Threat Analysis Report: Hash Values File Details Environment

McAfee Advanced Threat Defense
| Threat Analysis Report
File Name SPIDER.doc Threat Level ⬤ 5 - Very High
Malware Name TYPE_TROJAN Engine GTI File Reputation
File Submitted 2021-04-13 01:36:10 UTC Processing Time 154 seconds
File Size 51,712 bytes Sandbox Replication 146 seconds
Show More Hash Values File Details Environment
MD5 Hash Identifier 5B24E7C884880A7ABDD53975AF2E565E
SHA-1 Hash Identifier 62295E55C573B30847235B69837153CB109B267E
SHA-256 Hash
7D72F078EE28B94396B051CEC47E57B665A205C09D8772E8FD631CC9ABB7DE64
Identifier
Screenshots 19
Hide hash values
File Type F
Hide file details
Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit
Windows® Internet Explorer version: 8.0.7601.17514
Microsoft Office version: 2007
PDF Reader version: 11.0
No Flash player installed
Flash player plugin version: 22.0.0.209
Platform Version 4.12.0.7
Detection Package Version 4.12.0.201112
Hide environment
Behavior Classification
Behavior Severity
Exploiting, Shellcode ⬤ 2 - Low
Detected scripting content embedded in the sample ⬤ 2 - Low
⬤ 1-
Offile file contains VBA code
Informational
Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 1 - Informational
⬤ 1-
office file Spawns printer spooler
Informational
⬤ 1-
Informational
⬤ 1-
Changed the protection attribute of the process
Informational
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 1 - Informational
Retrieved system information such as Processor Architecture,Number ⬤ 1-

Processors,Processor Type Informational
Processors,Processor Type Informational
⬤ 1-
Informational
⬤ 1-
Disabled attach/detach notifications from dynamic link library
Informational
⬤ 1-
Contained long sleep
Informational
Spreading ⬤ 1 - Informational
⬤ 1-
Informational
Persistence, Installation Boot Survival ⬤ 1 - Informational
⬤ 1-
Informational
Networking ⬤ 1 - Informational
⬤ 1-
Informational
Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 1 - Informational
⬤ 1-
Informational
⬤ 1-
Contained long sleep
Informational
Processes Analyzed
Name Reason Severity
SPIDER.doc loaded by MATD Analyzer & dropped by SPIDER.doc ⬤ 2 - Low
splwow64.exe executed by winword ⬤ Unverified
Timeline Activity
Processes Files Registry Operations Network Operations Multiple Operations
Select Any Area to Zoom In
SPIDER.doc
s plwow64.exe
0 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108 114 120 126 132

Offset in seconds
Jump to Timeline Details
Timeline Activity Details
Time Offset Event Details
Process Operations, Obtained the contents of the specified variable from the environment block of the
Process Operations, Obtained the contents of the specified variable from the environment block of the
00:00:000
miscellaneous calling process
00:00:000 Others Initialized a critical section object and set the spin count for the critical section
File Operations,
00:00:016 Retrieved the full path for the module
miscellaneous
File Operations,
00:00:016 Obtained the path of the Windows system directory
miscellaneous
Process Operations, Changed the protection attribute of process address: 0x2f9d1634, new attribute:
00:00:016
miscellaneous Execute_Read
Process Operations, Changed the protection attribute of process address: 0x2f9d1634, new attribute:
00:00:016
miscellaneous Execute_ReadWrite
Process Operations, Retrieved information on a specific string in the current activation context
00:00:016
miscellaneous
HKLM\Software\Microsoft\.NETFramework
00:00:172 Registry Read
UseLegacyV2RuntimeActivationPolicyDefaultValue
File Operations,
00:00:172 Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous
OnlyUseLatestCLR
File Operations,
00:00:172 Obtained a set of FAT file system attributes for a file or directory
miscellaneous
InstallRoot
00:00:172 Files Read C:\Windows\Microsoft.NET\Framework\
00:00:172 Registry Opened HKLM\Software\Microsoft\.NETFramework
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config

Read
00:00:172 Files Opened
Normal
C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll
20000
00:00:172 Files Opened 10000000
C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll
20000
10000000
20000
10000000
20000
10000000
20000
10000000
20000
10000000
20000
10000000
00:00:172 Registry Opened HKCU\Software\Microsoft\.NETFramework
00:00:188 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
00:00:188 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\Fusion
NoClientChecks
00:00:188 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727
Registry Operations, Enumerated the values for an open registry key

