File name: Archivo 11-10-2019_45668.doc

Full analysis: https://app.any.run/tasks/3b3bbf9d-cf0f-495a-8069-f4bf267f9eca
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 14, 2019, 18:30:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, emotet-doc, emotet, generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Unbranded Wooden Computer, Subject: global, Author: Kathryne Botsford, Keywords: Course, Comments: Keys, Template: Normal.dotm, Last Saved By: Catharine Orn, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 18:55:00 2019, Last Saved Time/Date: Fri Oct 11 18:55:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0
MD5: 82E276457634360C2DBC022417DD71D6
SHA1: 6F9B8B23662DD6A973B4BDDC4FA1EBA3707231A7
SHA256: 0AC1A4F74045E372703561B65A5425890AE0C5431F8087D88D9DC7F6B5CEF284
SSDEEP: 1536:0rkKPubsYwKjtrzu5rG5mRoHynvwMMITLxQOhxrtmxu:NKgdzSrGgKyIwLx3/Uxu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2576)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2576)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Unbranded Wooden Computer
Subject: global
Author: Kathryne Botsford
Keywords: Course
Comments: Keys
Template: Normal.dotm
LastModifiedBy: Catharine Orn
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:10:11 17:55:00
ModifyDate: 2019:10:11 17:55:00
Pages: 1
Words: 29
Characters: 169
Security: None
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
CodePage: Windows Latin 1 (Western European)
Company: Howell and Sons
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 197
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Williamson
Total processes: 33
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start, winword.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2576 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Archivo 11-10-2019_45668.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

Total events: 653
Read events: 512
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 15

Dropped files

PID | Process | Filename | Type
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBBC9.tmp.cvr | -
  MD5: -
  SHA256: -
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B12CBB1.wmf | wmf
  MD5: 2A8DF098A1931EF16E81E095614C4F46
  SHA256: CBF7E04AEA538D363E56042CDEF25A90983BCCA054875C65CBCD78B4CEC6B042
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1818F4E4.wmf | wmf
  MD5: 02F3DEAB89FDA884E3F836F28DA8D4C9
  SHA256: 24768C3C4D9D0D5EE4CCF32568DD476E615C0F129D340E0627F9205CB882D9D6
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb
  MD5: 35FAC96A6BBA8F6D072879B30A84F856
  SHA256: 1A80949FA57647432AC6D5CA4D3071923BBA32CE910A873C2BFD959D82DD2966
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B57B3E70.wmf | wmf
  MD5: 5708F31F25B50E377C258D50D711F4B7
  SHA256: 389DC283AAA1BF151C19DAC9FA81EB62ACD110B4A521F54F1FD19BB7E89C1653
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C86D336B.wmf | wmf
  MD5: F9B15AAA8E51B17D00EB446BCA9E27C4
  SHA256: DB5BA9EDECFC0CF11D96FCA017428D36D54E1A385756B05EEEA3E8AA8EB2988A
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\151B4795.wmf | wmf
  MD5: 3867174190726A46149F31DECA62E45A
  SHA256: 30746DDACE419DC7D86F647A6555DBC551BA80AB5775E72AC8BB6EAD9FF6DB4F
2576 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 45822EE62FC571A3151895E367644231
  SHA256: EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chivo 11-10-2019_45668.doc | pgc
  MD5: EE8D7DAB291B2492910DD67AA85E3806
  SHA256: F49210310D20286CA943698D138BA5ECBB7044566D4BEF0B46C0ECDAC325D822
2576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0027AAF.wmf | wmf
  MD5: 36BFCE5127479BB39BEAB17C4D2998CA
  SHA256: D592C48FBD5022E1B493EEF849EE5B6669B4221B822F97A137CF9F7C073DB538
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info