ID: 34930 Sample Name: sample1.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:46:35 Date: 23/10/2017 Version: 20.0.0 Table of Contents Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Confidence 5 Classification 5 Analysis Advice 6 Signature Overview 6 AV Detection: 7 Key, Mouse, Clipboard, Microphone and Screen Capturing: 7 Software Vulnerabilities: 7 Networking: 7 Persistence and Installation Behavior: 7 Data Obfuscation: 7 Spreading: 7 System Summary: 7 HIPS / PFW / Operating System Protection Evasion: 8 Anti Debugging: 8 Malware Analysis System Evasion: 8 Hooking and other Techniques for Hiding and Protection: 8 Language, Device and Operating System Detection: 8 Behavior Graph 9 Simulations 9 Behavior and APIs 9 Antivirus Detection 9 Initial Sample 9 Dropped Files 9 Domains 10 Yara Overview 10 Initial Sample 10 PCAP (Network Traffic) 10 Dropped Files 10 Memory Dumps 10 Unpacked PEs 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 Dropped Files 10 Screenshot 10 Startup 11 Created / dropped Files 11 Contacted Domains/Contacted IPs 13 Contacted Domains 13 Contacted IPs 13 Static File Info 13 General 13 File Icon 14 Static OLE Info 14 General 14 OLE File "sample1.doc" 14 Indicators 14 Summary 14 Document Summary 14 Copyright Joe Security LLC 2017 Page 2 of 28 Streams with VBA 15 VBA File Name: Module1.bas, Stream Size: 3467 15 General 15 VBA Code Keywords 15 VBA Code 16 VBA File Name: ThisDocument.cls, Stream Size: 12841 16 General 16 VBA Code Keywords 16 VBA Code 20 Streams 20 Stream Path: \x1CompObj, File Type: data, Stream Size: 114 20 General 20 Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 20 General 20 Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 20 General 20 Stream Path: 1Table, File Type: data, Stream Size: 6579 20 General 20 Stream Path: Data, File Type: data, Stream Size: 108224 21 General 21 Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 409 21 General 21 Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65 21 General 21 Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5497 21 General 21 Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 569 22 General 22 Stream Path: WordDocument, File Type: data, Stream Size: 4096 22 General 22 Network Behavior 22 TCP Packets 22 HTTP Request Dependency Graph 22 HTTP Packets 22 Code Manipulations 23 Statistics 23 Behavior 23 System Behavior 23 Analysis Process: WINWORD.EXE PID: 3100 Parent PID: 2840 23 General 23 File Activities 24 File Created 24 Registry Activities 24 Key Created 24 Analysis Process: cmd.exe PID: 3168 Parent PID: 3100 24 General 24 Analysis Process: powershell.exe PID: 3204 Parent PID: 3168 24 General 25 File Activities 25 File Created 25 File Deleted 25 Registry Activities 25 Analysis Process: reg.exe PID: 3276 Parent PID: 3168 25 General 25 Analysis Process: eventvwr.exe PID: 3284 Parent PID: 3168 25 General 25 File Activities 26 Analysis Process: mmc.exe PID: 3304 Parent PID: 3284 26 General 26 File Activities 26 File Created 26 File Written 27 Registry Activities 27 Analysis Process: PING.EXE PID: 3384 Parent PID: 3168 27 General 27 File Activities 28 Disassembly 28 Code Analysis 28 Copyright Joe Security LLC 2017 Page 3 of 28 Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 34930 Start time: 21:46:35 Joe Sandbox Product: CloudBasic Start date: 23.10.2017 Overall analysis duration: 0h 4m 26s Hypervisor based Inspection enabled: false Report type: light Sample file name: sample1.doc Cookbook file name: defaultwindowsofficecookbook.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Run name: without instrumentation Number of analysed new started processes analysed: 9 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Detection: MAL Classification: mal92.evad.expl.troj.winDOC@13/10@0/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Failed HDC Information: Failed Cookbook Comments: Found application associated with file extension: .doc Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 13 Close Viewer Warnings: Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, mmc.exe Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2017 Page 4 of 28 Strategy Score Range Reporting Detection Threshold 92 0 - 100 Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold 5 0 - 5 false Classification Copyright Joe Security LLC 2017 Page 5 of 28 Ransomware Evader Spreading mmaallliiiccciiioouusss malicious sssuusssppiiiccciiioouusss Exploiter suspicious Phishing cccllleeaann clean Spyware Banker Adware Trojan / Bot Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Signature Overview • AV Detection • Key, Mouse, Clipboard, Microphone and Screen Capturing • Software Vulnerabilities • Networking • Persistence and Installation Behavior • Data Obfuscation • Spreading • System Summary • HIPS / PFW / Operating System Protection Evasion • Anti Debugging • Malware Analysis System Evasion • Hooking and other Techniques for Hiding and Protection • Language, Device and Operating System Detection Copyright Joe Security LLC 2017 Page 6 of 28 Click to jump to signature section AV Detection: Antivirus detection for submitted file Key, Mouse, Clipboard, Microphone and Screen Capturing: Creates a window with clipboard capturing capabilities Software Vulnerabilities: Potential document exploit detected (performs HTTP gets) Potential document exploit detected (unknown TCP traffic) Document exploit detected (process start blacklist hit) Networking: Downloads files Downloads files from webservers via HTTP Tries to download non-existing http data (HTTP/1.1 404 Not Found) Urls found in memory or binary data HTTP GET or POST without a user agent Uses ping.exe to check the status of other devices and networks Persistence and Installation Behavior: Tries to download and execute files (via powershell) Data Obfuscation: Powershell starts a process from the temp directory Suspicious powershell command line found Spreading: Enumerates the file system System Summary: Checks whether correct version of .NET is installed Executable creates window controls seldom found in malware Found graphical window changes (likely an installer) Copyright Joe Security LLC 2017 Page 7 of 28 Uses Microsoft Silverlight Checks if Microsoft Office is installed Uses new MSVCR Dlls Binary contains paths to debug symbols Binary contains paths to development resources Classification label Creates files inside the user directory Creates temporary files Document contains an OLE Word Document stream indicating a Microsoft Word file Document contains summary information with irregular field values Found command line output Parts of this applications are using the .NET runtime (Probably coded in C#) Reads ini files Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Spawns processes Uses an in-process (OLE) Automation server Creates mutexes Document contains embedded VBA macros Enables security privileges Uses reg.exe to modify the Windows registry Document contains an embedded VBA macro which executes code when the document is opened / closed Document contains an embedded VBA macro which may execute processes Document contains an embedded VBA macro with suspicious strings HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) Bypasses PowerShell execution policy Anti Debugging: Creates guard pages, often used to prevent reverse engineering and debugging Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Enables debug privileges Malware Analysis System Evasion: Queries a list of all running processes Contains long sleeps (>= 3 min) Enumerates the file system May sleep (evasive loops) to hinder dynamic analysis Uses ping.exe to sleep Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Document contains OLE streams with high entropy indicating encrypted embedded content System process connects to network (likely due to code injection or exploit) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Queries the installation date