DYNAMIC ANALYSIS REPORT #1591761
Classifications: -
MALICIOUS Threat Names: VB.Heur2.PwShell.2.2D752CDE.Gen
Verdict Reason: -
Sample Type Word Document
Sample Name Test.doc
ID #590902
MD5 5d2ceee3e928463210ccbc8ee0b0e3e8
SHA1 701fd88acbd550d3f75f24a15ef6c3a5110bf859
SHA256 95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190
File Size 32.50 KB
Report Created 2021-06-04 23:05 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | ms_office
X-Ray Vision for Malware - www.vmray.com 1 / 12 DYNAMIC ANALYSIS REPORT #1591761
OVERVIEW
VMRay Threat Identifiers (7 rules, 8 matches)
Score Category Operation Count Classification
4/5 Execution Document tries to create process 1 -
• Document unsuccessfully tries to create process "winword.exe".
4/5 Antivirus Malicious content was detected by heuristic scan 1 -
• Built-in AV detected the sample itself as "VB.Heur2.PwShell.2.2D752CDE.Gen".
4/5 YARA Malicious content matched by YARA rules 2 -
• Rule "PowerShell_Download_Commands" from ruleset "Generic" has matched on the sample itself.
• Rule "PowerShell_Download_Commands" from ruleset "Generic" has matched on the function strings for (process #1) winword.exe.
2/5 Execution Office macro uses an execute function 1 -
• Office macro uses the shell function.
2/5 Execution Executes macro on specific event 1 -
• Executes macro automatically on target "document" and event "open".
1/5 Execution Contains suspicious Office macro 1 -
• Office document contains a suspicious VBA macro.
1/5 Heuristics Contains suspicious meta data 1 -
• Office document contains below average content data.
Mitre ATT&CK Matrix
Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Execution: #T1064 Scripting
Defense Evasion: #T1064 Scripting
Sample Information
ID 1591761
MD5 5d2ceee3e928463210ccbc8ee0b0e3e8
SHA1 701fd88acbd550d3f75f24a15ef6c3a5110bf859
SHA256 95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190
SSDeep 384:wuE8iSwvxjk+ty1yxfsyog0jVAta/J1T3Ah:Xqxw+tjsACzT3A
ImpHash
Filename Test.doc
File Size 32.50 KB
Sample Type Word Document
Has Macros
Analysis Information
Creation Time 2021-06-04 23:05 (UTC+2)
Analysis Duration 00:04:10
Termination Reason Timeout
Number of Monitored Processes 1
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 2
Screenshots truncated.
NETWORK
General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
1 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
DNS Requests
-
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe - - - 0 bytes N/A
BEHAVIOR
Process Graph
#1 Sample Start winword.exe
Process #1: winword.exe
ID 1
Filename c:\program files (x86)\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 78654, Reason: Analysis Target
Unmonitor End Time End Time: 329328, Reason: Terminated by Timeout
Monitor Duration 250.67s
Return Code Unknown
PID 3472
Parent PID 2104
Bitness 32 Bit
Host Behavior
Type Count
Module 2
Keyboard 1
Process 1
Registry 4
- 2
ARTIFACTS
File
SHA256 Filenames Category Filesize MIME Type Operations Verdict
95fce78393454133357863709111d7e92f363d0016bd995259741c1fd1c60190 C:\Users\RDhJ0CNFevzX\Desktop\Test.doc Sample File 32.50 KB application/msword - MALICIOUS
Filename
Filename Category Operations Verdict
WINHELP.INI Accessed File Read, Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
https://srv-store2.gofile.io/download/b8ce20ad-dfc1-4aec-b020-65ab7ded29cb/calc.exe - - - GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
srv-store2.gofile.io HTTPS CLEAN
IP
-
-
Email Address
-
Mutex
-
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access winword.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help access winword.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help access winword.exe CLEAN
Process
Process Name Commandline Verdict
winword.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n CLEAN
YARA / AV
YARA (2)
Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict
Generic PowerShell_Download_Commands "PowerShell may attempt to download external content; possible dropper" Sample File C:\Users\RDhJ0CNFevzX\Desktop\Test.doc - 4/5
Generic PowerShell_Download_Commands "PowerShell may attempt to download external content; possible dropper" Function Strings function_strings_process_1.txt - 4/5
Antivirus (1)
File Type Threat Name Filename Verdict
SAMPLE VB.Heur2.PwShell.2.2D752CDE.Gen C:\Users\RDhJ0CNFevzX\Desktop\Test.doc MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update 2021-06-04 14:57:36+00:00 Release Date
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed