File name: 17088739e1bbc696a82e6181c4938a68866646f0a89fe158b38b640592d28192.docm
Full analysis: https://app.any.run/tasks/33e6e409-4996-431c-a9ef-0fd103673db8
Verdict: Malicious activity
Analysis date: May 24, 2019, 02:03:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: BE8376EE6047E851820B90B78FC2A11C
SHA1: 80DACA0222B631BC74D5F5BEE6B0A168FC2F4E35
SHA256: 17088739E1BBC696A82E6181C4938A68866646F0A89FE158B38B640592D28192
SSDEEP: 12288:qZYTdp53JgmplY01VYsfKalrlvzE9kq9pWdd8fv3AiVkIFWYn4ygQS316HXsI:BZp535plY04OrlpekusddWwiVkXYIRI
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • radDB228.exe (PID: 3572)
      • radDB228.exe (PID: 3548)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3288)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3288)
  • SUSPICIOUS
    • Application launched itself
      • radDB228.exe (PID: 3572)
    • Low-level read access rights to disk partition
      • radDB228.exe (PID: 3548)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3288)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3288)
No Malware configuration.

TRiD
  • .docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
  • .docx | Word Microsoft Office Open XML Format document (24.2)
  • .zip | Open Packaging Conventions container (18)
  • .zip | ZIP compressed archive (4.1)
EXIF

XML

AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 2090
LinksUpToDate: No
Company: FB Wirtschaftswissenschaften
TitlesOfParts:
  • Anschreiben: Soll Atmosphäre schaffen
  • Anschreiben: Soll Atmosphäre schaffen
HeadingPairs:
  • Title
  • 1
  • Titel
  • 1
ScaleCrop: No
Paragraphs: 4
Lines: 14
DocSecurity: None
Application: Microsoft Office Word
Characters: 1782
Words: 312
Pages: 3
TotalEditTime: -
Template: Normal.dotm
ModifyDate: 2016:09:13 16:58:00Z
CreateDate: 2016:09:13 16:58:00Z
RevisionNumber: 2
LastModifiedBy: User

XMP

Creator: labwiwi3
Title: Anschreiben: Soll Atmosphäre schaffen

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1747
ZipCompressedSize: 464
ZipCRC: 0xd8a131a1
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 2

Behavior graph

winword.exe --(drop and start)--> raddb228.exe --(start)--> raddb228.exe (no specs)

Process information

PID 3288
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\17088739e1bbc696a82e6181c4938a68866646f0a89fe158b38b640592d28192.docm"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3572
  CMD: "C:\Users\admin\AppData\Local\Temp\radDB228.exe"
  Path: C:\Users\admin\AppData\Local\Temp\radDB228.exe
  Parent process: WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Machine Debug Manager
  Version: 7.10.3077

PID 3548
  CMD: "C:\Users\admin\AppData\Local\Temp\radDB228.exe"
  Path: C:\Users\admin\AppData\Local\Temp\radDB228.exe
  Parent process: radDB228.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Machine Debug Manager
  Version: 7.10.3077
Total events: 1 121
Read events: 1 078
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 2

Dropped files

PID 3288, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVRFB74.tmp.cvr
  Type: not reported
  MD5: not reported
  SHA256: not reported

PID 3288, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~$088739e1bbc696a82e6181c4938a68866646f0a89fe158b38b640592d28192.docm
  Type: pgc
  MD5: 47B147571E8D012F5D0F5AC92564322B
  SHA256: 0AC78D79787F83D67C3A121F782D9ED95100E05295F301834AAA64B7DFF06040

PID 3288, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: B4A3A7010D8FEA8F141CA79DBF1C0A7F
  SHA256: 1AE5A8F017BE4D661214AD5059D36CCC00CE7BC44428DA72655DCE7695B6AB06

PID 3288, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\radDB228.exe
  Type: executable
  MD5: E9D2E34AB54A1C6CDC3468DC94AC435C
  SHA256: 96A88732899213956D75F2831277DDDCD3AD2C827797B63CF64C726633FD8880

PID 3288, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Type: text
  MD5: F3B25701FE362EC84616A93A45CE9998
  SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info