Manuale Electrical Profile & Provisioning Manager EVO v3.2.doc
This report is generated from a file or URL submitted to this webservice on October 7th 2015 13:46:07 (UTC)
Report generated by Falcon Sandbox v2.50 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (4)

Network Related
- Found potential URL in binary/memory
  - Details: "http://docs.oracle.com/javase/specs/"
  - Source: File/Memory
  - Relevance: 2/10

Remote Access Related
- Contains a remote desktop related string
  - Details: "UG#+^j^)-vnca" (Indicator for product: Generic VNC)
  - Source: File/Memory
  - Relevance: 10/10

Unusual Characteristics
- Contains embedded string with suspicious keywords
  - Details:
    - Found suspicious keyword "Environ" which indicates: "May read system environment variables"
    - Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
    - Found suspicious keyword "Open" which indicates: "May open a file"
    - Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
  - Source: File/Memory
  - Relevance: 10/10
- Installs hooks/patches the running process
  - Details:
    - "WINWORD.EXE" wrote bytes "BEA82A18" to virtual address "0x2FAF1634" (part of module "WINWORD.EXE")
    - "WINWORD.EXE" wrote bytes "E9231920F0" to virtual address "0x77703D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  - Source: Hook Detection
  - Relevance: 10/10
Informative (4)

External Systems
- Sample was identified as clean by Antivirus engines
  - Details: 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
  - Source: External System
  - Relevance: 10/10

General
- Creates mutants
  - Details:
    - "KYIMEShareCachedData.MutexObject.PSPUBWS"
    - "KYTransactionServer.MutexObject.PSPUBWS"
    - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Local\ZonesCounterMutex"
    - "Local\ZoneAttributeCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
    - "Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - Source: Created Mutant
  - Relevance: 3/10
- Loads rich edit control libraries
  - Details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 66480000
  - Source: Loaded Module

Installation/Persistence
- Dropped files
  - Details:
    - "~$Normal.dotm" has type "data"
    - "~WRS{A4764BF6-30DF-488C-A88E-2FF9269AA202}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
    - "opa12.dat" has type "data"
    - "~$c951a6b699f4435da7bf793237803c72e61a8d2bf97966522c3b66df6fbae7.doc" has type "data"
    - "~WRS{3346D57B-F125-4DC7-A375-AADFCB8A1D30}.tmp" has type "data"
    - "~WRS{9D153643-B194-47B5-9B34-FB9B11E6A57A}.tmp" has type "data"
    - "8cc951a6b699f4435da7bf793237803c72e61a8d2bf97966522c3b66df6fbae7.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Thu Oct 8 03:46:32 2015, mtime=Thu Oct 8 03:46:32 2015, atime=Thu Oct 8 03:46:32 2015, length=5392896, window=hide"
    - "index.dat" has type "data"
    - "ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators"
    - "ExcludeDictionaryIT0410.lex" has type "Little-endian UTF-16 Unicode text, with no line terminators"
  - Source: Binary File
  - Relevance: 3/10
File Details
- Filename: Manuale Electrical Profile & Provisioning Manager EVO v3.2.doc
- Size: 5.1MiB (5392896 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: DMO.C.M.D.SC, Template: Normal.dotm, Last Saved By: Sabrina, Revision Number: 99, Name of Creating Application: Microsoft Office Word, Total Editing Time: 08:20:00, Last Printed: Sun Jun 30 11:02:00 2013, Create Time/Date: Thu Sep 26 15:06:00 2013, Last Saved Time/Date: Thu Jan 2 14:03:00 2014, Number of Pages: 43, Number of Words: 4809, Number of Characters: 27413, Security: 0
- Architecture: WINDOWS
- SHA256: 8cc951a6b699f4435da7bf793237803c72e61a8d2bf97966522c3b66df6fbae7
- MD5: 0e04c5fde7843fb12e9cf47e6d873bc1
- SHA1: aa7a847699a0699d3551bfe0add45dd717599049
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 4004)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative (21)

