Analysis Overview
SHA256
9d137fe924afa089e4c80e28c550de9efd8792116c009db22e23ecee16ea74c2
Threat Level: Likely malicious
The file Office.doc was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:45
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:45
Reported
2024-05-26 10:50
Platform
win10-20240404-en
Max time kernel
137s
Max time network
299s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5096-1-0x00007FF960710000-0x00007FF960720000-memory.dmp
memory/5096-2-0x00007FF9A0725000-0x00007FF9A0726000-memory.dmp
memory/5096-0-0x00007FF960710000-0x00007FF960720000-memory.dmp
memory/5096-3-0x00007FF960710000-0x00007FF960720000-memory.dmp
memory/5096-4-0x00007FF960710000-0x00007FF960720000-memory.dmp
memory/5096-7-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-8-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-9-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-11-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-10-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-12-0x00007FF95CC10000-0x00007FF95CC20000-memory.dmp
memory/5096-13-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-14-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-15-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-17-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-18-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-16-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-21-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-22-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-24-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-26-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-27-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-25-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-23-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-20-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-19-0x00007FF95CC10000-0x00007FF95CC20000-memory.dmp
memory/5096-172-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
memory/5096-173-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:45
Reported
2024-05-26 10:50
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
270s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/208-0-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-2-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-1-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-4-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-3-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-6-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-5-0x00007FFDD130D000-0x00007FFDD130E000-memory.dmp
memory/208-9-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp
memory/208-11-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-10-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-8-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-12-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-7-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-13-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp
memory/208-17-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-20-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-21-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-19-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-18-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-16-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-15-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-14-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-36-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
memory/208-50-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-51-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-53-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-52-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
memory/208-54-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-26 10:45
Reported
2024-05-26 10:50
Platform
win11-20240426-en
Max time kernel
101s
Max time network
202s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
memory/4468-1-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-2-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-0-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-3-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-4-0x00007FFEDEAA3000-0x00007FFEDEAA4000-memory.dmp
memory/4468-5-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-6-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-9-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-8-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-7-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-12-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-11-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-10-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-14-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-13-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-16-0x00007FFE9C660000-0x00007FFE9C670000-memory.dmp
memory/4468-17-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-15-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-18-0x00007FFE9C660000-0x00007FFE9C670000-memory.dmp
memory/4468-20-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-19-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-30-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-31-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp
memory/4468-45-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-46-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-48-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-47-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp
memory/4468-49-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp