File name:	invitation.docm
Full analysis:	https://app.any.run/tasks/daf0c226-a16a-4fe5-8bc6-5944d73b2e6f
Verdict:	Malicious activity
Analysis date:	March 09, 2024, 17:41:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros macros-on-open macros-on-close
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	06C9F19BD47856E56472FD100E9AB747
SHA1:	4ABCEB9293C65964A35E32037C25CDA44C8490AD
SHA256:	0D3ECFDD57C0F61FCB5E51C142E7C85B0F20FDD68E8C4CB8BD60009FFBBE367E
SSDEEP:	6144:UTnb2QGBUKtLj0CnhahqiRk0rlOQMPF2+ECaL1:UTb2/m8Lj0CnUhquk0rYRPF2+6L1

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x5cab74af
ZipCompressedSize:	400
ZipUncompressedSize:	1504
ZipFileName:	[Content_Types].xml

Keywords:	-
LastModifiedBy:	developer
RevisionNumber:	3
CreateDate:	2024:02:16 13:54:00Z
ModifyDate:	2024:02:16 13:56:00Z
Template:	Normal.dotm
TotalEditTime:	2 minutes
Pages:	1
Words:	-
Characters:	1
Application:	Microsoft Office Word
DocSecurity:	None
Lines:	1
Paragraphs:	1
ScaleCrop:	No
Company:	-
LinksUpToDate:	No
CharactersWithSpaces:	1
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	16


(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5372
Operation:	write	Name:	0
Value: 0B0E106B567BBC40AE5943BEB404B54E56DB4D230046A7C5F7AB91C99CED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511FC29D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(5372) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

PID	Process	Filename		Type
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:AB98D8A5A35E5D56B28F640801C6752E	SHA256:1DFA1077AC93E8F8C58E6FCF3AFE398D19B427F56F87EB2DF3A1E0276C228E0A
5372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:60433567BC48636D498857ADAE4A3CD7	SHA256:9DC64FC744E72372E68026349CE639E5073ACCB8BF40EA69EDC9C11D500DD66F
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$vitation.docm		binary
		MD5:4224179329D3A19FE7B50422ED995FA2	SHA256:624F20AB78523F20EFAEBB7D30557FCF896306B1B13A53A77BE3ABC7E0C5307A
5372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C0BC7BD2CC01D61BA39B4BD5ABCE6F84	SHA256:DF2234391F96B495A12930C36F2DC28C47BD0ABB9DB5056F59A12DE6DC59A7F3
5372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SCA1UA4C22DZ4N3AIGLX.temp		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\cabBF2B.tmp		compressed
		MD5:6D787B1E223DB6B91B69238062CCA872	SHA256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json		binary
		MD5:788BE83E3F7F233A63E708560640AC78	SHA256:B06E4AF219D1768D09B936CFA679D96C9D5420D68DE90668C52781BEB3852C89
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_38.ttf		binary
		MD5:CBF459234D8EDB73A82FDF3DBAA457E4	SHA256:5C008CE19DEAFA53AB1594FA7F048FDC822BCF44589E24A16429D95BD046F5F9
5372	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\cabBF4B.tmp		compressed
		MD5:66C5199CF4FB18BD4F9F3F2CCB074007	SHA256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5372	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	binary	471 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	binary	564 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	binary	767 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	binary	519 b	unknown
5372	WINWORD.EXE	GET	200	184.24.45.163:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	binary	1.05 Kb	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	binary	824 b	unknown
5372	WINWORD.EXE	GET	200	92.122.225.232:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	binary	555 b	unknown
6692	svchost.exe	POST	302	184.24.46.2:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
6692	svchost.exe	POST	302	184.24.46.2:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
6692	svchost.exe	POST	—	138.91.171.81:80	http://dmd.metaservices.microsoft.com/metadata.svc	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3624	svchost.exe	239.255.255.250:1900	—	—	—	unknown
6876	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
892	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5372	WINWORD.EXE	52.109.89.18:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5372	WINWORD.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5372	WINWORD.EXE	52.109.89.19:443	roaming.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5372	WINWORD.EXE	79.140.80.9:443	omex.cdn.office.net	TELECOM ITALIA SPARKLE S.p.A.	IT	unknown
5372	WINWORD.EXE	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3308	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.109.89.18	whitelisted
ecs.office.com	52.113.194.132	whitelisted
roaming.officeapps.live.com	52.109.89.19	whitelisted
omex.cdn.office.net	79.140.80.9 79.140.80.17	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
fs.microsoft.com	184.24.44.106	whitelisted
messaging.engagement.office.com	52.111.243.12	whitelisted
messaging.lifecycle.office.com	52.111.243.8	whitelisted
nleditor.osi.office.net	52.111.243.40 52.111.243.42 52.111.243.41 52.111.243.43	whitelisted
self.events.data.microsoft.com	52.168.117.168 52.168.117.169	whitelisted

Title:	-
Subject:	-
Creator:	developer
Description:	-

General Info

invitation.docm

06C9F19BD47856E56472FD100E9AB747

4ABCEB9293C65964A35E32037C25CDA44C8490AD

0D3ECFDD57C0F61FCB5E51C142E7C85B0F20FDD68E8C4CB8BD60009FFBBE367E

6144:UTnb2QGBUKtLj0CnhahqiRk0rlOQMPF2+ECaL1:UTb2/m8Lj0CnUhquk0rYRPF2+6L1

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Connection from MS Office application

Unusual execution from MS Office

Checks whether a specified folder exists (SCRIPT)

SUSPICIOUS

Non-standard symbols in registry

Creates FileSystem object to access computer's file system (SCRIPT)

Runs shell command (SCRIPT)

The process executes JS scripts

INFO

Checks proxy server information

Manual execution by a user

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

XMP

XML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings