analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

146.docm

Full analysis: https://app.any.run/tasks/b4029050-4da1-42d6-910e-45a71c64ba88
Verdict: Malicious activity
Analysis date: July 17, 2019, 01:13:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

B55C28349C111463DA187DD0E830E199

SHA1:

E7952E5CF9E858CD3094F4FA00EB3F02071B035A

SHA256:

0638C9A9267AC5818137D9BD6D97F8AC1DA0D161908845B5DC33B6E27E3551E1

SSDEEP:

6144:RQFUhNhzdRhFuTl1KF/VYFf54ylMdapcn:GSVdRjuTl1udYFfDlcN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3696)

    • Executes scripts

      • WINWORD.EXE (PID: 3696)

  • SUSPICIOUS

    • Creates files in the user directory

      • notepad++.exe (PID: 3744)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3696)

    • Manual execution by user

      • notepad++.exe (PID: 3744)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xc6337d17
ZipCompressedSize: 501
ZipUncompressedSize: 2645
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 68
Words: 99869
Characters: 569256
Application: Microsoft Office Word
DocSecurity: None
Lines: 4743
Paragraphs: 1335
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 667790
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: -
RevisionNumber: 1
CreateDate: 2019:07:08 09:55:00Z
ModifyDate: 2019:07:15 10:02:00Z

XMP

Creator: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe no specs notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
3696"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\146.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
4056"C:\Windows\System32\wscript.exe" /e:JScript "C:\Users\admin\Desktop\146.~"C:\Windows\System32\wscript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3744"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\146 - Copy.~"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
3716"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Total events
1 126
Read events
766
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
12
Unknown types
4

Dropped files

PID
Process
Filename
Type
3696WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD031.tmp.cvr
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD80AD5D.png
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9A063965-884D-42B4-8CF4-A8A7CFBF4876}.tmp
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{832A124F-E3E9-4238-A43D-3C125630C3D1}.tmp
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{252419AA-8426-4954-909D-CDDB4ED0A780}.tmp
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{39343849-2D83-4FEB-BACD-9169468208D9}.tmp
MD5:
SHA256:
3696WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:D21FF9430787AA1B1FDD20FA6F956EC0
SHA256:4F73DCB9455EA0F27F310C2B5ACE7C58D47A681B63B43DF97D0D18D8559930F5
3696WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:785A5854CADC9A8E063A80B8DC7ECB59
SHA256:BC0E4C5392AC1E325E5876D757B2BED77979942B91BDD8FFD2B288806D8C3BAC
3696WINWORD.EXEC:\Users\admin\Desktop\146.~text
MD5:8BCB3322E82D4DE8E30D09F1B5CEF60D
SHA256:8DE53E99E4FB2237B35ABEDA4D4A24B5C29048383F79E035198B8468607DBBA9
3696WINWORD.EXEC:\Users\admin\Desktop\~$146.docmpgc
MD5:46B0555AEA247D205909B701721A8CAC
SHA256:0C6CEAEBF0FEA217A2B7D9514E366B48BB5992B4286CAEE8B13DAE4EDC0A4AA6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.36 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3716
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
2.21.242.197:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.21.242.197
  • 2.21.242.187
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
146.docm