ID: 295064
Sample Name: 08_10_2020_Bel49.docx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 13:06:51
Date: 08/10/2020
Version: 30.0.0 Red Diamond
Table of Contents

Analysis Report 08_10_2020_Bel49.docx
  Overview
    General Information
    Detection
    Signatures
    Classification
  Startup
  Malware Configuration
  Yara Overview
  Sigma Overview
  Signature Overview
    AV Detection
    System Summary
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted IPs
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Dropped Files
    Created / dropped Files
  Static File Info
    General
    File Icon
  Static OLE Info
    General
    OLE File "/opt/package/joesandbox/database/analysis/295064/sample/08_10_2020_Bel49.docx"
      Indicators
      Summary
      Document Summary
      Streams
        Stream Path: \x1CompObj, File Type: data, Stream Size: 76
          General
        Stream Path: \x1Ole10Native, File Type: data, Stream Size: 303516
          General
        Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6
          General
  Network Behavior
  Code Manipulations
  Statistics
  System Behavior
    Analysis Process: WINWORD.EXE PID: 1776 Parent PID: 584
      General
      File Activities
      Registry Activities
  Disassembly

Copyright null 2020 Page 2 of 13
Analysis Report 08_10_2020_Bel49.docx
Overview
General Information
Sample Name:
08_10_2020_Bel49.docx
Analysis ID: 295064
MD5: 23a8fdf86ae2c40…
SHA1: 9f03e8f27806708…
SHA256: 906ff4ae9850e36…
Most interesting Screenshot: (none)
Errors: Corrupt sample or wrongly selected analyzer.
Detection
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Document contains OLE streams which likely are hidden ActiveX objects
Multi AV Scanner detection for submitted file
Contains capabilities to detect virtual machines
Document contains no OLE stream with summary information
Document has an unknown application name
Classification
(Classification radar chart; image not reproduced. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.)

Startup
System is w7x64
WINWORD.EXE (PID: 1776 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
• AV Detection
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

AV Detection:
Multi AV Scanner detection for submitted file

System Summary:
Document contains OLE streams which likely are hidden ActiveX objects
Mitre Att&ck Matrix
(Techniques carrying a trailing count, e.g. "Masquerading 1", are the ones this analysis matched; the remaining cells are the matrix's standard fillers.)
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Obfuscated Files or Information 1; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 1; File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Ingress Tool Transfer 1; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Behavior Graph
Behavior Graph ID: 295064
Sample: 08_10_2020_Bel49.docx
Startdate: 08/10/2020
Architecture: WINDOWS
Score: 56
Signature nodes:
  Document contains OLE streams which likely are hidden ActiveX objects
  Multi AV Scanner detection for submitted file
Process nodes:
  WINWORD.EXE (started)  286  10
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
08_10_2020_Bel49.docx | 31% | Virustotal |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches
General Information
Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 295064
Start date: 08.10.2020
Start time: 13:06:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 08_10_2020_Bel49.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winDOCX@1/3@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .docx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Errors: Corrupt sample or wrongly selected analyzer.

Simulations
Behavior and APIs
No simulations

Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Dropped Files
Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A04A79B5-D643-47FF-B622-0CF30ED55516}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ................ (1024 non-printable bytes, rendered as dots in the report)

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
MD5: 39EB3053A717C25AF84D576F6B2EBDD2
SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious: false
Reputation: moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Desktop\~$_10_2020_Bel49.docx
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
MD5: 39EB3053A717C25AF84D576F6B2EBDD2
SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious: false
Reputation: moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
(identical content and hashes to ~$Normal.dotm above)

Static File Info
General
File type: Microsoft Word 2007+
Entropy (8bit): 7.991427649279081
TrID: Word Microsoft Office Open XML Format document (49504/1) 49.01%; Word Microsoft Office Open XML Format document (43504/1) 43.07%; ZIP compressed archive (8000/1) 7.92%
File name: 08_10_2020_Bel49.docx
File size: 322156
MD5: 23a8fdf86ae2c402460c64e5ea632c33
SHA1: 9f03e8f27806708635bc0ae20824efe125295afd
SHA256: 906ff4ae9850e360ea88830742753889fe00d8b224edca8d4f693f403df7832a
SHA512: eceb0504bdc7b244751c4b1a089a10474cc2aead76f1640503badbb87c7e16edb02001d468143c37a076e36f4ea85cac5bc1609216704f5c93661b6a0435a3cd
SSDEEP: 6144:JiSueL83yolkmfyNp8e9eYsfD4qLFn+jATW/fVNA+3Bl9hfuuhwX:QNJ3kmfyIebLa+j4W/TvBlLfFhm
File Content Preview: PK..........!....D....T.......[Content_Types].xml ...(...

File Icon
Icon Hash: e4e6a2a2a4b4b4a4
Static OLE Info
General
Document Type: OpenXML
Number of OLE Files: 1

OLE File "/opt/package/joesandbox/database/analysis/295064/sample/08_10_2020_Bel49.docx"

Indicators
Has Summary Info: False
Application Name: unknown
Encrypted Document: False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Summary
Title:
Subject:
Author: TESTER
Keywords:
Template: Normal.dotm
Last Saved By: TESTER
Revision Number: 1
Total Edit Time: 0
Create Time: 2020-10-06T08:02:00Z
Last Saved Time: 2020-10-06T08:02:00Z
Number of Pages: 1
Number of Words: 3
Number of Characters: 20
Creating Application: Microsoft Office Word
Security: 0

Document Summary
Number of Lines: 1
Number of Paragraphs: 1
Thumbnail Scaling Desired: false
Company: TESTER
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 14.0000
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 76
Entropy: 3.09344952647
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: \x1Ole10Native
File Type: data
Stream Size: 303516
Entropy: 7.99525594514
Base64 Encoded: True
Data ASCII: . . . . . . 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . C : \\ U s e r s \\ T e s t e r \\ D e s k t o p \\ 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . . . . . Z . . . C : \\ U s e r s \\ T E S T E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ 9 4 4 7 5 6 4 9 5 7 4 8 6 5 7 9 6 6 4 4 9 3 8 2 8 3 6 8 6 6 4 8 7 2 9 1 2 1 3 7 7 1 1 3 8 4 3 9 4 5 . j a r . . . . . P K . . . . . . . . . N F Q
Data Raw: 98 a1 04 00 02 00 39 34 34 37 35 36 34 39 35 37 34 38 36 35 37 39 36 36 34 34 39 33 38 32 38 33 36 38 36 36 34 38 37 32 39 31 32 31 33 37 37 31 31 33 38 34 33 39 34 35 2e 6a 61 72 00 43 3a 5c 55 73 65 72 73 5c 54 65 73 74 65 72 5c 44 65 73 6b 74 6f 70 5c 39 34 34 37 35 36 34 39 35 37 34 38 36 35 37 39 36 36 34 34 39 33 38 32 38 33 36 38 36 36 34 38 37 32 39 31 32 31 33 37 37 31 31
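The \x1CompObj stream above names the object "OLE Package" / "Package", and the 16 bytes following its 12-byte header decode to the CLSID 0003000C-0000-0000-C000-000000000046, the OLE Packager class, so the embedded object is a packaged file rather than an ActiveX control; the \x1Ole10Native stream is the Packager container. Its Data Raw dump already shows the container layout: a size dword 98 a1 04 00 (303512, the stream length minus 4), flags 02 00, the NUL-terminated label 9447...3945.jar, the NUL-terminated path it was packaged from under C:\Users\Tester\Desktop, a dword, a temp-path length dword 5a 00 00 00 (90, NUL included), the temp path under C:\Users\TESTER\AppData\Local\Temp where Packager writes the file when a user double-clicks the object and accepts the prompt, and finally the payload, which begins with "PK", the ZIP signature of a JAR. No VBA macros are present, so nothing runs when the document is merely opened, and the sandbox never activated the object (stop reason Timeout, error "Corrupt sample or wrongly selected analyzer", no network behavior), which is why the score of 56 rests on static indicators alone. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses that layout and extracts the packaged file for triage without activating it. The stream it runs on is constructed inline to mirror the report's strings (the real 303516-byte stream is not reproduced here, so the embedded JAR is a stand-in); on a real .docx you would unzip it, read word/embeddings/oleObject1.bin (that member name is an assumption), open it with olefile and pass the bytes of its "\x01Ole10Native" stream to parse_ole10native().

```python
import io
import struct
import zipfile

# Added example; not code from the Joe Sandbox report or from Joe Security.
# Parses the \x01Ole10Native (OLE Packager) stream layout seen in the report's
# Data Raw dump and extracts the embedded file without activating it.
# The input used below is constructed here to mirror the report's strings;
# the real 303516-byte stream is not reproduced.

OLE10NATIVE_STREAM = "\x01Ole10Native"


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated ANSI string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse a Packager-format Ole10Native stream into its fields.

    Layout (little-endian), matched against the report's hex:
      u32  size            stream length - 4              (98 a1 04 00 -> 303512)
      u16  flags                                          (02 00)
      cstr label           file name shown to the user    (9447...3945.jar)
      cstr original path   where it was packaged from     (C:\\Users\\Tester\\Desktop\\...)
      u32  unknown / flags
      u32  temp path length, NUL included                 (5a 00 00 00 -> 90)
      cstr temp path       drop location on activation    (C:\\Users\\TESTER\\AppData\\Local\\Temp\\...)
      u32  payload length
      byte payload[]       the embedded file              (starts "PK": a ZIP, here a JAR)
    """
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    size, flags = struct.unpack_from("<IH", stream, 0)
    if size != len(stream) - 4:
        raise ValueError(f"size field {size} disagrees with stream length {len(stream)}")
    pos = 6
    label, pos = _cstring(stream, pos)
    orig_path, pos = _cstring(stream, pos)
    pos += 4                                   # unknown / flags dword
    (temp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if pos + temp_len + 4 > len(stream):
        raise ValueError("temp path length runs past the end of the stream")
    temp_path = stream[pos:pos + temp_len].split(b"\x00", 1)[0].decode("latin-1")
    pos += temp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if pos + data_len > len(stream):
        raise ValueError("payload length runs past the end of the stream")
    payload = stream[pos:pos + data_len]
    return {
        "flags": flags,
        "label": label,
        "original_path": orig_path,
        "temp_path": temp_path,
        "payload": payload,
        "payload_type": classify_payload(payload),
    }


def classify_payload(data: bytes) -> str:
    """Magic-number triage of the extracted object; "jar" requires a manifest entry."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    if data[:2] == b"PK":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
    return "unknown"


def build_ole10native(label: str, orig_path: str, temp_path: str, payload: bytes) -> bytes:
    """Serialise the layout above; used only to construct the sample input."""
    temp_bytes = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2)
            + label.encode("latin-1") + b"\x00"
            + orig_path.encode("latin-1") + b"\x00"
            + b"\x00\x00\x03\x00"                      # unknown / flags dword, as in the dump
            + struct.pack("<I", len(temp_bytes)) + temp_bytes
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def constructed_sample() -> bytes:
    """Constructed input: a tiny stand-in JAR wrapped as Ole10Native with the report's file names."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        z.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)   # stand-in class bytes
    name = "94475649574865796644938283686648729121377113843945.jar"
    return build_ole10native(
        name,
        "C:\\Users\\Tester\\Desktop\\" + name,
        "C:\\Users\\TESTER\\AppData\\Local\\Temp\\" + name,
        zbuf.getvalue(),
    )


if __name__ == "__main__":
    info = parse_ole10native(constructed_sample())
    for key, value in info.items():
        if key != "payload":
            print(f"{key:14} {value}")
    print(f"{'payload':14} {len(info['payload'])} bytes")
```

The size check against the stream length and the bounds checks are what catch a truncated or hand-edited container before the payload is written out; the temp path recovered from the real stream is 89 characters plus NUL, which is exactly the 0x5a the dump shows. Hand the extracted payload, not the .docx, to your JAR-capable tooling, and treat the temp path as the file-creation indicator to hunt for on endpoints.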
General
Stream Path: \x3ObjInfo
File Type: data
Stream Size: 6
Entropy: 1.79248125036
Base64 Encoded: False
Data ASCII: @ . . . . .
Data Raw: 40 00 03 00 01 00

Streams
Stream Path: \x1CompObj, File Type: data, Stream Size: 76
Stream Path: \x1Ole10Native, File Type: data, Stream Size: 303516
Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

Network Behavior
No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 1776 Parent PID: 584
General
Start time: 13:07:32
Start date: 08/10/2020
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f570000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities
(column headings only; the report lists no rows)
File Path | Access | Attributes | Options | Completion | Count | Source | Address | Symbol
File Path | Completion | Count | Source | Address | Symbol
Old File Path | New File Path | Completion | Count | Source | Address | Symbol
File Path | Offset | Length | Value | Ascii | Completion | Count | Source | Address | Symbol
File Path | Offset | Length | Completion | Count | Source | Address | Symbol

Registry Activities
(column headings only; the report lists no rows)
Key Path | Completion | Count | Source | Address | Symbol
Key Path | Name | Type | Data | Completion | Count | Source | Address | Symbol