analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

OLE.docx

Full analysis: https://app.any.run/tasks/db46d830-1b13-4ce7-8414-64526cb0ef46
Verdict: Malicious activity
Analysis date: July 11, 2019, 13:00:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

5790E2D6B74F68F02B6282147F06EA5B

SHA1:

B55F3738F3D43DFFC7160A9502C79D3912A39502

SHA256:

29C7AF1089F5D1C9D7AC3CDA1EF45673807D7795802E0A45310C78C28B612472

SSDEEP:

6144:GZ+jkV8fbJ5i0WePgx1GIAQqS19SUWssyBVry5nV7tF:GZ9gbJge2GDS1vW9yBVryNF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • investment proposal (2).scr (PID: 872)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3328)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3328)

    • Loads the Task Scheduler COM API

      • investment proposal (2).scr (PID: 872)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 3328)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3328)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 15
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 20
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 18
Words: 3
Pages: 1
TotalEditTime: 2 minutes
Template: Normal
ModifyDate: 2019:07:10 09:28:00Z
CreateDate: 2019:07:10 09:26:00Z
RevisionNumber: 3
LastModifiedBy: Opal
Keywords: -

XMP

Description: -
Creator: Opal
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1460
ZipCompressedSize: 373
ZipCRC: 0x24886c04
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe investment proposal (2).scr

Process information

PID
CMD
Path
Indicators
Parent process
3328"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\OLE.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
872"C:\Users\admin\AppData\Local\Temp\investment proposal (2).scr" /SC:\Users\admin\AppData\Local\Temp\investment proposal (2).scr
WINWORD.EXE
User:
admin
Company:
G&G Software
Integrity Level:
MEDIUM
Description:
Controversy Bilingual Forks Councils Stocks
Version:
6.3.2.4
Total events
1 409
Read events
758
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B32.tmp.cvr
MD5:
SHA256:
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$OLE.docxpgc
MD5:B68CA6A336CD8DF5F6D9BCC9B275A596
SHA256:1DDAFEB6F100BB3000176EA806E1307622749D8E8753B9102E6CDCEEF26FF6E8
3328WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:5FEB07E3A262A925150E11542B57885E
SHA256:5EE878A6F80803BD9F14CC878656A4F27E47550BE4D47120A81C476B67C311FD
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\investment proposal (2).screxecutable
MD5:33E14179BC13A5AEAD84E7351C806E87
SHA256:D97264C62FED820A59F52D3F451A60961399D11DAC54622B5EEF6F72DD12C66B
3328WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C4BE25D.emfemf
MD5:0703026B83B08048C0652ADCF478E70B
SHA256:5688A413FBB9DC0C5D449049827E71079E2B638C08DFD6D04BFFC47D2BABA1C6
872investment proposal (2).scrC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ggkcowbacuayicoog[1].txthtml
MD5:E6B47C20212ED830766B93BFE45B2359
SHA256:CDAFD300AE8A3AE552E7BDD29BE346F031C91E40D25CF5EF397AA6B4FCC59E8D
872investment proposal (2).scrC:\Users\admin\AppData\Local\Temp\¢Ïwmf
MD5:FF848E8240B1764C1D0D782A3AFF3C61
SHA256:1A5B30FFE6C7ED3E73D981BC48D34770B48E95F1005504835CF4E07AB8F05270
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
872
investment proposal (2).scr
185.243.114.220:443
securegrandix.com
suspicious

DNS requests

Domain
IP
Reputation
securegrandix.com
  • 185.243.114.220
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
OLE.docx