00:00:188
miscellaneous
00:00:281 Others Retrieved the current local date and time
c:\windows\splwow64.exe
00:00:328 Process Created c:\windows\splwow64.exe 12288
Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:00:344 Others
format
File Operations,
00:00:344 Retrieved the full path for the module
miscellaneous
00:00:344 Registry Opened HKLM\System\CurrentControlSet\Control\Print
ffcea838
00:00:344 Thread Created
ffce6cd8
HKLM\System\CurrentControlSet\Control\Print
SplWOW64TimeOut
ffceaa2c
00:00:344 Others Obtained information about an access token
00:00:344 Others Initialized a critical section object and set the spin count for the critical section
Converted a string-format security descriptor into a valid, functional security

00:00:344 Others
descriptor
Process Operations,
00:00:344 Enabled an application to supersede the top-level exception handler
miscellaneous
00:00:344 Signal Objects ffffffff
Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
00:00:344
miscellaneous interval elapses
Process Operations,
00:00:344 Retrieved the Remote Desktop Services session
miscellaneous
Process Operations,
00:00:344 Opened the access token associated with a process
miscellaneous
Process Operations,
00:00:344 Opened the access token associated with a thread
miscellaneous
{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
00:00:422 Process Created
{FA445657-9379-11D6-B41A-00065B83EE53}
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Write
00:00:485 Files Created
Hidden
Files Created
Hidden
Process Operations,
00:00:485 Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
{88D969EF-F192-11D4-A65F-0040963251E5}
C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc
Write
Hidden
{33C53A50-F456-4884-B049-85FD643ECFED}
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\969ae5dd-c456-
00:01:485 Files Deleted
4286-9c17-cf55f0ac7213.LNK
00:01:766 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\afkadfzmhi.LNK
Process Operations,
00:02:062 Obtained the identifier of the thread or process that created the specified window
miscellaneous
00:02:062 Others Retrieved information about a locale specified by a identifier
File Operations,
00:02:062 Obtained the current directory for the current process
miscellaneous
00:02:062 Registry Opened HKCR\Licenses
00:02:078 Others Obtained the system metric or system configuration setting
00:02:094 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors
HKCU\Software\Microsoft\VBA\6.0\Common
CompileOnDemand
NotifyUserBeforeStateLoss
BreakOnServerErrors
BreakOnAllErrors
BackGroundCompile
RequireDeclaration
Enumerated registry keys

File Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or
00:02:109
miscellaneous network drive
00:02:109 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common

00:02:109 Registry Opened HKCR\TypeLib
00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}
00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4
00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0
00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32
00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
File Operations,
00:02:125 Searched a directory for the name: Normal
miscellaneous
00:02:141 Process Created C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE
00:02:625 Process Created C:\AFKADFZMHI\EXCEL.EXE
00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32
00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0
00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}
00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0
00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32
Directories C:\Users\ADMINI~1\AppData\Local\Temp\VBE
00:03:500
Created/Opened
00:03:500 Files Read Normal
File Operations,
00:03:500 Retrieved the path of the directory designated for temporary files
miscellaneous
65001f64
SyntaxChecking
FullModuleView
IndicatorBar
00:04:265 Registry Read AutoValueTips2
EndProcLine
DragDropInEditor
AutoIndent
AutoQuickTips2
AutoStatement2
OBGroupMembers
OBSearchHeight
IndicatorColors
FontCharSet
TabWidth
FontHeight
FontFace
00:04:281 Others Retrieved an integer from a key in a section of the Win.ini file
CodeForeColors
CodeBackColors
ShowToolTips
ShowGrid
SaveBeforeRun
AlignToGrid
MdiMaximized
00:04:296 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common
GridWidth
00:04:296 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common

