e824650b...1486

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Downloader

Info_Project_BSV_2019.docm

Word Document

Created at 2019-06-18T08:41:00

VMRay Threat Indicators (10 rules, 14 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	4	-
Local AV detected the sample itself as "VB:Trojan.Emeka.556". ... VTI Actions Go to AV match Go to file details
Local AV detected the embedded file "9e85d5b14d6d482eaa03c358dd0a88cf1fb215f26a872ad11623e7e56042486d" as "VB:Trojan.Emeka.556". ... VTI Actions Go to AV match Go to file details
Local AV detected "Gen:Heur.Ransom.Imps.3" in the PCAP of the analysis. ... VTI Actions Go to AV match
Local AV detected the downloaded file "43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49" as "Gen:Heur.Ransom.Imps.3". ... VTI Actions Go to AV match Go to file details
4/5	Process	Tries to create process	1	-
Creates process "LooCipher.exe". ... VTI Actions Go to Behavior
4/5	Network	Downloads file	1	Downloader
Downloads file via http from "http://hcwyo5rfapkytajg.onion.pet/2hq68vxr3f.exe". ... VTI Actions Go to file details Go to Behavior
3/5	YARA	YARA match	2	-
Rule "VBA_Download_Commands" from ruleset "Generic" has matched on the sample itself. ... VTI Actions Go to YARA match Go to file details
Rule "VBA_Execution_Commands" from ruleset "Generic" has matched on the sample itself. ... VTI Actions Go to YARA match Go to file details
2/5	Network	Connects to HTTP server	1	-
URL "http://hcwyo5rfapkytajg.onion.pet/2hq68vxr3f.exe". ... VTI Actions Go to Behavior
2/5	VBA Macro	Executes macro on specific event	1	-
Executes macro automatically on target "auto" and event "open". ... VTI Actions Go to macro
2/5	VBA Macro	Creates suspicious COM object	1	-
CreateObject("Microsoft.XMLHTTP") ... VTI Actions Go to macro
1/5	Static	Contains suspicious meta data	1	-
Office document contains below average content data. ... VTI Actions Go to file details
1/5	VBA Macro	Contains Office macro	1	-
Office document contains a VBA macro. ... VTI Actions Go to file details
1/5	Static	Contains known suspicious class identifier	1	-
Office document contains suspicious class identifier "{0003000C-0000-0000-C000-000000000046}" with IOCs. ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#81944
MD5	868a06468b0eb6d5e9777681a0cb2afe
SHA1	2551e34c72e928f615aeba3b7c2a099b3adcb84e
SHA256	e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486
SSDeep	384:KS9ASfotpAEi8F1c2OfzHt/PRbeRGNr1aBVJmDm1nTfuUQ:pAtplFDfOdBe4YBZtQ
Filename	Info_Project_BSV_2019.docm
File Size	21.91 KB
Sample Type	Word Document
Has VBA Macros

Analysis Information

Creation Time	2019-06-18 10:41 (UTC+2)
Analysis Duration	00:04:31
Number of Monitored Processes	2
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	4
Number of YARA Matches	2
Termination Reason	Timeout
Tags

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

VMRay Threat Indicators (10 rules, 14 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After