ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:


Table of Contents

Analysis Report
Overview
Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
Networking:
System Summary:
Malware Analysis System Evasion:
Hooking and other Techniques for Hiding and Protection:
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Domains
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Joe Sandbox View / Context
IPs
Domains
ASN
Dropped Files
Screenshot
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted IPs
Static File Info
File Icon
Static OLE Info
OLE File "Luxus.doc"
Indicators
Summary
Document Summary
Streams
\x1compobj,, Stream Size: 106
\x5documentsummaryinformation,, Stream Size: 492
\x5summaryinformation,, Stream Size: 404
1Table, dbase IV DBT of \234.DBF, blocks size 65554, next free block index , Stream Size:
Data,, Stream Size:

Copyright Joe Security LLC 2018 Page 2 of 26

ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,,
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,,
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size:
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size:
ObjectPool/_ /\x1Ole,,

ObjectPool/_ /\x3ObjInfo,, Stream Size: 6
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
ObjectPool/_ /\x1CompObj,, Stream Size: 114
ObjectPool/_ /\x1Ole,,
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6
ObjectPool/_ /CONTENTS,, Stream Size:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver),
WordDocument,, Stream Size:
Network Behavior
Code Manipulations
Statistics
System Behavior
Analysis Process: WINWORD.EXE PID: 3292 Parent PID: 2948
File Activities
Registry Activities
Disassembly
Code Analysis

Analysis Report

Overview

Information
Joe Sandbox Version:
Analysis ID:
Start time: 10:22:08
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 4m 12s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: Luxus.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: CLEAN
Classification: clean0.windoc@1/13@0/0
HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Found application associated with file extension: .doc
  Found Word or Excel or PowerPoint document
  Simulate clicks
  Number of clicks 825
  Close Viewer
Warnings:
  Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection
Strategy Score Range Reporting Detection Threshold Report FP / FN

Confidence
Strategy Score Range Further Analysis Required? Threshold Confidence

Classification
[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Levels: malicious, suspicious, clean.]

Analysis Advice
No malicious behavior found, analyze the document also on other version of Office / Acrobat

Signature Overview

Networking:
Downloads files
Urls found in memory or binary

System Summary:
Checks whether correct version of .net is installed
Found graphical window changes (likely an installer)
Checks if Microsoft Office is installed
Document has an application name indicative for goodware
Submission file is bigger than most known malware samples
Uses new MSVCR Dlls
Document has a 'lastprinted' value indicative for goodware
Document has a 'vbamacros' value indicative for goodware
Classification label
Creates files inside the user directory
Creates temporary files
Document contains an OLE Word Document stream indicating a Microsoft Word file
Document contains summary information with irregular field values
Reads ini files
Reads software policies
Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Malware Analysis System Evasion:
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Hooking and other Techniques for Hiding and Protection:
Disables application error messsages (SetErrorMode)
Document contains OLE streams with high entropy indicating encrypted embedded content

Behavior Graph

[Behavior Graph. Sample: Luxus.doc, Startdate: 09/01/2018, Architecture: WINDOWS, Score: 0. Process shown: WINWORD.EXE (started).]

Simulations

Behavior and APIs
No simulations

Antivirus Detection
Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Domains: No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshot

Startup
System is w7
WINWORD.EXE (PID: 3292 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Luxus.doc 5D798FF0BE2A8970D ACFD9D)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\20759C03.emf
Windows Enhanced Metafile (EMF) image version 0x
Size (bytes): Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D00AD1C.emf
Windows Enhanced Metafile (EMF) image version 0x10000
Size (bytes): Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45BDF26D.emf
Windows Enhanced Metafile (EMF) image version 0x10000
Size (bytes): Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE6D1E28.emf
Windows Enhanced Metafile (EMF) image version 0x10000
Size (bytes): Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E5E1BD8A.emf
Windows Enhanced Metafile (EMF) image version 0x10000
Size (bytes): Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7244E3FC-DA39-4C87-81AF-24C4BE7CE28B}.tmp
Size (bytes): 1536 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4EFBCDA-F19A-46D0-AC66-EF6EFC25F587}.tmp
Size (bytes): 1536 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DAC451C3-027D-4931-A246-93F356E70269}.tmp
FoxPro FPT, blocks size 0, next free block index , 1st used item "\375"
Size (bytes): 1024 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Luxus.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=sun Sep :59: , mtime=sun Sep 24 13:59: , atime=tue Jan 9 09:22: , length= , window=hide
Size (bytes): 2032 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
Size (bytes): 53 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Size (bytes): 162 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
moderate, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0809.lex
Little-endian UTF-16 Unicode text, with no line terminators
Size (bytes): 2 Entropy (8bit): 1.0 Encrypted: SHA-256: SHA-512: Malicious:
moderate, very likely benign file

C:\Users\user\Desktop\~$Luxus.doc
Size (bytes): 162 Entropy (8bit): Encrypted: SHA-256: SHA-512: Malicious:
moderate, very likely benign file

Contacted Domains/Contacted IPs

Contacted Domains
No contacted domains info

Contacted IPs
No contacted IP infos

Static File Info
File type: 0
Entropy (8bit):
TrID:
  Microsoft Word document (old ver.) (19008/1) 66.66%
  Generic OLE2 / Multistream Compound File (8008/1) 28.08%
  Java Script embedded in Visual Basic Script (1500/0) 5.26%
File name: Luxus.doc
File size: SHA256: SHA512:

File Icon

Static OLE Info
Document Type: OLE
Number of OLE Files: 1

OLE File "Luxus.doc"

Indicators
Has Summary Info:
Application Name: Microsoft Word 10.0
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count: 0
Contains VBA Macros:

Summary
Code Page: 1252
Title: Text Luxus
Subject:
Author:
Keywords:
Comments:
Template: Normal
Last Saved By:
Revion Number: 3
Last Printed: :55:00
Create Time: :20:00
Last Saved Time: :23:00
Number of Pages: 1
Number of Words: 160
Number of Characters: 1011
Creating Application: Microsoft Word 10.0
Security: 0

Document Summary
Document Code Page: 1252
Number of Lines: 8
Number of Paragraphs: 2
Thumbnail Scaling Desired:
Company:
Contains Dirty Links:
Shared Document:
Changed Hyperlinks:
Application Version:

Streams

\x1compobj,, Stream Size: 106 Entropy:
Data ASCII: F.... M i c r o s o f t W o r d - D o k u m e n t..... M S W o r d D o c..... W o r d. D o c u m e n t q

\x5documentsummaryinformation,, Stream Size: 492 Entropy:

\x5summaryinformation,, Stream Size: 404 Entropy:

Table, dbase IV DBT of \234.DBF, blocks size 65554, next free block index , Stream Size: Entropy:
Data ASCII: D S. t. a. n. d. a. r. d C J.. _ H.. a J.. m H.. s H.. t H J. J A. b. s. a. t. z. -. S. t. a. n. d. a. r. d. s. c. h. r. i. f. t. a. r. t..... X. i..... X N. o. r. m. a. l. e.. T. a. b. e. l. l. e l.

Data,, Stream Size: Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

ObjectPool/_ /\x1CompObj,, Stream Size: 114 Entropy:
Data ASCII: ).... M i c r o s o f t P h o t o E d i t o r B i l d..... M S P h o t o E d i t o r..... M S P h o t o E d q
ObjectPool/_ /\x1Ole,, Entropy:
ObjectPool/_ /\x3ObjInfo,, Stream Size: 6 Entropy:
ObjectPool/_ /CONTENTS,, Stream Size: Entropy:
ObjectPool/_ /CONTENTSV30, DOS executable (block device driver), Entropy:

WordDocument,, Stream Size: Entropy:

Network Behavior
No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 3292 Parent PID: 2948
Start time: 10:22:15
Start date: 09/01/2018
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Luxus.doc
Imagebase: 0x773d
File size: bytes
MD5 hash: 5D798FF0BE2A8970D ACFD9D
Programmed in: C, C++ or other language
moderate

File Activities
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Completion Count Source Address Symbol
Old File Path New File Path Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol

Registry Activities
Key Path Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol

Disassembly

Code Analysis

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: PO SP- R BACKORDERED ITEMS.doc Cookbook: default.jbs Time: 21:49:47 Date: 28/09/2017 Version: 20.0.

ID: Sample Name: PO SP- R BACKORDERED ITEMS.doc Cookbook: default.jbs Time: 21:49:47 Date: 28/09/2017 Version: 20.0. ID: 32973 Sample Name: 112 PO SP- R100007-3 BACKORDERED ITEMS.doc Cookbook: default.jbs Time: 21:49:47 Date: 2/09/2017 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version:

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: ID: 37845 Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: O7vs4QqN9k Cookbook: defaultwindowsofficecookbook.jbs Time: 07:44:30 Date: 11/01/2019 Version: 25.0.

ID: Sample Name: O7vs4QqN9k Cookbook: defaultwindowsofficecookbook.jbs Time: 07:44:30 Date: 11/01/2019 Version: 25.0. ID: 102640 Sample Name: O7vs4QqN9k Cookbook: defaultwindowsofficecookbook.jbs Time: 07:44:30 Date: 11/01/2019 Version: 25.0.0 Tiger's Eye Table of Contents Table of Contents Analysis Report O7vs4QqN9k

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: NALCsalaries.xls. Cookbook: defaultwindowsofficecookbook.jbs Time: 01:50:14 Date: 28/11/2017 Version: 20.0.

ID: Sample Name: NALCsalaries.xls. Cookbook: defaultwindowsofficecookbook.jbs Time: 01:50:14 Date: 28/11/2017 Version: 20.0. ID: 38381 Sample Name: NALCsalaries.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 01:50: Date: 28/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: NALCsalaries.xls. Cookbook: defaultwindowsofficecookbook.jbs Time: 01:52:54 Date: 28/11/2017 Version: 20.0.

ID: Sample Name: NALCsalaries.xls. Cookbook: defaultwindowsofficecookbook.jbs Time: 01:52:54 Date: 28/11/2017 Version: 20.0. ID: 38383 Sample Name: NALCsalaries.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 01:52:54 Date: 28/11/2017 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information