GridHeight
ReadOnlyMode
BackgroundProjectLoad
UpgradeVBX
CollapseWindows
FolderView
Tool
PropertiesWindow
Dock
UI
CtlsShowSelected
00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\VBE\6.0\Addins
00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls
00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\Designers
DsnShowSelected
MainWindow
Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:04:438 Others
format
HKLM\Software\Microsoft\Windows\Help
VbLR6.chm
HKLM\Software\Microsoft\Windows\HTML Help
VbLR6.chm
00:04:485 Registry Opened HKLM\Software\Microsoft\Windows
00:04:485 Registry Opened HKLM\Software\Microsoft\Windows\HTML Help
00:04:485 Registry Opened HKLM\Software\Microsoft\Windows\Help
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
HKCU\Software\Microsoft\Shared Tools\Proofing
02:11:953 Registry Created
Tools\Grammar\MSGrammar\3.0\1033
02:11:953 Registry Created Tools\Grammar\MSGrammar\3.0\1033\Option Set 0
02:11:953 Registry Created
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1
02:11:953 Others Recorded system information
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Name
02:11:953 Registry Modified
Grammar Only
REG_SZ
Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Data
1010101
REG_BINARY
Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Name
Grammar & Style
REG_SZ
Process Operations, Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the
02:11:953
miscellaneous dynamic-link library
Tools\Grammar\MSGrammar\3.0\1033\Options Version
1
REG_DWORD
02:11:953 Registry Read Tools\Grammar\MSGrammar\3.0\1033
Options Version
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Data
1010101
REG_BINARY
C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX

Read
Normal
02:11:985 Memory Mapped Files Created a file that can be used for memory mapping
02:11:985 Registry Opened HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.Word\~WRS{0AF513FD-F7A4-44FB-80CB-0C4B210861A4}.tmp
02:13:610 Files Deleted C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc
02:13:641 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow
02:13:688 Registry Modified 8 8 180 400 1
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\UI
02:13:735 Registry Modified 68
REG_BINARY
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip
Write
8100000
HKCU\Software\Microsoft\VBA\6.0\Common\Tool
REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow
02:13:735 Registry Modified 0 0 800 560 1
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\FolderView
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Dock
02:13:735 Registry Modified 14C0002
REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected
REG_SZ
Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
02:13:875
miscellaneous interval elapses
02:13:953 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Files\Content.Word\~WRS{C194387D-76DB-465D-A9CD-C73D5006B5D2}.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip
Write
8100000
Files\Content.Word\~WRF{7667F9FE-3D76-4014-84A1-480F8BC70EE1}.tmp
02:14:016 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD699.tmp.cvr
02:14:016 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\54937.od
Engine Analysis
Engine Threat Name Severity
GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High
GTI URL Reputation
Gateway Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High
Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High
YARA
Custom Rules
Sandbox ⬤ 2 - Low
Final ⬤ 5 - Very High
Sample is malicious: final severity level 5
Embedded/Dropped content
MD5 Name Category
126AACB44244697509482C60C8556D40 969ae5dd-c456-4286-9c17-cf55f0ac7213.vba * ---
516A986528AB3D16514FA983B0EA4CF7 VB12.pip * ---
36A5B5B1F0AC95E51AB417DD0D4BBF8D Word12.pip * ---
* Attachments were extracted from the sample file and stored in the dropfiles.zip
Screenshots
Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample
Images: 19
21246.jpg
216f9.jpg
26528.jpg
2931e.jpg
2a31c.jpg
1020e.jpg
2d140.jpg
28e6b.jpg
2bc8f.jpg
1122b.jpg
269db.jpg
2550b.jpg
f57b.jpg
279ca.jpg
27e7d.jpg
2a7cf.jpg
2cc7d.jpg
2b7dc.jpg
e52f.jpg
SPIDER.doc
Run-Time Dlls: 8
api-ms-win-appmodel-runtime-l1-1-0.dll
vbe6intl.dll
comctl32.dll
oleaut32.dll
shlwapi.dll
vbe6.dll
version.dll
wwlib.dll
wwlib.dll
File Operations: 36
Files Created
File Name Access Mode File Attributes
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip Write 8100000
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip Write 8100000
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Write Hidden
C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc Write Hidden
Files Opened
File Name Access Mode File Attributes
C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX Read Normal
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config Read Normal
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000
Files Deleted
C:\Users\ADMINI~1\AppData\Local\Temp\54937.od
C:\Users\ADMINI~1\AppData\Local\Temp\CVRD699.tmp.cvr
C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7667F9FE-3D76-4014-84A1-

480F8BC70EE1}.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0AF513FD-F7A4-44FB-80CB-

0C4B210861A4}.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C194387D-76DB-465D-A9CD-

