analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

cd.doc

Full analysis: https://app.any.run/tasks/016d6c7a-e4ea-4f65-8abe-2e0e0d4e56e2
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: December 19, 2018, 04:36:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
trojan
formbook
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

550814CA4B9C3C4982EB8B6CF96D6D32

SHA1:

C9140C710735BCE20F43ED942A915CBEEF9F231E

SHA256:

01759673B06D831750C8F4B92690BF252344E64702220DCF3425B84E013C4BA3

SSDEEP:

12288:LZ6WO/LYDIIrPJcZMY5a8iSb0jmZVrxpwLi5C1etVGPLuKIv7w+t7+gSd:LMWMYDRCSYRomZVlGOC8ULuREwEd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2848)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2848)
    • Runs app for hidden code execution

      • cmd.exe (PID: 2968)
      • cmd.exe (PID: 2276)
    • Changes the autorun value in the registry

      • saver.scr (PID: 2688)
      • taskhost.exe (PID: 992)
      • gpfdbc.exe (PID: 2588)
    • Loads dropped or rewritten executable

      • saver.scr (PID: 2688)
      • gpfdbc.exe (PID: 2588)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 2688)
      • saver.scr (PID: 3448)
      • gpfdbc.exe (PID: 2900)
      • gpfdbc.exe (PID: 2588)
    • FORMBOOK was detected

      • explorer.exe (PID: 116)
    • Formbook was detected

      • taskhost.exe (PID: 992)
      • Firefox.exe (PID: 3936)
    • Actions looks like stealing of personal data

      • taskhost.exe (PID: 992)
    • Connects to CnC server

      • explorer.exe (PID: 116)
    • Stealing of credential data

      • taskhost.exe (PID: 992)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 2968)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 3012)
      • taskhost.exe (PID: 992)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3012)
    • Executes scripts

      • cmd.exe (PID: 3012)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 4072)
      • saver.scr (PID: 2688)
      • gpfdbc.exe (PID: 2588)
      • DllHost.exe (PID: 2368)
      • explorer.exe (PID: 116)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 3124)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 3056)
      • cmd.exe (PID: 1764)
      • cmd.exe (PID: 2964)
      • cmd.exe (PID: 4048)
    • Application launched itself

      • cmd.exe (PID: 3012)
      • saver.scr (PID: 2688)
      • gpfdbc.exe (PID: 2588)
    • Creates files in the user directory

      • saver.scr (PID: 2688)
      • taskhost.exe (PID: 992)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3012)
      • saver.scr (PID: 2688)
    • Loads DLL from Mozilla Firefox

      • taskhost.exe (PID: 992)
    • Creates files in the program directory

      • DllHost.exe (PID: 2368)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2848)
      • Firefox.exe (PID: 3936)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 116)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
39
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs cscript.exe cmd.exe no specs cmd.exe no specs taskkill.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs saver.scr cscript.exe no specs saver.scr no specs autochk.exe no specs #FORMBOOK taskhost.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object gpfdbc.exe gpfdbc.exe no specs mstsc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2848"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cd.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
2276"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2740CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3012C:\Windows\system32\cmd.exe /K itnqknf5.CMDC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3512TIMEOUT /T 1C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4072cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs"C:\Windows\system32\cscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2968"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3732CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2264TASkKILL /F /IM winword.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2392reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 577
Read events
1 539
Write events
35
Delete events
3

Modification events

(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:48$
Value:
34382400200B0000010000000000000000000000
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2848) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1301479454
(PID) Process:(2848) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1301479568
(PID) Process:(2848) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1301479569
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
200B000076072E795497D40100000000
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:<:$
Value:
3C3A2400200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:<:$
Value:
3C3A2400200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2848) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
9
Suspicious files
88
Text files
23
Unknown types
5

