analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

819f61079304b21bd7ae4ca2342d28fea856b55e.doc

Full analysis: https://app.any.run/tasks/8edaf5fe-c823-4a75-be4f-49089ad6a23a
Verdict: Malicious activity
Analysis date: February 19, 2019, 12:53:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
evasion
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 8 15:30:00 2017, Last Saved Time/Date: Thu Jun 8 15:31:00 2017, Number of Pages: 8, Number of Words: 929, Number of Characters: 5298, Security: 8
MD5:

27CE017900DE8ED101DBB2480FDD2E05

SHA1:

59F434D02FBB39119050256EFEADB957EA76EE48

SHA256:

1C7F4150670158AB16E475F3641739D5ADC40E191A64167F14C8C152BE7FDA82

SSDEEP:

3072:JtmDy9XLV2Cq5I1V2rVkgejL04nYX6sRmjZKmDma9:7mDy9DZVQVkv04k5RmjZK6X9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2972)

    • Uses SVCHOST.EXE for hidden code execution

      • WINWORD.EXE (PID: 2972)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2276)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2972)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2017:06:08 14:30:00
ModifyDate: 2017:06:08 14:31:00
Pages: 8
Words: 929
Characters: 5298
Security: Locked for annotations
CodePage: Windows Cyrillic
Company: -
Bytes: 11000
Lines: 44
Paragraphs: 12
CharCountWithSpaces: 6215
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs svchost.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\819f61079304b21bd7ae4ca2342d28fea856b55e.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2276"C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3948"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 146
Read events
740
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE512.tmp.cvr
MD5:
SHA256:
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:9E8A12D4FDCCD54CAE8FD9980B98F6DD
SHA256:EAEA8FC987EDE8AAA6E12BCFE3B30E904D80B9B2BBE42F2BDAB2D2BA5E26D1F2
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$9f61079304b21bd7ae4ca2342d28fea856b55e.docpgc
MD5:A94C9C08FB6D6E99C1BFCC8400E11EA8
SHA256:145E011FED69BDF16791CE02535D8CE82C99DF5D0658E036BE22284B4D7AD034
2972WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B4444015501490AF96A04C13D3D124CA
SHA256:32AD967938452AC7757EAF34918D2ABD02E042FEDD6A1F1BBD417E147E58DF6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2276
svchost.exe
GET
200
54.243.123.39:80
http://api.ipify.org/
US
text
11 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2276
svchost.exe
54.243.123.39:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 54.243.123.39
  • 107.22.215.20
  • 50.16.248.221
  • 50.19.247.198
  • 23.21.121.219
  • 54.204.36.156
shared
tohageheg.com
unknown
downdintwiltit.ru
unknown
lonemoning.ru
unknown

Threats

PID
Process
Class
Message
2276
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
819f61079304b21bd7ae4ca2342d28fea856b55e.doc