Summary | ZeroBOX

iden.doc

Tags: VBA_macro, Generic Malware, Malicious Library, UPX, Anti_VM, PE64, MSOffice File, PE File, OS Processor Check
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 9, 2024, 3:49 p.m.
Completed: Aug. 9, 2024, 3:51 p.m.
Size: 1.9MB
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: user1, Template: Normal.dotm, Last Saved By: user1, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 28:00, Create Time/Date: Tue May 21 11:39:00 2024, Last Saved Time/Date: Tue May 21 12:08:00 2024, Number of Pages: 2, Number of Words: 5, Number of Characters: 32, Security: 0
MD5: 1ee73b17111ab0ffb2f62690310f4ada
SHA256: 31300645371f90f83ca6aa058503fa7c2ba386f496ac181a6b287ba7ba1ea10e
CRC32: E2275632
ssdeep: 24576:j1NDbbUMbRNjy8lZ2UFRTHD/mrM1e6sBiNhaYQBFq:vDbJbvjynUyCpx
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Generic_Malware_Zero - Generic Malware

Domains (Name | Response | Post-Analysis Lookup): No hosts contacted.
IP addresses (IP Address | Status | Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Memory API calls. Every call below shares the same arguments: process_identifier 2548, process_handle 0xffffffff, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0. The trailing columns are Status, Return and Repeated.

Time & API | base_address | length / region_size | allocation_type | Status | Return | Repeated
NtProtectVirtualMemory | 0x65001000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6e0f1000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6e145000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6e521000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6e0c1000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6dec1000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6dec4000 | length: 4096 | - | 1 | 0 | 0
NtProtectVirtualMemory | 0x6deb1000 | length: 4096 | - | 1 | 0 | 0
NtAllocateVirtualMemory | 0x06d40000 | region_size: 4096 | 4096 (MEM_COMMIT) | 1 | 0 | 0
NtAllocateVirtualMemory | 0x06d40000 | region_size: 4096 | 4096 (MEM_COMMIT) | 1 | 0 | 0
NtAllocateVirtualMemory | 0x06d50000 | region_size: 4096 | 4096 (MEM_COMMIT) | 1 | 0 | 0
NtAllocateVirtualMemory | 0x07ce0000 | region_size: 4096 | 4096 (MEM_COMMIT) | 1 | 0 | 0
NtProtectVirtualMemory | 0x507c1000 | length: 4096 | - | 1 | 0 | 0
file: C:\Users\test22\AppData\Local\Temp\~$iden.doc

Time & API: NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$iden.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$iden.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1 | Return: 0 | Repeated: 0
com_class: Scripting.FileSystemObject (May attempt to write one or more files to the hard disk)
cve: CVE-2013-3906
parent_process: winword.exe | martian_process: C:\\Users\\Public\\Documents\\MicrosoftWordUpdater.log
file: C:\Users\Public\Documents\MicrosoftWordUpdater.log
Antivirus engine | Detection
Bkav | W32.Common.3AD25B27
Lionic | Trojan.MSWord.ObfDldr.b!c
Cynet | Malicious (score: 99)
Skyhigh | BehavesLike.OLE2.Suspicious.tg
ALYac | Trojan.Downloader.DOC.Gen
VIPRE | VBA.Heur2.ObfDldr.9.01CA8320.Gen
Arcabit | VBA.Heur2.ObfDldr.9.01CA8320.Gen
Symantec | ISB.Downloader!gen433
Elastic | malicious (high confidence)
ESET-NOD32 | Win64/Agent.DZF
Avast | VBA:Downloader-BMF [Trj]
Kaspersky | HEUR:Trojan-Dropper.MSOffice.SDrop.gen
BitDefender | VBA.Heur2.ObfDldr.9.01CA8320.Gen
NANO-Antivirus | Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan | VBA.Heur2.ObfDldr.9.01CA8320.Gen
Rising | Trojan.Agent!8.B1E (TOPIS:E0:rYd0cec0tnN)
Emsisoft | VBA.Heur2.ObfDldr.9.01CA8320.Gen (B)
F-Secure | Malware.W97M/AVA.Downloader.lwxgm
TrendMicro | HEUR_VBA.O2
FireEye | VBA.Heur2.ObfDldr.9.01CA8320.Gen
Ikarus | VBA.ObfDldr
Google | Detected.Heuristic.Script
Avira | W97M/AVA.Downloader.lwxgm
MAX | malware (ai score=89)
Antiy-AVL | Trojan[Downloader]/MSOffice.Agent
Microsoft | Trojan:Win32/Leonem
ZoneAlarm | HEUR:Trojan-Dropper.MSOffice.SDrop.gen
GData | VBA.Heur2.ObfDldr.9.01CA8320.Gen
Varist | ABRisk.ZIZZ-
AhnLab-V3 | Trojan/DOC.Agent
Acronis | suspicious
TACHYON | Suspicious/W97M.DRP.Gen
Tencent | Trojan.MsOffice.MacroS.11030723
Fortinet | VBA/Dloader.BMF!tr
AVG | VBA:Downloader-BMF [Trj]
alibabacloud | Trojan[dropper]:MSOffice/SDrop.gyf
Heap spray signature hits (name: heapspray). Every row is in process WINWORD.EXE with protection PAGE_READWRITE; length is the size of each sprayed allocation in bytes.

count | total_mb | length (bytes)
2048 | 1096 | 561152
512 | 220 | 450560
2048 | 1032 | 528384
2048 | 1208 | 618496
512 | 232 | 475136
2048 | 1072 | 548864
1345 | 236 | 184320
2051 | 1121 | 573440
897 | 115 | 135168
2048 | 1104 | 565248
2048 | 1192 | 610304
512 | 230 | 471040
448 | 108 | 253952
1336 | 203 | 159744
896 | 108 | 126976
1044 | 668 | 671744
2048 | 1296 | 663552
448 | 126 | 294912
512 | 226 | 462848
448 | 105 | 245760
896 | 129 | 151552
2048 | 1232 | 630784
294 | 89 | 319488
448 | 106 | 249856
2048 | 1160 | 593920
1344 | 262 | 204800
2048 | 1280 | 655360
449 | 103 | 241664
2048 | 1272 | 651264
2048 | 1216 | 622592
896 | 196 | 229376
2048 | 1264 | 647168
2048 | 1064 | 544768
512 | 222 | 454656
448 | 133 | 311296
385 | 175 | 479232
449 | 121 | 282624
1344 | 220 | 172032
1344 | 252 | 196608
897 | 199 | 233472
2048 | 1128 | 577536
897 | 105 | 122880
2048 | 1136 | 581632
512 | 218 | 446464
448 | 115 | 270336
448 | 131 | 307200
1345 | 210 | 163840
900 | 189 | 221184
448 | 119 | 278528
2048 | 1248 | 638976