LETTER FROM KATY VAN DOP.docx
This report is generated from a file or URL submitted to this webservice on June 10th 2017 09:33:39 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v6.60 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

Installation/Persistence

Possible targeted attack detected
- details: Document contains an embedded file and spawned a new process
- source: Indicator Combinations
- relevance: 10/10

Unusual Characteristics

Document contains embedded script file
- details: "extra_target_0.bat.bin" is a powershell script and the context is "extra_target_0.bat" ("document.xml.rels") ...
- source: Binary File
- relevance: 10/10

Suspicious Indicators (1)

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  1/64 reputation engines marked "http://ssl.gstatic.com" as malicious (1% detection rate)
  1/65 reputation engines marked "http://www.gstatic.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

Informative (20)

Environment Awareness

Reads the active computer name
- details: "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details: "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Reads the registry for installed applications
- details:
  "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
- source: Registry Access
- relevance: 10/10

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/58 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Additional Submission Context
- details: Submission context: "https://translate.google.com/"
- source: File/Memory
- relevance: 10/10

Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "Local\ZonesCacheCounterMutex"
  "Local\10MU_ACB10_S-1-5-5-0-61684"
  "Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "Local\ZoneAttributeCacheCounterMutex"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\ZonesLockedCacheCounterMutex"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\10MU_ACBPIDS_S-1-5-5-0-61684"
  "Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61684"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61684"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10

Document contains embedded files
- details: "extra_target_0.bat.bin" has type "ASCII text with no line terminators" and the context is "extra_target_0.bat" ("document.xml.rels") ...
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6AC60000
- source: Loaded Module

Process launched with changed environment
- details: Process "cmd.exe" was launched with missing environment variables: "MEOW"
- source: Monitored Target
- relevance: 10/10

Runs shell commands
- details: "cmd /C https://translate.google.com/" on 2017-6-10.00:39:16.673
- source: Monitored Target
- relevance: 5/10

Scanning for window names
- details:
  "WINWORD.EXE" searching for class "mspim_wnd32"
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
  "WINWORD.EXE" searching for class "NetUICtrlNotifySink"
  "WINWORD.EXE" searching for class "REListbox20W"
  "WINWORD.EXE" searching for class "OfficeTooltip"
  "WINWORD.EXE" searching for class "MsoCommandBarPopup"
- source: API Call
- relevance: 10/10

Spawns new processes
- details: Spawned process "cmd.exe" with commandline "cmd /C https://translate.google.com/"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Dropped files
- details:
  "LETTER FROM KATY VAN DOP.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Sat Jun 10 07:35:15 2017 mtime=Sat Jun 10 07:39:10 2017 atime=Sat Jun 10 07:39:10 2017 length=124253 window=hide"
  "index.dat" has type "data"
  "ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
  "~WRD0001.tmp" has type "Microsoft Word 2007+"
  "~WRS{25173A4D-4B18-4A7F-8022-FE1A1F5768F5}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
  "~$TTER FROM KATY VAN DOP.docx" has type "data"
  "~WRS{AE3EBF45-2992-4D5A-B008-C86D478E33AD}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item ">\014""
  "~$Normal.dotm" has type "data"
  "urlref_httpstranslate.google.com" has type "HTML document ASCII text with very long lines"
- source: Binary File
- relevance: 3/10

Opens the MountPointManager (often used to detect additional infection locations)
- details:
  "WINWORD.EXE" opened "MountPointManager"
  "cmd.exe" opened "MountPointManager"
- source: API Call
- relevance: 5/10

Touches files in the Windows directory
- details:
  "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  "WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
  "WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25173A4D-4B18-4A7F-8022-FE1A1F5768F5}.tmp"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details
- source: File/Memory
- relevance: 10/10

System Security

Hooks API calls
- details:
  "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source: Hook Detection
- relevance: 10/10

Queries sensitive IE security settings
- details: "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Installs hooks/patches the running process
- details:
  "WINWORD.EXE" wrote bytes "e99a549fec" to virtual address "0x76A63E59" ("SysFreeString@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "4ed4896d" to virtual address "0x69F942C4" (part of module "MSPROOF7.DLL")
  "WINWORD.EXE" wrote bytes "9fbebd0c" to virtual address "0x6A5B10AC" (part of module "MSPTLS.DLL")
  "WINWORD.EXE" wrote bytes "e99e4889ec" to virtual address "0x76B93D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  "WINWORD.EXE" wrote bytes "e96033a0ec" to virtual address "0x76A64731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "db124c6e" to virtual address "0x69ED2A00" (part of module "CSS7DATA0009.DLL")
  "WINWORD.EXE" wrote bytes "e92399a2ec" to virtual address "0x76A65DEE" ("VariantChangeType@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "99e5bf0f" to virtual address "0x6A0BCA70" (part of module "GFX.DLL")
  "WINWORD.EXE" wrote bytes "be41496e" to virtual address "0x6A363408" (part of module "MSCSS7EN.DLL")
  "WINWORD.EXE" wrote bytes "4d43bd0f" to virtual address "0x646878E4" (part of module "OART.DLL")
  "WINWORD.EXE" wrote bytes "f016b90c" to virtual address "0x6ACA9904" (part of module "RICHED20.DLL")
  "WINWORD.EXE" wrote bytes "e9c53294ec" to virtual address "0x770C6143" ("OleLoadFromStream@OLE32.DLL")
  "WINWORD.EXE" wrote bytes "20726c0f" to virtual address "0x63680BA8" (part of module "MSO.DLL")
  "WINWORD.EXE" wrote bytes "e93655a0ec" to virtual address "0x76A63EAE" ("VariantClear@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "aaed020f" to virtual address "0x2F411B94" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "c4cab87680bbb876fc1db4769fbbb87608bbb87646ceb8766138b976de2fb976d0d9b8760000000017792c774f912c777f6f2c77f4f72c7711f72c77f2832c77857e2c7700000000" to virtual address "0x6A451000" (part of module "MSIMG32.DLL")
  "WINWORD.EXE" wrote bytes "9b04bd0f" to virtual address "0x66BFF530" (part of module "WWLIB.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
- source: Registry Access
- relevance: 3/10