- profiles.bin
  - Size: 353B (353 bytes)
  - Type: Maple help database
  - MD5: 9060d2c2b8d0d12dd5993f6e87a3690e
  - SHA1: 7d3cb1f484e9e69ea152ad3a1bee0e97dc685c64
  - SHA256: 9d73c6bf9970b2bf6359782506427ddc8cfcbeaa8db78d20d6375a90457f0612
- opa12.dat
  - Size: 25KiB (25216 bytes)
  - Type: data
  - MD5: 83879ed652719a9456c86ceecd7542fd
  - SHA1: 3d8046d1950d1aa9ebdffeed7d60e45b241b04bb
  - SHA256: b6a5a8f0b627a880f4293769439f866e989e0c6f8ffc1b6e53ceb622eec39173
- 38EC2B8F.emf
  - Size: 5.5KiB (5636 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- 3E503044.emf
  - Size: 5.5KiB (5660 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- 59AB865E.emf
  - Size: 5KiB (5144 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- 9F41B2F2.emf
  - Size: 5.5KiB (5668 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- A1B77FD0.emf
  - Size: 5KiB (5152 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- BD44824B.emf
  - Size: 5.5KiB (5652 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- CE8E5D91.emf
  - Size: 5KiB (5076 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- D3F18B75.emf
  - Size: 5.5KiB (5660 bytes)
  - Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- ~WRS{3346D57B-F125-4DC7-A375-AADFCB8A1D30}.tmp
  - Size: 1.5KiB (1536 bytes)
  - Type: data
  - MD5: d26923cc6e6517581038137d678885c5
  - SHA1: 5703efdbc3360e09a9df17d765dbbf8f1b06661c
  - SHA256: 8b9f3a8bd3a5984d9b0993aa8f8a9f0bea564e4125787abe9bda4d9a526915a9
- ~WRS{9D153643-B194-47B5-9B34-FB9B11E6A57A}.tmp
  - Size: 3KiB (3072 bytes)
  - Type: data
  - MD5: 4fab2669cdd27eefc816f8536835c3ca
  - SHA1: 37acf02f4d04e26132384713d80ec5c695601a27
  - SHA256: 173382644dbb71bcb52114a6267586dcc5fc6d8facf27b38c68697db47ccdcc2
- ~WRS{A4764BF6-30DF-488C-A88E-2FF9269AA202}.tmp
  - Size: 1KiB (1024 bytes)
  - Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
  - MD5: 5d4d94ee7e06bbb0af9584119797b23a
  - SHA1: dbb111419c704f116efa8e72471dd83e86e49677
  - SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- 8cc951a6b699f4435da7bf793237803c72e61a8d2bf97966522c3b66df6fbae7.LNK
  - Size: 553B (553 bytes)
  - Type: MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Thu Oct 8 03:46:32 2015, mtime=Thu Oct 8 03:46:32 2015, atime=Thu Oct 8 03:46:32 2015, length=5392896, window=hide
- index.dat
  - Size: 129B (129 bytes)
  - Type: data
  - MD5: 7bd2ac730fa70503bca765e81d7978d0
  - SHA1: cfa616870b4f36303d5ae20c7aecf1a7852f1ada
  - SHA256: 0c90ef32a5d592137b95b3c0f51a0b948761adab2f55d29929d96fbdfc6baef2
- Word12.pip
  - Size: 1.6KiB (1684 bytes)
- ~$Normal.dotm
  - Size: 162B (162 bytes)
  - Type: data
  - MD5: ed74a523ffe22ed74ece0e3eb5952851
  - SHA1: 09af334ea5cfc7a030b4f99f359d9185608636a1
  - SHA256: 0e6df2542b24287e48acb8e77066d5946fcdbf74897058549bf4b40dd6d18c30
- ExcludeDictionaryEN0409.lex
  - Size: 2B (2 bytes)
  - Type: Little-endian UTF-16 Unicode text, with no line terminators
  - MD5: f3b25701fe362ec84616a93a45ce9998
  - SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  - SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- ExcludeDictionaryEN0809.lex
  - Size: 2B (2 bytes)
  - Type: Little-endian UTF-16 Unicode text, with no line terminators
  - MD5: f3b25701fe362ec84616a93a45ce9998
  - SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  - SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- ExcludeDictionaryIT0410.lex
  - Size: 2B (2 bytes)
  - Type: Little-endian UTF-16 Unicode text, with no line terminators
  - MD5: f3b25701fe362ec84616a93a45ce9998
  - SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  - SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- ~$c951a6b699f4435da7bf793237803c72e61a8d2bf97966522c3b66df6fbae7.doc
  - Size: 162B (162 bytes)
  - Type: data
  - MD5: 4177a7a2439e9653b08392b3255ebf03
  - SHA1: 6339aff9d506cd74931afa9b2c004e1662ff8040
  - SHA256: 01999f82e20c72310028b5de0060aad1d681d9d010d1ff73720beca9207f8e7b