e-mail.docx
This report is generated from a file or URL submitted to this webservice on July 7th 2015 03:08:31 (UTC)
Report generated by
Falcon Sandbox v1.90 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Suspicious Indicators 7
-
Anti-Detection/Stealthyness
-
Sets the process error mode to suppress error box
- details
- "WINWORD.EXE" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Sets the process error mode to suppress error box
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- "tWOU[=qemUA)R~^<\J?es*XT>zXxw4x;UhO' TM?nNBA#RSf3p]}-2I?q3:Nyu5|rApgu*I,Hq34-" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
-
Possibly tries to implement anti-virtualization techniques
-
Network Related
-
Found potential URL in binary/memory
- details
- "1?0VoA.Ac"
- source
- File/Memory
- relevance
- 2/10
-
Found potential URL in binary/memory
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "B67AA87B" to virtual address "0x2FD41634" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "E92319F6F0" to virtual address "0x77C23D01" ("SetUnhandledExceptionFilter@kernel32.dll") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 5
-
General
-
Creates mutants
- details
-
"KYIMEShareCachedData.MutexObject.PSPUBWS"
"KYTransactionServer.MutexObject.PSPUBWS"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 67700000
- source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
- "DecodePointer@KERNELBASE.dll"
- source
- API Call
- relevance
- 1/10
-
Sample was identified as clean by Antivirus engines
- details
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Creates mutants
-
Installation/Persistance
-
Dropped files
- details
-
"~WRS{94772F75-D23D-49E4-93B7-2F8C27B98AB4}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"opa12.dat" has type "data"
"~$4db880d1f9b34bff1d7054ea60d870d5de5d4df628944d095e472518b7ef49.docx" has type "data"
"EA3F822E.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"~WRS{A48C0EA2-28CF-4BCF-805E-6D80AB52595F}.tmp" has type "data"
"Local Disk (Z).LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Directory, ctime=Tue Jul 7 15:09:44 2015, mtime=Tue Jul 7 15:10:31 2015, atime=Tue Jul 7 15:10:31 2015, length=4096, window=hide"
"index.dat" has type "data"
"ExcludeDictionaryEN0809.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators" - source
- Binary File
- relevance
- 3/10
-
Dropped files
File Details
e-mail.docx
- Filename
- e-mail.docx
- Size
- 3.6MiB (3799842 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 2b4db880d1f9b34bff1d7054ea60d870d5de5d4df628944d095e472518b7ef49
- MD5
- db8e1985d3cda757042c273ea488e842
- SHA1
- 363e8760dde40e5f878d76407c1240835dfa3a64
Resources
- Icon
Visualization
-
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total.
- WINWORD.EXE /n /dde (PID: 2444)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 8
-
-
opa12.dat
- Size
- 25KiB (25190 bytes)
- Type
- data
- MD5
- f84f5818a6600d081f664ccfcdba0ac1
- SHA1
- 6db3785349b8ac6ffd51e13f1bd854163f56deae
- SHA256
- 4e4c6ce6233523aada7bba06774834e37c9c86169ae4af4b88af6e861536c574
-
EA3F822E.emf
- Size
- 4.9KiB (5004 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
-
~WRS{94772F75-D23D-49E4-93B7-2F8C27B98AB4}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{A48C0EA2-28CF-4BCF-805E-6D80AB52595F}.tmp
- Size
- 3.5KiB (3584 bytes)
- Type
- data
- MD5
- 357bf6cf5ac32938a9b09347bac986b0
- SHA1
- f43a992dd388adf81eed3c391d3a6ac930a50eb0
- SHA256
- 5a77ece4a8db8847f7de61667fd29786225810f58b3c3fa2518856dbdbf960c1
-
Local Disk (Z).LNK
- Size
- 275B (275 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Directory, ctime=Tue Jul 7 15:09:44 2015, mtime=Tue Jul 7 15:10:31 2015, atime=Tue Jul 7 15:10:31 2015, length=4096, window=hide
-
index.dat
- Size
- 130B (130 bytes)
- Type
- data
- MD5
- 46a57d12312c8a847301571e6f86c565
- SHA1
- 68f39636a7520cbdfb62d96090b895ecda3c1d1c
- SHA256
- 6284a725e9ff3e3b59d126de6d40324016d97fba23c0b7618683c94bcb8f3008
-
ExcludeDictionaryEN0809.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~$4db880d1f9b34bff1d7054ea60d870d5de5d4df628944d095e472518b7ef49.docx
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 79f16a2f1618acab3ec3a7b7d2d59d73
- SHA1
- 5d81c740765ef222cb87f7892f533f87b7152d97
- SHA256
- 86f9ee98304616929bde3614b6043e67dfdbba98accaad3fd515524cf64b08be
-
Notifications
-
Runtime
- Added comment to VirusTotal report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)