General Info

File name

harassment letter.doc

Full analysis
https://app.any.run/tasks/a16a5120-c7ae-4e19-986e-fd9f245ba25f
Verdict
Malicious activity
Analysis date
12/3/2019, 00:22:34
OS:
Windows 10 Professional (build: 16299, 64 bit)
Tags:

macros

macros-on-open

generated-doc

maldoc-45

Indicators:

MIME:
application/msword
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Administrator, Template: Normal, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Nov 4 06:13:00 2019, Last Saved Time/Date: Mon Nov 4 06:13:00 2019, Number of Pages: 8, Number of Words: 1360, Number of Characters: 7756, Security: 8
MD5

7c943e0e5b031eb8bf0b0a7b7ab48210

SHA1

47acb15da1ce28ba9a3ac2f94e6d1cef96921e48

SHA256

1e268e74044999d88b1437d6190783586f56bf7987c25d7269dda586277491de

SSDEEP

6144:OVl7Qlw50PC2wBHXkkpNaR4jFRAGqPM3rBvS5g:OXQl6gfwpXF8RmFeGBIg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
900 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.431.16299.0 KB4103768
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • CCleaner (5.35)
  • FileZilla Client 3.31.0 (3.31.0)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
  • Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
  • Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
  • Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
  • Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
  • Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
  • Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
  • Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
  • Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
  • Office 16 Click-to-Run Localization Component (16.0.12026.20264)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

  • Client LanguagePack Package
  • Foundation Package
  • InternetExplorer Optional Package
  • KB4054022
  • KB4055237
  • KB4055994
  • KB4058043
  • KB4078408
  • KB4093110
  • KB4094276
  • KB4103729
  • KB4131372
  • KB4134661
  • LanguageFeatures Basic en us Package
  • LanguageFeatures Handwriting en us Package
  • LanguageFeatures OCR en us Package
  • LanguageFeatures Speech en us Package
  • LanguageFeatures TextToSpeech en us Package
  • MediaPlayer Package
  • Microsoft OneCore ApplicationModel Sync Desktop FOD Package
  • NetFx3 OnDemand Package
  • ProfessionalEdition
  • QuickAssist Package
  • RollupFix

Behavior activities

Severity levels: MALICIOUS / SUSPICIOUS / INFO
Starts CMD.EXE for commands execution
  • WINWORD.EXE (PID: 900)
Scans artifacts that could help determine the target
  • WINWORD.EXE (PID: 900)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 900)
Executed via COM
  • MicrosoftEdgeCP.exe (PID: 5756)
  • DllHost.exe (PID: 6904)
  • MicrosoftEdgeCP.exe (PID: 3596)
  • RuntimeBroker.exe (PID: 2976)
  • MicrosoftEdgeCP.exe (PID: 7104)
  • MicrosoftEdgeCP.exe (PID: 4484)
  • MicrosoftEdgeCP.exe (PID: 3636)
  • MicrosoftEdgeCP.exe (PID: 5392)
  • RuntimeBroker.exe (PID: 3428)
  • RuntimeBroker.exe (PID: 5588)
  • MicrosoftEdgeCP.exe (PID: 5276)
  • MicrosoftEdgeCP.exe (PID: 6352)
  • MicrosoftEdgeCP.exe (PID: 6688)
  • MicrosoftEdgeCP.exe (PID: 6652)
  • MicrosoftEdgeCP.exe (PID: 7076)
  • MicrosoftEdgeCP.exe (PID: 5848)
  • MicrosoftEdgeCP.exe (PID: 4412)
  • MicrosoftEdgeCP.exe (PID: 5616)
  • MicrosoftEdgeCP.exe (PID: 7044)
  • MicrosoftEdge.exe (PID: 6912)
  • DllHost.exe (PID: 6420)
  • browser_broker.exe (PID: 2672)
  • MicrosoftEdgeCP.exe (PID: 5440)
  • MicrosoftEdgeCP.exe (PID: 5248)
  • MicrosoftEdgeCP.exe (PID: 3816)
  • browser_broker.exe (PID: 2716)
  • MicrosoftEdge.exe (PID: 5472)
  • RuntimeBroker.exe (PID: 2952)
  • MicrosoftEdgeCP.exe (PID: 5348)
  • RuntimeBroker.exe (PID: 4212)
  • BackgroundTaskHost.exe (PID: 2864)
Reads the machine GUID from the registry
  • MicrosoftEdgeCP.exe (PID: 5848)
  • browser_broker.exe (PID: 2672)
  • MicrosoftEdgeCP.exe (PID: 4412)
  • MicrosoftEdge.exe (PID: 6912)
  • opera.exe (PID: 1896)
  • MicrosoftEdgeCP.exe (PID: 7076)
  • MicrosoftEdgeCP.exe (PID: 5392)
  • MicrosoftEdge.exe (PID: 5472)
  • MicrosoftEdgeCP.exe (PID: 5248)
  • MicrosoftEdgeCP.exe (PID: 7044)
  • browser_broker.exe (PID: 2716)
  • MicrosoftEdgeCP.exe (PID: 3596)
  • MicrosoftEdgeCP.exe (PID: 5348)
Checks supported languages
  • opera.exe (PID: 1896)
  • MicrosoftEdge.exe (PID: 6912)
  • MicrosoftEdgeCP.exe (PID: 5348)
  • MicrosoftEdgeCP.exe (PID: 7044)
  • MicrosoftEdge.exe (PID: 5472)
Creates files in the user directory
  • opera.exe (PID: 1896)
Reads Environment values
  • WINWORD.EXE (PID: 900)
Starts CMD.EXE for commands execution
  • cmd.exe (PID: 6128)
Application launched itself
  • cmd.exe (PID: 6128)
Uses WMIC.EXE to create a new process
  • cmd.exe (PID: 6128)
Executed via WMI
  • msiexec.exe (PID: 5576)
Manual execution by user
  • opera.exe (PID: 1896)
Reads settings of System Certificates
  • MicrosoftEdgeCP.exe (PID: 7044)
  • MicrosoftEdgeCP.exe (PID: 5348)
  • WINWORD.EXE (PID: 900)
Reads the software policy settings
  • WINWORD.EXE (PID: 900)
Creates files in the user directory
  • WINWORD.EXE (PID: 900)
Reads the machine GUID from the registry
  • WINWORD.EXE (PID: 900)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 900)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
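The signatures above describe one process chain: WINWORD.EXE (PID 900) starts cmd.exe (PID 6128), cmd.exe relaunches itself, the inner shell calls WMIC.EXE to create a process, and msiexec.exe (PID 5576) appears as "Executed via WMI", i.e. parented by the WMI provider host rather than by the shell that asked for it. That broken parent link is what makes the last hop easy to miss. The following Python is an added example, not part of the ANY.RUN report: it runs a parent-chain check over constructed Sysmon Event ID 1-style process-creation records. PIDs 900, 6128 and 5576 are taken from the report; the remaining PIDs, the image paths and every command line are invented placeholders.

```python
"""Flag Office-spawned LOLBin chains and WMI-mediated launches in process telemetry.

Added example, not part of the ANY.RUN report. The records below are
constructed Sysmon Event ID 1-style entries modelled on the process tree the
report describes; PIDs 900, 6128 and 5576 come from the report, everything
else (other PIDs, paths, command lines) is an invented placeholder.
"""
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wmic.exe", "mshta.exe", "msiexec.exe",
           "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
WMI_HOST = "wmiprvse.exe"   # WMI provider host: parent of anything created via Win32_Process.Create

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"pid": 900,  "ppid": 1234, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\admin\Desktop\harassment letter.doc"'},
    {"pid": 6128, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c cmd /c wmic process call create "msiexec /q /i package.msi"'},
    {"pid": 6140, "ppid": 6128, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c wmic process call create "msiexec /q /i package.msi"'},
    {"pid": 6152, "ppid": 6140, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "msiexec /q /i package.msi"'},
    {"pid": 3000, "ppid": 700,  "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "wmiprvse.exe -secured -Embedding"},
    {"pid": 5576, "ppid": 3000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i package.msi"},
    # benign noise: an interactive shell under Explorer must not be flagged
    {"pid": 2000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def image_name(event):
    """Lower-cased basename of the process image, e.g. 'wmic.exe'."""
    return ntpath.basename(event["image"]).lower()


def ancestors(by_pid, pid):
    """Yield ancestor records from the immediate parent upward; stops at unknown PIDs or cycles."""
    seen = {pid}
    event = by_pid.get(pid)
    while event is not None and event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event


def analyse(events):
    """Return (pid, reason) findings for the Office -> LOLBin -> WMI -> msiexec pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    office_wmic_create = False

    for e in events:
        name = image_name(e)
        if name not in LOLBINS:
            continue
        parent = by_pid.get(e["ppid"])
        # 'Application launched itself' (cmd /c cmd /c ...) is a common obfuscation layer.
        if parent is not None and image_name(parent) == name:
            findings.append((e["pid"], f"{name} relaunches itself"))
        office = next((a for a in ancestors(by_pid, e["pid"]) if image_name(a) in OFFICE_IMAGES), None)
        if office is None:
            continue
        findings.append((e["pid"], f"{name} descends from {image_name(office)} (pid {office['pid']})"))
        if name == "wmic.exe" and "process call create" in e["cmdline"].lower():
            office_wmic_create = True
            findings.append((e["pid"], "Office-descended WMIC process creation (ATT&CK T1047)"))

    # A process created through WMI is parented by WmiPrvSE.exe, not by the caller, so the
    # parent chain back to Office is broken; correlate it with the WMIC call seen above instead.
    for e in events:
        parent = by_pid.get(e["ppid"])
        if image_name(e) in LOLBINS and parent is not None and image_name(parent) == WMI_HOST:
            reason = f"{image_name(e)} executed via WMI (parent {WMI_HOST})"
            if office_wmic_create:
                reason += ", correlates with the Office-descended WMIC call"
            findings.append((e["pid"], reason))
    return findings


if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The second pass is the part worth keeping in a real rule: without it, the msiexec launch looks like an unrelated WmiPrvSE.exe child and the Office-to-installer chain is never joined up. In production the correlation should also be bounded by host and by a short time window, which the constructed sample omits.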

Static information

TRiD
.doc | Microsoft Word document (35.9%)
.xls | Microsoft Excel sheet (33.7%)
.doc | Microsoft Word document (old ver.) (21.3%)
EXIF
FlashPix
Author:
Administrator
Template:
Normal
LastModifiedBy:
Administrator
RevisionNumber:
2
Software:
Microsoft Office Word
TotalEditTime:
1.0 minutes
CreateDate:
2019:11:04 06:13:00
ModifyDate:
2019:11:04 06:13:00
Pages:
8
Words:
1360
Characters:
7756
Security:
Locked for annotations
Company:
null
Lines:
64
Paragraphs:
18
CharCountWithSpaces:
9098
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
null
HeadingPairs:
null
CodePage:
Windows Latin 1 (Western European)
Hyperlinks:
null
LastSaved:
2019:10:25 00:00:00
CompObjUserTypeLen:
32
CompObjUserType:
Microsoft Word 97-2003 Document
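The metadata above is what earned the sample its "generated-doc" tag: a generic author, revision 2, identical create and modify timestamps, one minute of editing time for 1360 words, a LastSaved value that predates the creation date, and a legacy 97-2003 container written by a Word 16 build. The following Python is an added example, not part of the ANY.RUN report: SAMPLE_META is constructed from the values shown on this page, and the heuristics are the editor's own triage rules, not ANY.RUN's signature definition.

```python
"""Score a document's OLE/EXIF summary metadata for signs of automated generation.

Added example, not part of the ANY.RUN report. SAMPLE_META is constructed from
the values shown in the Static information section; the heuristics are the
editor's own triage rules, not an ANY.RUN signature definition.
"""
from datetime import datetime

GENERIC_AUTHORS = {"administrator", "admin", "user", "owner", "pc", "root"}


def parse_exif_ts(value):
    """Parse the 'YYYY:MM:DD HH:MM:SS' form used by exiftool-style output."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


SAMPLE_META = {  # constructed from the report's metadata fields
    "Author": "Administrator",
    "LastModifiedBy": "Administrator",
    "Template": "Normal",
    "RevisionNumber": 2,
    "TotalEditTimeMinutes": 1.0,
    "CreateDate": "2019:11:04 06:13:00",
    "ModifyDate": "2019:11:04 06:13:00",
    "LastSaved": "2019:10:25 00:00:00",
    "Pages": 8,
    "Words": 1360,
    "AppVersion": 16,
    "CompObjUserType": "Microsoft Word 97-2003 Document",
    "Company": None,
}


def generated_doc_indicators(meta):
    """Return human-readable reasons the metadata looks machine-generated."""
    hits = []
    create = parse_exif_ts(meta["CreateDate"])
    modify = parse_exif_ts(meta["ModifyDate"])
    words = meta.get("Words", 0)
    edit_minutes = meta.get("TotalEditTimeMinutes", 0)

    if create == modify:
        hits.append("create and modify timestamps are identical")
    # Typing-speed sanity check: hundreds of words in a minute or two is not a human session.
    if words >= 300 and edit_minutes <= 2:
        hits.append(f"{words} words with only {edit_minutes:g} minute(s) of editing time")
    if meta.get("Author", "").lower() in GENERIC_AUTHORS:
        hits.append(f"generic author name {meta['Author']!r}")
    if meta.get("RevisionNumber", 99) <= 2:
        hits.append("revision number <= 2 (saved once, never re-edited)")
    last_saved = meta.get("LastSaved")
    if last_saved and parse_exif_ts(last_saved) < create:
        hits.append("LastSaved precedes CreateDate (inconsistent timestamps)")
    # .docx cannot carry VBA; a modern build deliberately saving the legacy OLE .doc is notable.
    if meta.get("AppVersion", 0) >= 15 and "97-2003" in meta.get("CompObjUserType", ""):
        hits.append("legacy binary .doc written by a modern Word build (macro-capable container)")
    if not meta.get("Company"):
        hits.append("Company field empty")
    return hits


def score(meta, threshold=4):
    """Simple verdict: True when at least `threshold` indicators fire."""
    hits = generated_doc_indicators(meta)
    return len(hits) >= threshold, hits


if __name__ == "__main__":
    verdict, reasons = score(SAMPLE_META)
    print("generated-doc:", verdict)
    for reason in reasons:
        print(" -", reason)
```

None of these indicators is conclusive on its own (plenty of legitimate files are saved by "Administrator" or never revised), which is why the verdict is a count against a threshold rather than any single rule; the threshold and the author list are tunable assumptions.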
