Analysis
max time kernel: 143s
max time network: 36s
platform: windows7_x64
resource: win7v200430
submitted: 07-07-2020 06:53
Static task: static1
Behavioral task: behavioral1
Sample: 308P.rtf
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: 308P.rtf
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: 308P.rtf
Size: 1.4MB
MD5: 2ef8dbe494ce10bbf5a1a85f55bb1030
SHA1: c72178d6343f8806e41d49c61e07fb7e4ae80dfb
SHA256: 1e2f23f0bcac6ae9e9fb7febe74b2a4bb0ccf9a08bee3b95254a6b2e4973eb91
SHA512: bba145a5c3042b3cff3ebc617f0083e4ec62f343583f4dccacde774535c5aaf4788238a2bae1859646b50fe6a81ccaa41ef031b1c9812b1b3de0a606df728628
Score: 7/10
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE (PID 1520)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE (PID 1520), WINWORD.EXE (PID 1520)
Loads dropped DLL (1 IoC)
Processes: EQNEDT32.EXE (PID 1056)
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Office loads VBA resources, possible macro or embedded object present
Processes
Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\308P.rtf"
PID: 1520
Signatures:
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
PID: 1056
Signatures:
- Loads dropped DLL
- Launches Equation Editor