File name: Rechnungsbeilage_2019_10.doc

Full analysis: https://app.any.run/tasks/e01d09e6-2dd1-44de-9b45-f0dfb3839924
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns.

Analysis date: October 14, 2019, 11:56:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet-doc, emotet, generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Licensed, Subject: Sleek, Author: Alivia Heaney, Keywords: Generic Concrete Gloves, Comments: Legacy, Template: Normal.dotm, Last Saved By: Sharon Kulas, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 09:04:00 2019, Last Saved Time/Date: Mon Oct 14 09:04:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 171, Security: 0
MD5: BF6386482CFDA4C2CF49A9977AD4DE8E
SHA1: 96E23E01340130A30B26D2D02D62543672B1CD1D
SHA256: 263DD7396F687A1E78663B389367D98D48C7C996B3364C7F9A9989057DEC8765
SSDEEP: 1536:1aHde0oPOXrkKPubsYwKjtrzu5rGImRoHynvwMMITLxQOXxrt:1aHde0oWQKgdzSrGtKyIwLx3B

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Because the analyst can act inside the VM, the information in this report may be distorted by user actions and is provided as-is for your information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1972)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1972)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Licensed
Subject: Sleek
Author: Alivia Heaney
Keywords: Generic Concrete Gloves
Comments: Legacy
Template: Normal.dotm
LastModifiedBy: Sharon Kulas
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:10:14 08:04:00
ModifyDate: 2019:10:14 08:04:00
Pages: 1
Words: 30
Characters: 171
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Baumbach, Beahan and Robel
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 200
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
Manager: Flatley
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Total processes: 35
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> winword.exe (no specs)

Process information

PID: 1972
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rechnungsbeilage_2019_10.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 1 755
Read events: 952
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 15

Dropped files

PID | Process | Filename | Type

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB7C1.tmp | cvr
MD5: -
SHA256: -

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb
MD5: E69B8219B423DB5BF7647CBF266275BE
SHA256: DCF58A310CC9B61D7F21D7AAC3231401A8A22632F636E230D0FDDED045E35246

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88C95A6E.wmf | wmf
MD5: 09569ED461D0399D6E6A9492F9D4E1C1
SHA256: B62E72F098F67D81B0ABD0EB9049B52F52160EAC6C799077B226B5CA30C52C98

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5395A0AC.wmf | wmf
MD5: FD1F2F63D8ADDD069B3A0EAD251A6749
SHA256: 6F0EEA29C90B27CBC6FC53AE1C69944A6DDA05828ABDC818CBEC18BF259189AF

1972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 71834CB5A40FD067717E5E242FCFDDE2
SHA256: 053F9EECE736E49AA9E3C99DB635C70D83D2B9311D2D3CA8D612695DCF73376C

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D3E479A.wmf | wmf
MD5: 6091278508C837CCB13B729D8C7519E8
SHA256: DC887D565160CE96D00AE41F750FFCF3E2FC434E4AE07D7D4C89F94A68ABB723

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chnungsbeilage_2019_10.doc | pgc
MD5: 2E0992ECAFC8D7CD5A9A73AB18D92740
SHA256: 7128BE539BB0D27F46AC8F9221B80C1922D24C435F11F6E4DB8C24870A9132A5

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF6B97.wmf | wmf
MD5: CE43F1FAC623BBC22C924624C31BF65B
SHA256: 244A3D4B24DDA0A0FAEC64647C2197C7384FA976E4BD883BF50A993D8E94E8FE

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D69B0BD.wmf | wmf
MD5: 3D85CB8DB19F871BFAB7D2E13347CBB7
SHA256: E757A558435B96E8A65C4299276A3EB8CF323152BA1DA6A2A9B836CDE01218DE

1972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\633087CF.wmf | wmf
MD5: A5057546ED3841DA9BAB661FFFC3209A
SHA256: 2C3F21BE976CF7F2C5C8DFE099A4A0AFD8D1D4104B217D786A8BCB8D3E56363E
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info