File name: 4ac1525cbf2b6215670d2c5738af5a257eda436a38e8d5dde30b2dca60cdb7d1.doc
Full analysis: https://app.any.run/tasks/add70e5b-e41c-415d-b7a9-99a9a887e37f
Verdict: Malicious activity
Analysis date: May 21, 2019, 01:58:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: A83341D3292CFA52A1734DDF1352E072
SHA1: B686684C7AC411599BF3F36F699B6C87B2875A55
SHA256: 4AC1525CBF2B6215670D2C5738AF5A257EDA436A38E8D5DDE30B2DCA60CDB7D1
SSDEEP: 24576:yEKAJERsah3X/Ckg+9inUs8/oc7TiSS+smn6NpL35hcwYL0bStf4no5lBbC4:ymEr3PvT2UrAc7TBGpL47dflbr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 1PRIC‮slx.exe (PID: 2988)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2960)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2960)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2960)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2960)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 64
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Назва (Ukrainian for "Title")
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 24
Words: 41
Pages: 1
TotalEditTime: 4 minutes
Template: Normal.dotm
ModifyDate: 2019:05:20 15:16:00Z
CreateDate: 2019:05:20 15:12:00Z
RevisionNumber: 4
LastModifiedBy: [email protected]
Keywords: -

XMP

Description: -
Creator: [email protected]
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1460
ZipCompressedSize: 373
ZipCRC: 0x24886c04
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

winword.exe -> drop and start -> 1pric‮slx.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4ac1525cbf2b6215670d2c5738af5a257eda436a38e8d5dde30b2dca60cdb7d1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000
2988 | "C:\Users\admin\AppData\Local\Temp\1PRIC‮slx.exe" | C:\Users\admin\AppData\Local\Temp\1PRIC‮slx.exe | - | WINWORD.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 10

Note: the dropped file's name contains the Unicode right-to-left override character (U+202E) between "1PRIC" and "slx.exe", so in a directory listing the ".exe" extension can display as part of a ".xls"-looking name.
Total events: 1 509
Read events: 822
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREC23.tmp.cvr | -
  MD5:
  SHA256:
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48926C04.emf | emf
  MD5: 1EBE8A5E7B468570ACA29D5ACB0B9C84
  SHA256: 832B8EF38E4698C1C717321232ADB2A79B8A0171B5AE2E7964F17BBECEDFC2F3
2960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: E1DC7BFE4381B1F6F3E885DB1412B654
  SHA256: F206EE7DE362C26BBA540A673D937204836BBEAADBB3ACD071FC7F5CC02D7CEF
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$c1525cbf2b6215670d2c5738af5a257eda436a38e8d5dde30b2dca60cdb7d1.doc | pgc
  MD5: A87E5D3361C70B75CA07E84207899BFC
  SHA256: 507274B85E685572A8C3B41A47C016156733133A5FFF6518C2A567A50C4A5006
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1PRIC‮slx.exe | executable
  MD5: 43A8EF1DA6FD1CFF1D2DC73BD6C59697
  SHA256: 3B2E8D42C845F9650C970AF6244327EEC8F525CB8A6F21BBF59367365DF9B9A6
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info