File Details

LETTER FROM KATY VAN DOP.docx
- Filename: LETTER FROM KATY VAN DOP.docx
- Size: 118KiB (120619 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- Architecture: WINDOWS
- SHA256: c0dfcb3096f442f2b396d61533199c2517259f4b214ef71ce265279e7bbae615
- MD5: 0247e7f9e67b452b333076db6eba2be7
- SHA1: e33841408299e0eb7b60871026c332501a6f6b21

Hybrid Analysis

Analysed 3 processes in total.
- WINWORD.EXE /n "C:\LETTER FROM KATY VAN DOP.docx" (PID: 3300)
- cmd.exe "C:\extra_target_0.bat" "" (PID: 3672, Source: "document.xml.rels")
- cmd.exe cmd /C https://translate.google.com/ (PID: 3624)

Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Informative (10)

LETTER FROM KATY VAN DOP.LNK
- Size: 538B (538 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Jun 10 07:35:15 2017, mtime=Sat Jun 10 07:39:10 2017, atime=Sat Jun 10 07:39:10 2017, length=124253, window=hide
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: f6885249c2634665ecd61d1afd74a5f2
- SHA1: 80481d402277a8c3525e690c18a7dfe39200766b
- SHA256: 1920e00964fd2682abc9a7eeb4780e6810605ef1a5be72e30d1026d334e64082

index.dat
- Size: 170B (170 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: 0885c054a67639da75dd0310b2559a61
- SHA1: 1e7d1fe5339a2e9b72a3ae24d4f6e95f5da3b212
- SHA256: 4d5fbbed261977e984b0ef58a1d9bc0d7ff8b0cc07568a02b911ea99dab33aa7

~$Normal.dotm
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: 790fbf361a5d44ddeaa4f71a3753d9f9
- SHA1: 05d1fa1c8909a82d38f66fb566b8b398b4d3ed33
- SHA256: 9de4e4847f95db0af5d993f6ae3ab46519fd5c4941589ba10b0225cb95b282c1

~WRS{25173A4D-4B18-4A7F-8022-FE1A1F5768F5}.tmp
- Size: 1KiB (1024 bytes)
- Type: unknown
- Description: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~WRS{AE3EBF45-2992-4D5A-B008-C86D478E33AD}.tmp
- Size: 11KiB (11264 bytes)
- Type: unknown
- Description: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item ">\014"
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: a7afb251dd74fa9a5e2656251a94187a
- SHA1: e99bc210f90b35ac32737bd05eb953750e3805d2
- SHA256: e954f72249cfd2dcd58007d8a6ee30e3af92bbb1302d5b27e72c71bc6c0e9687

~$TTER FROM KATY VAN DOP.docx
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 3300)
- MD5: 790fbf361a5d44ddeaa4f71a3753d9f9
- SHA1: 05d1fa1c8909a82d38f66fb566b8b398b4d3ed33
- SHA256: 9de4e4847f95db0af5d993f6ae3ab46519fd5c4941589ba10b0225cb95b282c1

extra_target_0.bat.bin
- Size: 36B (36 bytes)
- Type: script bat
- Description: ASCII text, with no line terminators
- Context: extra_target_0.bat
- Additional Context: document.xml.rels
- MD5: b0a8cfa902546604fc22910f131c5bee
- SHA1: 67d93283cc8a3827ed161485ee01030e5162ca23
- SHA256: e612eb934292507f9a6f358568f37bbbd2d280e58f636253414ec5c7272323c3

ExcludeDictionaryEN0409.lex
- Size: 2B (2 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with no line terminators
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

~WRD0001.tmp
- Size: 320KiB (327680 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- MD5: e922f5971af332e4f2755bc2ed3e56a5
- SHA1: 224e9a4894ec41c688be4ef03872ab7c9bbdb402
- SHA256: d9d79a22f8bc97b61aaf3f43ac88405198347f00c2017ef2106a2173fb296e67

urlref_httpstranslate.google.com
- Size: 213KiB (218118 bytes)
- Type: html
- Description: HTML document, ASCII text, with very long lines
- Context: https://translate.google.com/
- MD5: 3569254920efde764e3f83bcadc4ca0d
- SHA1: a924fdff37a6d83e2c33a0d4593885c45b9aeb8a
- SHA256: b19594c6caf7f7b61a9d066f6d799410ebdab13a91e53575532cfc2cc52a2e55

Notifications

Runtime
- Added comment to Virus Total report
- Extracted file "extra_target_0.bat.bin" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e612eb934292507f9a6f358568f37bbbd2d280e58f636253414ec5c7272323c3/analysis/1497080446/")
- Extracted file "urlref_httpstranslate.google.com" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b19594c6caf7f7b61a9d066f6d799410ebdab13a91e53575532cfc2cc52a2e55/analysis/1497080450/")
- Extracted file "~$TTER FROM KATY VAN DOP.docx" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9de4e4847f95db0af5d993f6ae3ab46519fd5c4941589ba10b0225cb95b282c1/analysis/1497080449/")
- Extracted file "~WRD0001.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/d9d79a22f8bc97b61aaf3f43ac88405198347f00c2017ef2106a2173fb296e67/analysis/1497080448/")
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report