File name:

ARQUIVO 112019.doc

Full analysis: https://app.any.run/tasks/d0245ced-6fe6-4abc-8f69-4de5f36669b0
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns.

Analysis date: December 03, 2019, 01:11:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Est quasi deleniti., Author: Lucien Hohnheiser, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 12 14:18:00 2019, Last Saved Time/Date: Tue Nov 12 14:18:00 2019, Number of Pages: 1, Number of Words: 44, Number of Characters: 254, Security: 0
MD5:

577C09131DB747D83A58C8029FEA63C1

SHA1:

04F03D073444E754EAA69DA4227781BFDD3ED177

SHA256:

284AD2239CC0F333450F8DAE671FC4F08B042A56614D1E72CC7972AF58F1B085

SSDEEP:

3072:NgveLuqK1MH+UaqFh51r/SzFaSaJGBrjC48+WZ/POhh+/gP:NgveLuqK1MHNaqjSzGJD48+aPOn1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2152)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2152)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 297
Paragraphs: 1
Lines: 2
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 254
Words: 44
Pages: 1
ModifyDate: 2019:11:12 14:18:00
CreateDate: 2019:11:12 14:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Lucien Hohnheiser
Subject: -
Title: Est quasi deleniti.
No data.
Total processes
35
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

start winword.exe no specs

Process information

PID: 2152
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ARQUIVO 112019.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
1 642
Read events
906
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
21

Dropped files

PID | Process | Filename | Type

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7D3.tmp.cvr | -
MD5: -
SHA256: -

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\507F666E.wmf | wmf
MD5: 3698146FD66506565A70EFC98F13CA64
SHA256: DE01659CFCD0EA000EC8F7251B6F3EE22BDD80BB2778876C9D23C6611B4C39B7

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\829F49E1.wmf | wmf
MD5: 663D37242EACE73CEDF89AF47919D2ED
SHA256: 5A5B736A14E16A90FA2BF35AE63892E03CB79A6B82808B017ED9530EA09DE2C1

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C2F139A.wmf | wmf
MD5: B3F05EFFF594A679302F8EE24D1BA2B3
SHA256: 4CEA9BEB60BFA867D9EEF532B081A1820C2CC847605F77D71BC69EA3D8316B4A

2152 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 8B378DCC62035BBABEF8B1C2A131A338
SHA256: 7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$QUIVO 112019.doc | pgc
MD5: BA1AF6B944BE48C8AB8DDEFD8DBAC726
SHA256: BE96DB2EF7373D9C92A16B1C1CCC1151DEC7A792881F40B8AF30D9E643C001E3

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BEDD86.wmf | wmf
MD5: 5204181254DBC6385B32C57FD60EBECF
SHA256: 5751C64B8905CBA7DAA42A36EAA44766F294FC0A0D2C4BF868400BB8C2A4FC9F

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25E8AEB8.wmf | wmf
MD5: E1E09CD185CFFDB6683E838F40B64E5C
SHA256: 318B55A5502A34CCD68D8A11D2D8276492308CFC9345D7259666779531BFE446

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52D6ACBD.wmf | wmf
MD5: 7DF5DDA1A8E1B00241BE829CEDB56AB6
SHA256: 41F4772D4778EE70CACEF74D366FCEE8E309981E8401D894F63C68000154D988

2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37138CAC.wmf | wmf
MD5: 2555A54141FB980239AAE296DD64012A
SHA256: F67C8D0973D5A66AF69AA7F3616EF69887E75223986F1B06A9B071BBCDB1E395
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info