Malware analysis sample.doc Malicious activity | ANY.RUN

Add for printing

File name:	sample.doc
Full analysis:	https://app.any.run/tasks/05029e35-2383-4fe4-81c1-f2d6847c3cb9
Verdict:	Malicious activity
Analysis date:	January 26, 2024, 15:01:46
OS:	Ubuntu 22.04.2
Tags:	generated-doc
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	52945AF1DEF85B171870B31FA4782E52
SHA1:	06727FFDA60359236A8029E0B3E8A0FD11C23313
SHA256:	4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784
SSDEEP:	192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads passwd file
  - soffice.bin (PID: 6877)
  - soffice.bin (PID: 6876)
  - oosplash (PID: 6860)
  - ls (PID: 6866)
- Checks system locale (may determine the language used by the system)
  - oosplash (PID: 6860)
- Executes commands using command-line interpreter
  - soffice.bin (PID: 6876)
- Creates files in the user directory
  - soffice.bin (PID: 6876)
INFO
- Checks timezone
  - sudo (PID: 6859)
  - ls (PID: 6866)
  - soffice.bin (PID: 6876)
- Creates file in the temporary folder
  - soffice.bin (PID: 6876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.docx	\|	Word Microsoft Office Open XML Format document (52.2)
.zip	\|	Open Packaging Conventions container (38.8)
.zip	\|	ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2022:05:26 23:08:14
ZipCRC:	0x6cd2a4df
ZipCompressedSize:	340
ZipUncompressedSize:	1312
ZipFileName:	[Content_Types].xml

XML

Template:	Normal
TotalEditTime:	-
Pages:	1
Words:	-
Characters:	-
Application:	Microsoft Office Word
DocSecurity:	None
Lines:	-
Paragraphs:	-
ScaleCrop:	No
Company:	-
LinksUpToDate:	No
CharactersWithSpaces:	-
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	16
Keywords:	-
LastModifiedBy:	KIS2
RevisionNumber:	3
CreateDate:	2022:05:25 13:14:00Z
ModifyDate:	2022:05:25 13:14:00Z

XMP

Title:	-
Subject:	-
Creator:	KIS2
Description:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

250

Monitored processes

31

Malicious processes

0

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
6858	/bin/sh -c "DISPLAY=:0 sudo -iu user libreoffice --writer \"/tmp/sample\.doc\.docx\" "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
6859	sudo -iu user libreoffice --writer /tmp/sample.doc.docx	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
6860	/usr/lib/libreoffice/program/oosplash --writer /tmp/sample.doc.docx	/usr/lib/libreoffice/program/oosplash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
6861	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	oosplash
User: user Integrity Level: UNKNOWN Exit code: 0
6862	/bin/sh /usr/bin/libreoffice --writer /tmp/sample.doc.docx	/usr/bin/dash	—	oosplash
User: user Integrity Level: UNKNOWN Exit code: 0
6863	dirname /usr/bin/libreoffice	/usr/bin/dirname	—	oosplash
User: user Integrity Level: UNKNOWN Exit code: 0
6864	basename /usr/bin/libreoffice	/usr/bin/basename	—	oosplash
User: user Integrity Level: UNKNOWN Exit code: 0
6865	/bin/sh /usr/bin/libreoffice --writer /tmp/sample.doc.docx	/usr/bin/dash	—	oosplash
User: user Integrity Level: UNKNOWN Exit code: 0
6866	ls -l libreoffice	/usr/bin/ls	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
6867	sed "s/\.*libreoffice -> //g"	/usr/bin/sed	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
6876	soffice.bin	/home/user/.config/libreoffice/4/.lock		—
		MD5:—	SHA256:—
6876	soffice.bin	/home/user/.config/libreoffice/4/user/uno_packages/cache/stamp.sys		—
		MD5:—	SHA256:—
6876	soffice.bin	/home/user/.config/libreoffice/4/user/extensions/tmp/stamp.sys		—
		MD5:—	SHA256:—
6876	soffice.bin	/home/user/.config/libreoffice/4/user/extensions/bundled/lastsynchronized		—
		MD5:—	SHA256:—
6876	soffice.bin	/home/user/.config/libreoffice/4/user/extensions/shared/lastsynchronized		—
		MD5:—	SHA256:—
6876	soffice.bin	/home/user/.config/libreoffice/4/user/4qT1hx		—
		MD5:—	SHA256:—
6876	soffice.bin	/tmp/lu687625mip.tmp/lu687625miq.tmp		—
		MD5:—	SHA256:—
6876	soffice.bin	/tmp/lu687625mip.tmp/lu687625mir.tmp		—
		MD5:—	SHA256:—
6876	soffice.bin	/tmp/lu687625mip.tmp/lu687625mis.tmp		—
		MD5:—	SHA256:—
6876	soffice.bin	/tmp/lu687625mip.tmp/lu687625mit.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

2

TCP/UDP connections

8

DNS requests

13

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown
—	—	GET	204	34.122.121.32:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	unknown
—	—	156.146.33.137:443	—	Datacamp Limited	DE	unknown
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	156.146.33.140:443	—	Datacamp Limited	DE	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
58.100.168.192.in-addr.arpa	—	unknown
api.snapcraft.io	185.125.188.55 185.125.188.58 185.125.188.59 185.125.188.54	unknown
connectivity-check.ubuntu.com	2620:2d:4000:1::2a 2620:2d:4000:1::2b 2001:67c:1562::23 2620:2d:4000:1::22 2620:2d:4000:1::23 2001:67c:1562::24 34.122.121.32 185.125.190.49 185.125.190.48 185.125.190.18 91.189.91.49 35.224.170.84 91.189.91.48 185.125.190.17 35.232.111.17	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

sample.doc

52945AF1DEF85B171870B31FA4782E52

06727FFDA60359236A8029E0B3E8A0FD11C23313

4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784

192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads passwd file

Checks system locale (may determine the language used by the system)

Executes commands using command-line interpreter

Creates files in the user directory

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

TRiD

EXIF

ZIP

XML

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings