analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

Anuncio%20importante.doc

Full analysis: https://app.any.run/tasks/4498b112-6e7b-4b7f-b5c9-1d8002475a39
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2019, 12:30:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Bil Smith, Template: Normal.dotm, Last Saved By: hp, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 11:00, Create Time/Date: Fri Oct 18 12:02:00 2019, Last Saved Time/Date: Mon Oct 21 19:43:00 2019, Number of Pages: 2, Number of Words: 549, Number of Characters: 3132, Security: 0
MD5:

BBEA066160CDAD85D59D474078BA235F

SHA1:

D4F60CDA197A655B8F9BA6EB65BC7A65B618C1CA

SHA256:

4060463D50360718740DF83648D11567CF0A9C6364EC97D7E16204C4D171A0E5

SSDEEP:

6144:At+hLvMToPbI+LK/Mm1rUJL1DoMiYVWepPKN:At+hDA+bxANqJFoMuCC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2752)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2752)
    • Application was dropped or rewritten from another process

      • zczjgiqco.exe (PID: 1756)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2752)
    • Downloads executable files from IP

      • WINWORD.EXE (PID: 2752)
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2752)
    • Executable content was dropped or overwritten

      • zczjgiqco.exe (PID: 1756)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2752)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Hyperlinks:
  • http://docs.camerfirma.com/publico/DocumentosWeb/certificadosjerarquias/ac_camerfirma_aapp.cer
  • http://docs.camerfirma.com/publico/DocumentosWeb/certificadosjerarquias/ac_camerfirma-2009.cer
  • http://www.cert.fnmt.es/certs/ACRAIZAPE.crt
  • http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt
  • http://www.mineco.gob.es/portal/site/mineco/menuitem.b6c80362d9873d0a91b0240e026041a0/?vgnextoid=9ae18b2b7d93d310VgnVCM1000001d04140aRCRD&lang_choosen=es
CodePage: Unicode (UTF-8)
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
CharCountWithSpaces: 3674
Paragraphs: 7
Lines: 26
Company: Microsoft
Security: None
Characters: 3132
Words: 549
Pages: 2
ModifyDate: 2019:10:21 18:43:00
CreateDate: 2019:10:18 11:02:00
TotalEditTime: 11.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: hp
Template: Normal.dotm
Keywords: -
Author: Bil Smith
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe zczjgiqco.exe

Process information

PID
CMD
Path
Indicators
Parent process
2752"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\086390d1-aad6-41b3-9339-d09ebd7c8a5a.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1756C:\Users\admin\AppData\Local\Temp\zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\zczjgiqco.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
934
Read events
861
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
2
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
2752WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA756.tmp.cvr
MD5:
SHA256:
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\cert2spc.exeexecutable
MD5:15D14D0403243F2939389B50E62A5D9C
SHA256:C25F774434AF1C494594D8315CA8CFD12257C53B8E3682E626B230B79DD5A863
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\x-ms-wmv.xmlxml
MD5:E967D140F6E8A484F6ADCA59502F48DB
SHA256:31D358BC620D3B2C5479D92D89D861E75FAA1FB90443250832E215F1179B1B5F
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\node-get.m2itext
MD5:CEA2900FB396AF7EF68B835C0EDFAACC
SHA256:E6AA09ED94AC9A5D3C93147DFF679F9F7A837DEEC098B7DDF981C8A871DBFCCD
2752WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$6390d1-aad6-41b3-9339-d09ebd7c8a5a.docpgc
MD5:1F9AB0FDCF68E301D94D2601D91B9B49
SHA256:D455CFCCD9522DD50E30569B846CDCD77576B329D5B97F2D545D36FC100820D3
2752WINWORD.EXEC:\Users\admin\AppData\Local\Temp\zczjgiqco.exeexecutable
MD5:049EF18418AFFCD542D9AA545BB07EE3
SHA256:4D056B87049EC7FCE672B40190BF8B5F9185395B7313D05BC196A655E7FE0C7A
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\color-widget.csstext
MD5:6D19F73209BE3B3A3BBE49BE4B154266
SHA256:9D4503641A0F00D190B9C9C2EDDADFECF2FFE37FED60C089C61F6E4EA30052DE
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\convrt3d.pngimage
MD5:0C42372A9F77D8F0FAEF6EEDE641502F
SHA256:21117C234C5012D5C28E49ED3845FC559AC7D0956B7CCF76A1994CA36FC4B2B2
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\votes\m3ufilename\objbrowser.gifimage
MD5:0A2DAD5F60A899ED2B7E6681B546D8E7
SHA256:41D748CB939642431AA8CC5C7008ED77AFF94431EB7F0F18E1C06B8DB5448E4F
1756zczjgiqco.exeC:\Users\admin\AppData\Local\Temp\Airframebinary
MD5:C432D2BCF0806DB55128182D1101E084
SHA256:61A6EA138049C3E7B2FF58525A1611CC1E0301F59C857685AE16DD1E10E397DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2752
WINWORD.EXE
GET
200
181.143.146.58:80
http://181.143.146.58/System32.exe
CO
executable
465 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2752
WINWORD.EXE
181.143.146.58:80
EPM Telecomunicaciones S.A. E.S.P.
CO
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2752
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2752
WINWORD.EXE
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
2752
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2752
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2752
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2752
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info