Dropped files

PID
Process
Filename
Type
2848WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR94B4.tmp.cvr
MD5:
SHA256:
3012cmd.exeC:\Users\admin\AppData\Local\Temp\_.vbstext
MD5:43EBD0B1B7EB3DAC3B11A58FFE168C4D
SHA256:4717A8E0BE23EA0E0FF8766D2A945B32B4BFB61ED0980176E658C36D8611DA53
4072cscript.exeC:\Users\admin\AppData\Local\Temp\saver.screxecutable
MD5:57D5DA1A6B88ED93D8A9D63EED04BA21
SHA256:21932129B357ACFF8419F351DA51A622F415534125E12E1DC559129478B59C7A
2848WINWORD.EXEC:\Users\admin\AppData\Local\Temp\itnqknf5.cmdtext
MD5:809008091D1A97923ADCFD8188489CA4
SHA256:7AEAF0C3AE303BC6796EF769AB685E4BB4A6867DA6201201AE108632D47C06E0
2848WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:82B9FF266C32B59B1FC2A0C40B975FBD
SHA256:5B4F3EFCCDF4F09343E6C01FABC4E51BD7D8CE4EDC5D7F72D6626890903C04AC
2848WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cd.doc.rtfpgc
MD5:60CCCF8BDADE90C48F999776027D63F6
SHA256:B59D317DE87C4358B7015B665F0715E8B31A7A37FFFC3E9B40129B4640AA83D8
4072cscript.exeC:\Users\admin\AppData\Local\Temp\gondi.docdocument
MD5:6D646154A16C0B67E529FAEF7024D13A
SHA256:A653641F1B7AF9CFD8CF0E8066DB3553B21BF302A218A006E32FC18CE3C7F5FA
2848WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E01AAB1-1ADC-47F5-92E6-AAD077A32D9B}.tmpbinary
MD5:E28EA641AC312FB81EB57E61775EE97C
SHA256:82441DB1E7C5E3BBDA68BBAE176AC0E5C77D56175600E08E6CE8304B34A8D850
2848WINWORD.EXEC:\Users\admin\AppData\Local\Temp\a.ScTxml
MD5:EB9FF44721B8DD4713C5F2DB0D968A79
SHA256:2D4F0C2212697F95BB79D33BD56C32A44CACBC900B385FD0D4C651D93BEA614F
2688saver.scrC:\Users\admin\AppData\Local\Temp\OneNoteSplashLogo.scale-125.pngimage
MD5:129BFC9FEB1BEE216B11B78416071DCA
SHA256:F1A20720DF222AFA388AB8FC6BC35005FB34306DC829905FEC74BA8A58ECAB33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
17
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
explorer.exe
GET
301
185.230.62.177:80
http://www.blendboxstudio.com/we/?GzvH-=hOlERaQLxawhalKXXyHwSJ/xFFireJaCBhjNTnWIHNDPnDnvaH97/ALRgnGsicf35EDmYA==&Ann=oJd0DhCpQ&sql=1
unknown
malicious
116
explorer.exe
GET
302
23.20.239.12:80
http://www.rumorifuoriscena.com/we/?GzvH-=dGDvuN42HXwGX2WfRCmCjzQ2facEWj4R6u3602g2eEhqaAPES4+WplH/VYuWN9S0vgo1CQ==&Ann=oJd0DhCpQ&sql=1
US
html
192 b
shared
116
explorer.exe
POST
185.230.62.177:80
http://www.blendboxstudio.com/we/
unknown
malicious
116
explorer.exe
POST
23.20.239.12:80
http://www.rumorifuoriscena.com/we/
US
shared
116
explorer.exe
POST
23.20.239.12:80
http://www.rumorifuoriscena.com/we/
US
shared
116
explorer.exe
POST
185.230.62.177:80
http://www.blendboxstudio.com/we/
unknown
malicious
116
explorer.exe
POST
185.230.62.177:80
http://www.blendboxstudio.com/we/
unknown
malicious
116
explorer.exe
POST
23.20.239.12:80
http://www.rumorifuoriscena.com/we/
US
shared
116
explorer.exe
GET
404
192.64.114.224:80
http://www.cravlop.com/we/?GzvH-=wTmcjo91+zBok5inC8oUfxpssPSx6OXgLNMKUqegHYAO5/ocGOpXO1mFVoGHqgoJ1vwSdg==&Ann=oJd0DhCpQ
US
html
326 b
malicious
116
explorer.exe
GET
301
139.219.4.4:80
http://www.xsjrwang.com/we/?GzvH-=cG9i7O39eAxPhzHnxqh7VOCTm6FwoUgyZ1tjZXNfyCGNSlFo8PUkxF5zejwHzLNWfTpx8A==&Ann=oJd0DhCpQ&sql=1
CN
html
258 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
116
explorer.exe
185.230.62.177:80
www.blendboxstudio.com
malicious
116
explorer.exe
192.64.114.224:80
www.cravlop.com
Namecheap, Inc.
US
malicious
116
explorer.exe
23.20.239.12:80
www.rumorifuoriscena.com
Amazon.com, Inc.
US
shared
116
explorer.exe
139.219.4.4:80
www.xsjrwang.com
Microsoft (China) Co., Ltd.
CN
malicious
116
explorer.exe
194.58.112.174:80
www.mgok.online
Domain names registrar REG.RU, Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
www.cravlop.com
  • 192.64.114.224
malicious
www.blendboxstudio.com
  • 185.230.62.177
malicious
www.angbaiwai.com
unknown
www.rumorifuoriscena.com
  • 23.20.239.12
shared
www.msmaids.com
unknown
www.whatsexpo.com
unknown
www.mgok.online
  • 194.58.112.174
malicious
www.xsjrwang.com
  • 139.219.4.4
malicious
www.nehainc.com
unknown

Threats

PID
Process
Class
Message
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
13 ETPRO signatures available at the full report
No debug info