C73D5006B5D2}.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\969ae5dd-c456-4286-9c17-cf55f0ac7213.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\afkadfzmhi.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc
Files Read
C:\Windows\Microsoft.NET\Framework\
C:\Windows\Microsoft.NET\Framework\v2.0.50727
Normal
Directories Created/Opened
New Directory Template Directory
C:\Users\ADMINI~1\AppData\Local\Temp\VBE
Memory Mapped Files
Created a file that can be used for memory mapping
Other
Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
Obtained a set of FAT file system attributes for a file or directory
Obtained the current directory for the current process
Obtained the path of the Windows system directory
Retrieved the full path for the module
Retrieved the path of the directory designated for temporary files
Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
Searched a directory for the name: Normal
Registry Operations: 108
Registry Created
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 0
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 1
Registry Opened
HKCR\Licenses
HKCR\TypeLib
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32
HKCU\Software\Microsoft\.NETFramework
HKCU\Software\Microsoft\VBA\6.0\Common\Designers
HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls
HKCU\Software\Microsoft\VBA\VBE\6.0\Addins
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\VBA\Monitors
HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0
HKLM\Software\Microsoft\Windows
HKLM\Software\Microsoft\Windows\HTML Help
HKLM\Software\Microsoft\Windows\Help
Registry Modified
Key NewValue Type
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option
Set 0\Data 1010101 REG_BINARY
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Grammar &

REG_SZ
Set 0\Name Style

1010101 REG_BINARY
Set 1\Data

Grammar Only REG_SZ
Set 1\Name
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Options

1 REG_DWORD
Version
HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Dock 14C0002 REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\FolderView 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow 0 0 800 560 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow 8 8 180 400 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Tool 0 REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\UI 68 REG_BINARY
Registry Read
Enumerated registry keys

Options Version
Tools\Grammar\MSGrammar\3.0\1033
HKCU\Software\Microsoft\VBA\6.0\Common AlignToGrid
HKCU\Software\Microsoft\VBA\6.0\Common AutoIndent
HKCU\Software\Microsoft\VBA\6.0\Common AutoQuickTips2
HKCU\Software\Microsoft\VBA\6.0\Common AutoStatement2
HKCU\Software\Microsoft\VBA\6.0\Common AutoValueTips2
HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile
HKCU\Software\Microsoft\VBA\6.0\Common BackgroundProjectLoad
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors
HKCU\Software\Microsoft\VBA\6.0\Common CodeBackColors
HKCU\Software\Microsoft\VBA\6.0\Common CodeForeColors
HKCU\Software\Microsoft\VBA\6.0\Common CollapseWindows
HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand
HKCU\Software\Microsoft\VBA\6.0\Common CtlsShowSelected
HKCU\Software\Microsoft\VBA\6.0\Common Dock
HKCU\Software\Microsoft\VBA\6.0\Common DragDropInEditor
HKCU\Software\Microsoft\VBA\6.0\Common DsnShowSelected
HKCU\Software\Microsoft\VBA\6.0\Common EndProcLine
HKCU\Software\Microsoft\VBA\6.0\Common FolderView
HKCU\Software\Microsoft\VBA\6.0\Common FontCharSet
HKCU\Software\Microsoft\VBA\6.0\Common FontFace
HKCU\Software\Microsoft\VBA\6.0\Common FontHeight
HKCU\Software\Microsoft\VBA\6.0\Common FullModuleView
HKCU\Software\Microsoft\VBA\6.0\Common GridHeight
HKCU\Software\Microsoft\VBA\6.0\Common GridWidth
HKCU\Software\Microsoft\VBA\6.0\Common IndicatorBar
HKCU\Software\Microsoft\VBA\6.0\Common IndicatorColors
HKCU\Software\Microsoft\VBA\6.0\Common MainWindow
HKCU\Software\Microsoft\VBA\6.0\Common MdiMaximized
HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss
HKCU\Software\Microsoft\VBA\6.0\Common OBGroupMembers
HKCU\Software\Microsoft\VBA\6.0\Common OBSearchHeight
HKCU\Software\Microsoft\VBA\6.0\Common PropertiesWindow
HKCU\Software\Microsoft\VBA\6.0\Common ReadOnlyMode
HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration
HKCU\Software\Microsoft\VBA\6.0\Common SaveBeforeRun
HKCU\Software\Microsoft\VBA\6.0\Common ShowGrid
HKCU\Software\Microsoft\VBA\6.0\Common ShowToolTips
HKCU\Software\Microsoft\VBA\6.0\Common ShowToolTips
HKCU\Software\Microsoft\VBA\6.0\Common SyntaxChecking
HKCU\Software\Microsoft\VBA\6.0\Common TabWidth
HKCU\Software\Microsoft\VBA\6.0\Common Tool
HKCU\Software\Microsoft\VBA\6.0\Common UI
HKCU\Software\Microsoft\VBA\6.0\Common UpgradeVBX
HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks
HKLM\Software\Microsoft\.NETFramework InstallRoot
HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR
HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\Windows\HTML Help VbLR6.chm
HKLM\Software\Microsoft\Windows\Help VbLR6.chm
Other
Enumerated the values for an open registry key
Process Operations: 21
Process Created
Process Name Module
C:\AFKADFZMHI\EXCEL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE
c:\windows\splwow64.exe c:\windows\splwow64.exe 12288
{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{33C53A50-F456-4884-B049-85FD643ECFED}
{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
{88D969EF-F192-11D4-A65F-0040963251E5}
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
{FA445657-9379-11D6-B41A-00065B83EE53}
Thread Created
65001f64
Other
Changed the protection attribute of process address: 0x2f9d1634, new attribute: Execute_Read
Changed the protection attribute of process address: 0x2f9d1634, new attribute: Execute_ReadWrite
Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the dynamic-link library
Initialized COM library for the current thread and set it in the concurrency mode
Obtained the contents of the specified variable from the environment block of the calling process
Obtained the identifier of the thread or process that created the specified window
Retrieved information on a specific string in the current activation context

