analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Full_Customer_Documents_12775 MALWARE.docm

Full analysis: https://app.any.run/tasks/265af1a5-fb21-45d9-b552-419893fadaa7
Verdict: Malicious activity
Analysis date: July 18, 2019, 14:45:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

542A714792B40FFC5EB7B550C81B685E

SHA1:

DDDB99FB903BE10147028BE232487AF1DC77C5E2

SHA256:

1681935CA2477FFFF4A350E928BE55150978516E16C5ACB51ACA6B19CA18C33F

SSDEEP:

6144:IDhNK9vUUW4Y16qijd7++ojOp7un8Nl2QJ:IDhNKSv1ERajOInuMQJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 3896)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3896)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3896)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Creator: -

XML

ModifyDate: 2019:07:12 07:14:00Z
CreateDate: 2019:07:08 09:55:00Z
RevisionNumber: 1
LastModifiedBy: -
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 662200
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1324
Lines: 4704
DocSecurity: None
Application: Microsoft Office Word
Characters: 564491
Words: 99033
Pages: 162
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 2645
ZipCompressedSize: 501
ZipCRC: 0xc6337d17
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3896"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Full_Customer_Documents_12775 MALWARE.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2084"C:\Windows\System32\wscript.exe" /e:JScript "C:\Users\admin\Desktop\Full_Customer_Documents_12775 MALWARE.docm.ini"C:\Windows\System32\wscript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 063
Read events
717
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3896WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFF6F.tmp.cvr
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9EEF5E72.png
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ECDBF31-D423-40AF-9F7F-48907F653EDE}.tmp
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A9364D5-7454-4DBE-83CD-5EF1F067ED37}.tmp
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB9C23EB-4A92-42E8-A44A-691DF7B5AC5F}.tmp
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5DE9FF25-8E83-4991-915E-F191B414D7CF}.tmp
MD5:
SHA256:
3896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Full_Customer_Documents_12775 MALWARE.docm.LNKlnk
MD5:CAE235A73251EC4A64BA357E7E4268A1
SHA256:563BBC92460482B8571C1637A246231ECAD15A178BF76551E0033F0F9A660C00
3896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DC5CFC2A06194321FECBA902009F4DAE
SHA256:B07FC3413BAED1CB2297033D59D57BFED7A9BC31CAC9F1F76BB9880CDB4B51ED
3896WINWORD.EXEC:\Users\admin\Desktop\~$ll_Customer_Documents_12775 MALWARE.docmpgc
MD5:4A4CC9B9756A5D53154A96F4BF42B494
SHA256:53F3BD2C230D805F095EC944BE0AE6BAA44C4076B38F92CC5CFBA6FFF1F056F8
3896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:B99191606540891CB74D5E3B0910947A
SHA256:6D2968A94D89BE2EBDFC3EC764B9E696AA0CA7A0629DED4775D8379BF44CBC34
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Full_Customer_Documents_12775 MALWARE.docm