popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

invc_0070032233.wbk

doc RTF File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 29, 2021, 7:33 a.m. Oct. 29, 2021, 7:35 a.m.
Size 24.2KB
Type Rich Text Format data, unknown version
MD5 cf62058e0e077981fa8535c0d47f12ea
SHA256 654a812ab82129896250818c85160456626ac2a69393c2725e81e96f6666fe79
CRC32 BE7FD141
ssdeep 768:z8m9wriCXz3A4hpaFiAzoVrAzi8hFnalg:z27jlhpaFrzoWpalg
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49173 -> 13.107.42.13:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:56357 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:50665 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:60090 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:59437 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:63128 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:53498 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.103:63659 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 23.106.223.27:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49167 -> 23.106.223.27:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 23.106.223.27:80 -> 192.168.56.103:49167 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 23.106.223.27:80 -> 192.168.56.103:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 23.106.223.27:80 -> 192.168.56.103:49167 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 23.106.223.27:80 -> 192.168.56.103:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49173
13.107.42.13:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 CN=onedrive.com 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1
192.168.56.103:49174
13.107.42.12:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1
192.168.56.103:49175
13.107.42.12:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 3783876
registers.edi: 1981610512
registers.eax: 3783876
registers.ebp: 3783956
registers.edx: 0
registers.ebx: 78550284
registers.esi: 2147944126
registers.ecx: 3847350467
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 3783568
registers.edi: 1981610512
registers.eax: 3783568
registers.ebp: 3783648
registers.edx: 0
registers.ebx: 78591972
registers.esi: 2147944122
registers.ecx: 3847350467
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://23.106.223.27/vbc.exe
domain micheal3m.hopto.org
domain johnie3m.hopto.org
domain sugarcane.hopto.org
domain sheilabeltagy4m.hopto.org
request GET http://23.106.223.27/vbc.exe
request GET https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
request GET https://pkc5hq.by.files.1drv.com/y4mXHvA4annmU58YyoOm5IbUsOjHQkt8q8czhufn7SvhH_9ENeZ-hZCEVtU8HfJcyZqybwtJhT99lOdljmUKIJV6mEDjvRJN7qaSuTHjHe0P1Uks0H3eThDcBWxr_GDuW5ssjF1L07fN6gOidautQhhbxAbZRDoxBKxbzH3LFBtezqfaA5PtN-orcz2O8r_j7cZsCvccczTmxYMdT99EAN2XQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
request GET https://pkc5hq.by.files.1drv.com/y4mbAoLripoDP3gbIunXf6AhB9wxgfIIoSbjKMJfKMtjRD33rmLjnaP5rsqgnEP1T6_Bdb2MUO_hsDTIM1sHFVa3ef8ahu_e_3RkXt2wnnhpDIEFjkcRXiurYGt-QnwFtyGNWMEdG4wfsEmrYjQkmSI7A3RWRn5ab-Q2d9vhvXn9hv63QOUhRmJ_nqqZ6NNjqH_lhDWSLFYs9j6TXFBQCTb8w/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
Application Crash Process WINWORD.EXE with pid 1940 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 3783876
registers.edi: 1981610512
registers.eax: 3783876
registers.ebp: 3783956
registers.edx: 0
registers.ebx: 78550284
registers.esi: 2147944126
registers.ecx: 3847350467
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 3783568
registers.edi: 1981610512
registers.eax: 3783568
registers.ebp: 3783648
registers.edx: 0
registers.ebx: 78591972
registers.esi: 2147944122
registers.ecx: 3847350467
1 0 0
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000488
filepath: C:\Users\test22\AppData\Local\Temp\~$vc_0070032233.wbk
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$vc_0070032233.wbk
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
filetype_details Rich Text Format data, unknown version filename invc_0070032233.wbk
host 23.106.223.27
DrWeb Exploit.Rtf.Obfuscated.32
MicroWorld-eScan Exploit.RTF-ObfsStrm.Gen
Sangfor Malware.Generic-RTF.Save.c5a892ae
K7AntiVirus Trojan ( 0057b3a91 )
K7GW Trojan ( 0057b3a91 )
Arcabit Exploit.RTF-ObfsStrm.Gen
Cyren RTF/CVE-2017-11882.R.gen!Camelot
Symantec Bloodhound.RTF.20
ESET-NOD32 multiple detections
Kaspersky HEUR:Exploit.MSOffice.Generic
BitDefender Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware Exploit.RTF-ObfsStrm.Gen
Emsisoft Exploit.RTF-ObfsStrm.Gen (B)
TrendMicro HEUR_RTFMALFORM
McAfee-GW-Edition Exploit-CVE2017-11882.z
FireEye Exploit.RTF-ObfsStrm.Gen
Sophos Troj/RtfExp-EQ
Avira HEUR/Rtf.Malformed
MAX malware (ai score=88)
Antiy-AVL Trojan/Generic.ASDOH.22A
GData Exploit.RTF-ObfsStrm.Gen
AhnLab-V3 RTF/Malform-A.Gen
McAfee Exploit-CVE2017-11882.z
Zoner Probably Heur.RTFBadVersion
Ikarus Exploit.CVE-2017-11882
Fortinet RTF/GenericKD.47107450!tr
dead_host 192.168.56.103:49193
dead_host 23.105.131.236:2406
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49212
dead_host 192.168.56.103:49217
dead_host 192.168.56.103:49205
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49186
dead_host 192.168.56.103:49208
dead_host 192.168.56.103:49201
dead_host 192.168.56.103:49198
dead_host 192.168.56.103:49191
dead_host 192.168.56.103:49213
dead_host 192.168.56.103:49194
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49209
dead_host 192.168.56.103:49218
dead_host 192.168.56.103:49206
dead_host 192.168.56.103:49178
dead_host 192.168.56.103:49199
dead_host 192.168.56.103:49188
dead_host 192.168.56.103:49202
dead_host 192.168.56.103:49195
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49214
dead_host 192.168.56.103:49219
dead_host 192.168.56.103:49179
dead_host 192.168.56.103:49196
dead_host 192.168.56.103:49210
dead_host 192.168.56.103:49189
dead_host 192.168.56.103:49203
dead_host 192.168.56.103:49220
dead_host 192.168.56.103:49192
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185
dead_host 192.168.56.103:49215
dead_host 192.168.56.103:49216
dead_host 192.168.56.103:49204
dead_host 192.168.56.103:49176
dead_host 192.168.56.103:49197
dead_host 192.168.56.103:49211
dead_host 192.168.56.103:49207
dead_host 192.168.56.103:49200