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
Other Operations: 7
Others
Initialized a critical section object and set the spin count for the critical section
Obtained the current system date and time in in Coordinated Universal Time (UTC) format
Obtained the system metric or system configuration setting
Recorded system information
Retrieved an integer from a key in a section of the Win.ini file
Retrieved information about a locale specified by a identifier
Retrieved the current local date and time
McAfee Active Response
Status: Product is not Available
© 2020 McAfee, LLC. All rights reserved.

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Threat Analysis Report: Hash Values File Details Environment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Threat Analysis Report: Hash Values File Details Environment

Uploaded by

Copyright:

Available Formats

McAfee Advanced Threat Defense

| Threat Analysis Report

File Name SPIDER.doc Threat Level ⬤ 5 - Very High

Malware Name TYPE_TROJAN Engine GTI File Reputation

File Submitted 2021-04-13 01:36:10 UTC Processing Time 154 seconds

File Size 51,712 bytes Sandbox Replication 146 seconds

Show More Hash Values File Details Environment

MD5 Hash Identifier 5B24E7C884880A7ABDD53975AF2E565E

SHA-1 Hash Identifier 62295E55C573B30847235B69837153CB109B267E

Hide hash values

Hide file details

Windows® Internet Explorer version: 8.0.7601.17514

Microsoft Office version: 2007

PDF Reader version: 11.0

No Flash player installed

Flash player plugin version: 22.0.0.209

Platform Version 4.12.0.7

Detection Package Version 4.12.0.201112

Exploiting, Shellcode ⬤ 2 - Low

Detected scripting content embedded in the sample ⬤ 2 - Low

Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 1 - Informational

Retrieved system information such as Processor Architecture,Number ⬤ 1-

Persistence, Installation Boot Survival ⬤ 1 - Informational

Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 1 - Informational

Name Reason Severity

SPIDER.doc loaded by MATD Analyzer & dropped by SPIDER.doc ⬤ 2 - Low

splwow64.exe executed by winword ⬤ Unverified

Processes Files Registry Operations Network Operations Multiple Operations

Select Any Area to Zoom In

0 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108 114 120 126 132

Jump to Timeline Details

Timeline Activity Details

Time Offset Event Details

00:00:172 Files Read C:\Windows\Microsoft.NET\Framework\

00:00:172 Registry Opened HKLM\Software\Microsoft\.NETFramework

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config

00:00:188 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

00:00:188 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion

00:00:188 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

Registry Operations, Enumerated the values for an open registry key

00:00:281 Others Retrieved the current local date and time

00:00:344 Registry Opened HKLM\System\CurrentControlSet\Control\Print

00:00:344 Thread Created

00:00:344 Others Obtained information about an access token

Converted a string-format security descriptor into a valid, functional security

00:00:344 Signal Objects ffffffff

00:01:766 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\afkadfzmhi.LNK

00:02:062 Others Retrieved information about a locale specified by a identifier

00:02:062 Registry Opened HKCR\Licenses

00:02:078 Others Obtained the system metric or system configuration setting

00:02:094 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors

Enumerated registry keys

00:02:109 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409

00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9

00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}