popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

nelb.doc

MS_RTF_Obfuscation_Objects doc RTF File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 26, 2024, 10:09 a.m. June 26, 2024, 10:12 a.m.
Size 561.3KB
Type Rich Text Format data, version 1, unknown character set
MD5 6b9167056af49bf702c833ae4f581ef1
SHA256 13bc94a2f39a03f509036ff58462b974c401cac0df52cce22223114f909b2f72
CRC32 9344B6B4
ssdeep 6144:dwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAuB+2:dB
Yara
  • SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 104.21.74.191:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 172.67.148.235:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 3.33.130.190:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 199.59.243.226:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 199.59.243.226:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49163
104.21.74.191:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=universalmovies.top 67:bc:42:10:14:49:13:d3:52:bc:a7:fb:fc:bd:0e:1c:24:be:f9:a6

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x747fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x746f98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74741414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74757b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x72124dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x726f92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x72978232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x72b8c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x72b9699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7297a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x726fb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7265f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x71dc25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x71defe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x71def54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7295e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x7291168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x71daa431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x71d9876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x71d949e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6b15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6b155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2247964
registers.edi: 1953561104
registers.eax: 2247964
registers.ebp: 2248044
registers.edx: 0
registers.ebx: 4643780
registers.esi: 2147944126
registers.ecx: 2705849662
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x747fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x746f98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x746fb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x746fb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x746fb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x746fa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7477a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x747577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x747414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74757b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x72124dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x726f92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x72978232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x72b8c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x72b9699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7297a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x726fb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7265f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x71dc25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x71defe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x71def54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7295e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x7291168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x71daa431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x71d9876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x71d949e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6b15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6b155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2247656
registers.edi: 1953561104
registers.eax: 2247656
registers.ebp: 2247736
registers.edx: 0
registers.ebx: 4643996
registers.esi: 2147944122
registers.ecx: 2705849662
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba
suspicious_features GET method with no useragent header suspicious_request GET http://www.home-repair-contractors-kfm.xyz/btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba
suspicious_features GET method with no useragent header suspicious_request GET http://www.xmentorgroup.com/btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba
request GET http://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba
request GET http://www.home-repair-contractors-kfm.xyz/btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba
request GET http://www.xmentorgroup.com/btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba
request GET https://universalmovies.top/nelb.scr
domain universalmovies.top description Generic top level domain TLD
domain www.h7wlvwr4afx.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e521000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x053f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x053f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05860000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e334000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 2640 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x747fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x746f98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74741414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74757b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x72124dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x726f92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x72978232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x72b8c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x72b9699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7297a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x726fb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7265f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x71dc25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x71defe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x71def54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7295e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x7291168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x71daa431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x71d9876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x71d949e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6b15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6b155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2247964
registers.edi: 1953561104
registers.eax: 2247964
registers.ebp: 2248044
registers.edx: 0
registers.ebx: 4643780
registers.esi: 2147944126
registers.ecx: 2705849662
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x747fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x746f98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x746fb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x746fb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x746fb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x746fa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7477a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x747577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x747414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74757b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x72124dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x726f92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x72978232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x72b8c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x72b9699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7297a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x726fb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7265f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x71dc25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x71defe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x71def54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7295e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x7291168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x71daa431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x71d9876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x71d949e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6b15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6b155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2247656
registers.edi: 1953561104
registers.eax: 2247656
registers.ebp: 2247736
registers.edx: 0
registers.ebx: 4643996
registers.esi: 2147944122
registers.ecx: 2705849662
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$nelb.doc
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$nelb.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$nelb.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
filetype_details Rich Text Format data, version 1, unknown character set filename nelb.doc
Lionic Trojan.MSOffice.ObfsObjDat.3!c
Cynet Malicious (score: 99)
CAT-QuickHeal Exp.RTF.Obfus.Gen
Skyhigh BehavesLike.Trojan.hx
ALYac Exploit.RTF-ObfsObjDat.Gen
VIPRE Exploit.RTF-ObfsObjDat.Gen
Arcabit Exploit.RTF-ObfsObjDat.Gen
Symantec Exp.CVE-2017-11882!g6
TrendMicro-HouseCall Trojan.W97M.REMCOS.YXEFYZ
McAfee RTFObfustream.c!6B9167056AF4
Avast OLE:CVE-2018-0798 [Expl]
Kaspersky HEUR:Exploit.MSOffice.CVE-2018-0802.gen
BitDefender Exploit.RTF-ObfsObjDat.Gen
MicroWorld-eScan Exploit.RTF-ObfsObjDat.Gen
Rising Exploit.Generic!1.EB5C (CLASSIC)
Emsisoft Exploit.RTF-ObfsObjDat.Gen (B)
DrWeb Exploit.CVE-2018-0798.4
TrendMicro Trojan.W97M.REMCOS.YXEFYZ
FireEye Exploit.RTF-ObfsObjDat.Gen
Ikarus Exploit.RTF.Doc
Google Detected
Avira EXP/AVF.CVE.rulse
Kingsoft Win32.Infected.AutoInfector.a
Gridinsoft Trojan.U.FormBook.tr
Microsoft Exploit:O97M/CVE-2017-11882.A!MTB
ZoneAlarm HEUR:Exploit.MSOffice.CVE-2018-0802.gen
GData Exploit.RTF-ObfsObjDat.Gen
Varist CVE1711882
AhnLab-V3 OLE/Cve-2018-0798.Gen
Zoner Probably Heur.RTFObfuscation
MAX malware (ai score=82)
Fortinet MSOffice/CVE_2018_0798.BOR!exploit
AVG OLE:CVE-2018-0798 [Expl]