Performs some HTTP requests Show sources
| network_url | http://canyoning-austria.at/dashost |
Generates some ICMP traffic
Martian Subprocess Started By Office Process Show sources
| office_martian | c:\windows\syswow64\msiexec.exe |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | msiexec.exe, PID 2508 |
The office file has a unconventional code page: ANSI Cyrillic; Cyrillic (Windows)
The office file has a macro. Show sources
| malicious_author | The file appears to have been created by a known fake author indicative of an automated document creation kit. |
| numerical_last_saved | The file was last saved by a numerical author rather than a word/name indicative of an automated document creation kit. |