35 37 39 36 36 34 34 39 33 38 32 38 33 36 38 36 36 34 38 37 32 39 31 32 31 33 37 37 31 31

General

Stream Path: \x3ObjInfo

File Type: data

Stream Size: 6

Entropy: 1.79248125036

Base64 Encoded: False

Data ASCII: @ . . . . .

Data Raw: 40 00 03 00 01 00

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 1776 Parent PID: 584

General

Start time: 13:07:32

Start date: 08/10/2020

Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Wow64 process (32bit): false

Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding

Imagebase: 0x13f570000

File size: 1424032 bytes

MD5 hash: 95C38D04597050285A18F66039EDB456

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Activities

File Path | Access | Attributes | Options | Completion | Count | Source | Address | Symbol

File Path | Completion | Count | Source | Address | Symbol

Old File Path | New File Path | Completion | Count | Source | Address | Symbol

File Path | Offset | Length | Value | Ascii | Completion | Count | Source | Address | Symbol

File Path | Offset | Length | Completion | Count | Source | Address | Symbol

Registry Activities

Key Path | Completion | Count | Source | Address | Symbol

Key Path | Name | Type | Data | Completion | Count | Source | Address | Symbol

Key Path | Name | Type | Old Data | New Data | Completion | Count | Source | Address | Symbol

Disassembly