infected.docx
This report is generated from a file or URL submitted to this webservice on April 15th 2016 07:10:29 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.41 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed.

Suspicious Indicators (1)

Unusual Characteristics

Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "E92319E0F1" to virtual address "0x76053D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  - "WINWORD.EXE" wrote bytes "EF1EE12E" to virtual address "0x2F861634" (part of module "WINWORD.EXE")
- source: Hook Detection
- relevance: 10/10

Informative (4)

General

Creates mutants
- details:
  - "KYIMEShareCachedData.MutexObject.PSPUBWS"
  - "KYTransactionServer.MutexObject.PSPUBWS"
  - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "Local\ZonesCounterMutex"
  - "Local\ZoneAttributeCacheCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10

Loads rich edit control libraries
- details:
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 669D0000
- source: Loaded Module

Installation/Persistence

Dropped files
- details:
  - "~WRS{0D8DF3D1-40A8-4CD2-8251-3A01635429E0}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
  - "opa12.dat" has type "data"
  - "34908FCA.doc" has type "Microsoft Word 2007+"
  - "infected.docx.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Fri Apr 15 19:10:01 2016, mtime=Fri Apr 15 19:11:53 2016, atime=Fri Apr 15 19:10:01 2016, length=539156, window=hide"
  - "index.dat" has type "data"
  - "~WRS{F3AE5CF6-9137-430F-B5A5-BEB5DDC02BA9}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218115840, 1st used item "\375""
  - "~WRD0000.tmp" has type "data"
  - "Word12.pip" has type "data"
- source: Binary File
- relevance: 3/10

Network Related

Found potential URL in binary/memory
- details:
  - Pattern match: "0ZSzr1V.IsCa/.4t0pk7:=w"
  - Heuristic match: "lsK'Ds<5f_ba;eZ)W@l<43R[(z!n/]tMH1V {FXHx;of!v2\wk'aihTP.-15s+-;Q\D;NDt,+6pR.~y~J|h9(GN[LGOaB$m>$.Tr"
  - Pattern match: "C.hg/!UArWnvPok]*Sd:*"
  - Heuristic match: "2zM: ai?5k8F{y6PfKaZFZ <L{>f;4'Y+@#uhoF6~^9n*@VC31|0x_h&QYi{aaocWo!b215(](pb%(Z{^z(6Ci%*Pvtq;m6zv%PV~NF*kBydDvd>vDtL:az7vVRR=#k[PQ3BUQtAOquFoti.Kw"
  - Pattern match: "B2-p.JHUN/:B"
  - Pattern match: "Yt.fL/hR1vVMiz=BdciX|H@}^-}+wk@p'|8O~"
  - Heuristic match: "^xONBNJ0d714D8!Mll'XC.DJ"
  - Heuristic match: "7C.u9q$|2H,/FSiTUoQp%#g?5Qt|p+i;.AoE}1:+Q:4`FZYP+J=-Vgc?YU/_.`V|Q(?,Ya-#Tdc'7LVS%[>,cyoHfYuCo-Y!doy<#u9AK/1 Cc(z.PW"
  - Pattern match: "6vR.SSDF/,`f!L|r$`GkswVu"
  - Pattern match: "uQ.TyPK/-5\f=~7~:p[t"
- source: File/Memory
- relevance: 10/10

File Details

infected.docx
- Filename: infected.docx
- Size: 527KiB (539156 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- Architecture: WINDOWS
- SHA256: 80028d489487e94d9cc2c5fa15886382b82ff84d856e6ed18a12458f2e97ffc1
- MD5: 70c04a54c0c8cb36ce4791976d0c804e
- SHA1: 670a886365f0a416e909dae4b2353b8f25379d9c

Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive

Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2348)

Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Informative (8)

index.dat
- Size: 56B (56 bytes)
- Type: data
- MD5: 587ab6f8243f15c85cdbe9886f7afb8c
- SHA1: 477a8381eb397e1f69a35d35a85511e77c574278
- SHA256: fbf14459ab642ad5b251807df0728a80d6726c755462e9f7fc805deec1a4fe11

infected.docx.LNK
- Size: 1.6KiB (1688 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Fri Apr 15 19:10:01 2016, mtime=Fri Apr 15 19:11:53 2016, atime=Fri Apr 15 19:10:01 2016, length=539156, window=hide
- MD5: f3a08316640a366e7e35ec3ffed12034
- SHA256: f546ede2338d45401c8dab7638f22d11009765320ba8d330e20bb8e812eeb706

Word12.pip
- Size: 1.6KiB (1684 bytes)
- Type: data
- MD5: fa9b7fec3962ff7914c7364bd1825509
- SHA1: c9b7fcae1b6a16d88ad8d0e704241b55d752d073
- SHA256: d1f77aae559ee8dd129ab9db3b30e60c9045463b4d8918790b194572d9a816c5

34908FCA.doc
- Size: 527KiB (539156 bytes)
- Type: Microsoft Word 2007+
- MD5: 70c04a54c0c8cb36ce4791976d0c804e
- SHA1: 670a886365f0a416e909dae4b2353b8f25379d9c
- SHA256: 80028d489487e94d9cc2c5fa15886382b82ff84d856e6ed18a12458f2e97ffc1

~WRD0000.tmp
- Size: 526KiB (538917 bytes)
- Type: data
- MD5: 7147b8d184407a3cea3b1c192fcb6701
- SHA1: b479b7ca92a36dcb6b97f8fbd2b82da88c6097fd
- SHA256: 60bb56f84cad4051d51c5da7c4ecc3aebd405830824730e6c8583bbbd8af48a4

~WRS{0D8DF3D1-40A8-4CD2-8251-3A01635429E0}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{F3AE5CF6-9137-430F-B5A5-BEB5DDC02BA9}.tmp
- Size: 1.5KiB (1536 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218115840, 1st used item "\375"
- MD5: 88c78bc61b165c218785407eaf80bab9
- SHA1: b8e72929e612cded0e7768ab856798a83930aac6
- SHA256: 30b7466cd48c00070a706e4e5940fdab139d3708c9ed27304a3d6419a96171ab

opa12.dat
- Size: 8.4KiB (8600 bytes)
- Type: data
- MD5: 159239437fea8a285a0c4a4a6a7541ea
- SHA1: 1b414db196c8b90a78d2e1827334e7a6963e6eef
- SHA256: 17ba31971c602408530f57f14f52c66d44aa3fe4b6ba8b93809d34dbc3e2e8be