analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

350ffb79008e7fccc184c73947de4f0c8f583ef640b030357029875840ed19a1

Full analysis: https://app.any.run/tasks/979f2212-ae90-48be-91b5-1dd0e217d5dd
Verdict: Malicious activity
Analysis date: May 20, 2019, 18:04:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: MacOS, Version 10.3, Code page: 10000, Title: Double Click to merge, Author: Lauchland, Henry, Template: Normal, Last Saved By: Carol Fisher, Revision Number: 7, Name of Creating Application: Microsoft Word 8.0, Total Editing Time: 16:00, Last Printed: Wed May 9 22:21:00 2001, Create Time/Date: Wed May 9 23:19:00 2001, Last Saved Time/Date: Fri May 11 17:36:00 2001, Number of Pages: 4, Number of Words: 878, Number of Characters: 5005, Security: 0
MD5:

CD22EBEE28CDDE71F7A7DD10B8B08A36

SHA1:

3B5A66812AFBB63B500A577B3E6BE93B0EF0F502

SHA256:

350FFB79008E7FCCC184C73947DE4F0C8F583EF640B030357029875840ED19A1

SSDEEP:

192:DCHp74vDUPUyPTaPN4Q3QUZZm8ZAVA+wAlA9vBl+ctbpUcVV6DmYcpMag551NZhS:DCHNUDMUyPTaZa/A+iBlzpUkpMD55PS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3368)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3368)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Double Click to merge
Subject: -
Author: Lauchland, Henry
Keywords: -
Template: Normal
LastModifiedBy: Carol Fisher
RevisionNumber: 7
Software: Microsoft Word 8.0
TotalEditTime: 16.0 minutes
LastPrinted: 2001:05:09 21:21:00
CreateDate: 2001:05:09 22:19:00
ModifyDate: 2001:05:11 16:36:00
Pages: 4
Words: 878
Characters: 5005
Security: None
Company: CALTRANS
Lines: 41
Paragraphs: 10
CharCountWithSpaces: 6146
AppVersion: 8.573
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Double Click to merge
HeadingPairs:
  • Title
  • 1
CodePage: Mac Roman (Western European)
Tag_PID_GUID: {70F0C93F-83A0-11D2-9E11-000502D9EE01}
CompObjUserTypeLen: 24
CompObjUserType: Microsoft Word Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs fltldr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3368"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\350ffb79008e7fccc184c73947de4f0c8f583ef640b030357029875840ed19a1.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2356"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLTC:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEWINWORD.EXE
User:
admin
Integrity Level:
LOW
Exit code:
0
Total events
1 068
Read events
739
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR66.tmp.cvr
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_5FB98855-C00A-48E5-B96F-8BB9C3427F05.0\FL633.tmp
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D8BB270.pctgmc
MD5:B30736E06FE8FA4C083B1F723A5EFD5E
SHA256:761D7A4969124D95CDF66FE148F2336940E4F2050A454C74F180553972EC74D4
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D620AFB1.wmfwmf
MD5:9134676542A7426AF4DDEEB3BD797965
SHA256:41DF1FE04DDE6D30511E5894BB5B53173F901A0D2823572687BCF2435361E5EE
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$0ffb79008e7fccc184c73947de4f0c8f583ef640b030357029875840ed19a1.docpgc
MD5:5E53085D1B6C26E82F61B5AC91D80CBD
SHA256:900DD83588123F736BCE809253CE323AF5DF64B88B46CB6C9E3FE33E53153A1D
3368WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:506993E8AB6FE16F209F744CD7642471
SHA256:805CCC7CBA103AE2083DF80D1083128BAE4AC9D3134E1AB4B965B413A55AD71C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
350ffb79008e7fccc184c73947de4f0c8f583ef640b030357029875840ed19a1