File name:	invitation.docm
Full analysis:	https://app.any.run/tasks/daf0c226-a16a-4fe5-8bc6-5944d73b2e6f
Verdict:	Malicious activity
Analysis date:	March 09, 2024, 17:41:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros macros-on-open macros-on-close
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	06C9F19BD47856E56472FD100E9AB747
SHA1:	4ABCEB9293C65964A35E32037C25CDA44C8490AD
SHA256:	0D3ECFDD57C0F61FCB5E51C142E7C85B0F20FDD68E8C4CB8BD60009FFBBE367E
SSDEEP:	6144:UTnb2QGBUKtLj0CnhahqiRk0rlOQMPF2+ECaL1:UTb2/m8Lj0CnUhquk0rYRPF2+6L1

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x5cab74af
ZipCompressedSize:	400
ZipUncompressedSize:	1504
ZipFileName:	[Content_Types].xml

Keywords:	-
LastModifiedBy:	developer
RevisionNumber:	3
CreateDate:	2024:02:16 13:54:00Z
ModifyDate:	2024:02:16 13:56:00Z
Template:	Normal.dotm
TotalEditTime:	2 minutes
Pages:	1
Words:	-
Characters:	1
Application:	Microsoft Office Word
DocSecurity:	None
Lines:	1
Paragraphs:	1
ScaleCrop:	No
Company:	-
LinksUpToDate:	No
CharactersWithSpaces:	1
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	16


(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5372
Operation:	write	Name:	0
Value: 0B0E106B567BBC40AE5943BEB404B54E56DB4D230046A7C5F7AB91C99CED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511FC29D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

PID	Process	Filename		Type
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$vitation.docm		binary
		MD5:4224179329D3A19FE7B50422ED995FA2	SHA256:624F20AB78523F20EFAEBB7D30557FCF896306B1B13A53A77BE3ABC7E0C5307A
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C0BC7BD2CC01D61BA39B4BD5ABCE6F84	SHA256:DF2234391F96B495A12930C36F2DC28C47BD0ABB9DB5056F59A12DE6DC59A7F3
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EB367E3-F8A9-4076-9961-26D891FD157D		xml
		MD5:0EBB3599FC4AF8516A55F09784D06D41	SHA256:7752CF5E2393C7C6EFF94FB56C7EB94399A9861FEEFE73AA24F57CDF23B25675
5372	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A		binary
		MD5:6C274D1CAA030728226688893BEC2D22	SHA256:4C7643E1CE8EC5D048B373D1879217823A13EFDDF1AC8FD4C8FDD9382D0825DD
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:3966B10A4971E860699F59D5284B667C	SHA256:C31CE13F2758E668DC843C42940C8AE240E1F49E58F790C0BFD329FD33919899
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:AB98D8A5A35E5D56B28F640801C6752E	SHA256:1DFA1077AC93E8F8C58E6FCF3AFE398D19B427F56F87EB2DF3A1E0276C228E0A
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmp		binary
		MD5:788BE83E3F7F233A63E708560640AC78	SHA256:B06E4AF219D1768D09B936CFA679D96C9D5420D68DE90668C52781BEB3852C89
5372	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A		binary
		MD5:A61BDE9BF46F3AC6450F7D9BFEB839E0	SHA256:7E6D3FDC89CF8BFD1AD9EAAEE7B1AF547888001A28D889C4EC6BF03651A4DEA5
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\cabBF4B.tmp		compressed
		MD5:66C5199CF4FB18BD4F9F3F2CCB074007	SHA256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5372	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	binary	471 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	binary	767 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	binary	564 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	binary	519 b	unknown
5372	WINWORD.EXE	GET	200	184.24.45.163:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	binary	1.05 Kb	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	binary	824 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	binary	555 b	unknown
6692	svchost.exe	POST	302	184.24.46.2:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
6692	svchost.exe	POST	—	138.91.171.81:80	http://dmd.metaservices.microsoft.com/metadata.svc	unknown	—	—	unknown
6692	svchost.exe	POST	302	184.24.46.2:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3624	svchost.exe	239.255.255.250:1900	—	—	—	unknown
6876	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
892	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5372	WINWORD.EXE	52.109.89.18:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5372	WINWORD.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5372	WINWORD.EXE	52.109.89.19:443	roaming.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5372	WINWORD.EXE	79.140.80.9:443	omex.cdn.office.net	TELECOM ITALIA SPARKLE S.p.A.	IT	unknown
5372	WINWORD.EXE	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3308	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.109.89.18	whitelisted
ecs.office.com	52.113.194.132	whitelisted
roaming.officeapps.live.com	52.109.89.19	whitelisted
omex.cdn.office.net	79.140.80.9 79.140.80.17	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
fs.microsoft.com	184.24.44.106	whitelisted
messaging.engagement.office.com	52.111.243.12	whitelisted
messaging.lifecycle.office.com	52.111.243.8	whitelisted
nleditor.osi.office.net	52.111.243.40 52.111.243.42 52.111.243.41 52.111.243.43	whitelisted
self.events.data.microsoft.com	52.168.117.168 52.168.117.169	whitelisted

Title:	-
Subject:	-
Creator:	developer
Description:	-

General Info

invitation.docm

06C9F19BD47856E56472FD100E9AB747

4ABCEB9293C65964A35E32037C25CDA44C8490AD

0D3ECFDD57C0F61FCB5E51C142E7C85B0F20FDD68E8C4CB8BD60009FFBBE367E

6144:UTnb2QGBUKtLj0CnhahqiRk0rlOQMPF2+ECaL1:UTb2/m8Lj0CnUhquk0rYRPF2+6L1

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Connection from MS Office application

Checks whether a specified folder exists (SCRIPT)

Unusual execution from MS Office

SUSPICIOUS

Non-standard symbols in registry

Runs shell command (SCRIPT)

The process executes JS scripts

Creates FileSystem object to access computer's file system (SCRIPT)

INFO

Checks proxy server information

Manual execution by a user

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

XMP

XML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings