File name: 334d50f3ced57bb7540f2498705f3e8897148b4d30816be8b3721c49d2d08fe7

Full analysis: https://app.any.run/tasks/82bdf51d-75e2-427a-80f7-40f59dbbe9f5
Verdict: Malicious activity
Analysis date: August 25, 2019, 12:55:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: DFAD7D4A7ECB2EED6D69ABFBFB5F94C9
SHA1: 88B3189A1F33A0251272C0E4ADC775E2DB3F4EE5
SHA256: 334D50F3CED57BB7540F2498705F3E8897148B4D30816BE8B3721C49D2D08FE7
SSDEEP: 192:rooBVpXRqFlUbjoqn2VRwvTN81fydFQG4z2lJY26qjC+/5q:VV9RqDUbcc2VRwraQdOoJY26ubq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2928)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2928)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (41.2)
.zip | Open Packaging Conventions container (30.6)
.ubox | Universe Sandbox simulation (21)
.zip | ZIP compressed archive (7)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:10:12 06:16:09
ZipCRC: 0xeea5f986
ZipCompressedSize: 355
ZipUncompressedSize: 1364
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 315
Characters: 1802
Application: Microsoft Office Word
DocSecurity: None
Lines: 15
Paragraphs: 4
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 2113
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
Keywords: -
LastModifiedBy: Charlie
RevisionNumber: 3
CreateDate: 2018:10:11 12:14:00Z
ModifyDate: 2018:10:11 12:14:00Z

XMP

Title: -
Subject: -
Creator: Charlie
Description: -
No data.
Total processes: 32
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> winword.exe

Process information

PID | CMD | Path | Indicators | Parent process
2928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\334d50f3ced57bb7540f2498705f3e8897148b4d30816be8b3721c49d2d08fe7.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

Total events: 275
Read events: 247
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 24
Text files: 0
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B79.tmp | cvr | - | -
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D73BD7B1-1F8A-4780-98F8-06CF0D813810} | - | - | -
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2575BAE7-EBB6-49E2-B391-F12D501D9F7A} | - | - | -
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B53D675E-13FA-4E87-B421-988F04207777}.FSD | binary | E5353058A2EC5518C0521696523D87F8 | 242B52D08C47FF7104CC80D92C65CB8BAAA82F282A6BCB8E8E1A039CDF3C429D
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | C8844EC52F71838969834A48524C7328 | 63E66985393D853C52CB51D8977FCA9F1ABD79283ADD3A59434F08CCB7AE6489
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8253A95.emf | emf | 1B76675B86F1433D15822E75F858338F | 7D3D98835D2C9C355B5C9F1003C18F805EB2955C7AA76A910E3BA34DE7E2EDF6
2928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0A0D31AF62C5D5CF32A1200EEAAB7A92 | 4245C829DC2746A0D44B7F2B1235F77ABFCA9525FB7BC37F4380AC844B0F5843
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 92EB9923F9F9D97FB8B9CA41A6D7D6BF | 69D8D61AFE8A217F6D560E856DFF124E794637267BE68486E4D20140ED6F5AF7
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{70C0F995-6473-4D45-9CC8-8D2CC93651F9}.FSD | binary | 3287ED50AD00973B30DC72A972ED02BF | BA3D70F14FF04B2AF7517F67168C6DBAB69A210DFD7C2B6074100E34CDA82282
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | EE9F72CD24EE377E13A4AB3028BA0E66 | C25B5B1DBC26F26057ACC5F8A87A7F793F92EBD9A9FE807FAAB887ABF1C3E6F9
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2928 | WINWORD.EXE | OPTIONS | 200 | 58.158.177.102:80 | http://www.webserv-redir.net/images/67381F0B/-1/5272/3cdc4fcb/ | JP | - | - | malicious
2928 | WINWORD.EXE | HEAD | - | 58.158.177.102:80 | http://www.webserv-redir.net/images/67381F0B/-1/5272/3cdc4fcb/main.RTF | JP | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2928 | WINWORD.EXE | 58.158.177.102:80 | www.webserv-redir.net | UCOM Corp. | JP | malicious

DNS requests

Domain | IP | Reputation
www.webserv-redir.net | 58.158.177.102 | malicious

Threats

No threats detected
No debug info