Managed XDR

vtdl_1759754545_06wvolhg — malware analysis report

File info

Filename
vtdl_1759754545_06wvolhg
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1200, Locale ID: 2052, Author: %, Template: Norm, Last Saved By: 0, Revision Number: 47, Total Editing Time: Sat Jan 13 16:00:00 1900, Create Time/Date: Mon Aug 19 00:45:00 2019, Last Saved Time/Date: Sun Sep 28 07:09:12 2025, Last Printed: Fri Mar 3 06:00:09 2023, Number of Pages: 47, Number of Words: 14709, Number of Characters: 15700, Name of Creating Application: WPS Office_12.1.0.18276_F1E327B, Security: 0
File size
910.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
56e836d8da1b4e2c27d47dbd0dbf5f978fe3395a
SHA256
38f4a27f82b89b66f4e8d28b90c776412b046dd30eed93b8d1c2d8e5b595b5f1
MD5
debf5bf97778e93b984c039d8c5bc1e4

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting the trusted-documents records
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage to obtain window text
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting the trusted-documents records
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage to obtain window text
T1083 checks_recent_files: Attempts to check recently opened files through the registry
T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage to obtain window text

Other

yara_rules: Static rules
office_summary: The document contains suspicious metadata
create_rpc_bindings: Creates RPC connection
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect the graphics card