analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx

Full analysis: https://app.any.run/tasks/126f1c97-39b6-47fc-891d-931ae68afde7
Verdict: Malicious activity
Analysis date: December 06, 2018, 13:46:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2A1C43A62C89A78D6D7A157B3AA86B3B

SHA1:

8D886586B9EE017F5C2611CF9E0C51868D284F4C

SHA256:

1F853368BA469ABD3BBB5BA797E646CF0D3485EB7053B29D5E4501A703B6F17A

SSDEEP:

3072:jSEVa/OV7diMw+bdRBbu2MKIOU9JEyRaV7kVFEjcfUhwCgZSHK0LJx2:eEVTVZb5RxuROoEXV4VFEjcfbCgMKii

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2988)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2988)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

ModifyDate: 2018:10:15 16:19:00Z
CreateDate: 2018:10:15 16:19:00Z
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: _rels/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:12:04 22:20:22
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs fltldr.exe no specs fltldr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4016"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLTC:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEWINWORD.EXE
User:
admin
Integrity Level:
LOW
Exit code:
0
2728"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLTC:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEWINWORD.EXE
User:
admin
Integrity Level:
LOW
Exit code:
0
Total events
967
Read events
629
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
8

Dropped files

PID
Process
Filename
Type
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR68DC.tmp.cvr
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_1C9C52DB-CBEC-4B0A-BB6A-5CB342B2458D.0\FL6E9A.tmpps
MD5:C8F5679981B53D21163E227536DBF058
SHA256:4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6B01A4399B399324F54D1B8A2E65AF4E
SHA256:2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3297C78.epsps
MD5:C8F5679981B53D21163E227536DBF058
SHA256:4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx.LNKlnk
MD5:AEECD1823E98D91F7CA9CC40F81AB356
SHA256:8615B803EF2B6E9DABAB3FD2FED3C135E0EEC273A827189B483E0916749CABC5
2988WINWORD.EXEC:\Users\admin\Desktop\~$853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docxpgc
MD5:5483FBFB757E0C3CFCCD3114B945D21A
SHA256:FCEB30276745AAD7D6F58306F92E907F7832BB90D89AF37AE74451B334E996C5
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:210A9A61960FBFE7E02338ED4E0DC87E
SHA256:18ADB6A941B28A784F6964762F069B18EAB455200A81AFD1020BA6C0112CDB89
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_9AADE63D-7850-4EB9-99DB-F448948054CB.0\FLBD96.tmpps
MD5:C8F5679981B53D21163E227536DBF058
SHA256:4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBD5AF93.epsps
MD5:C8F5679981B53D21163E227536DBF058
SHA256:4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info