File name: Davos 2019 Einladung_86014847_10.12.2018.docx
Full analysis: https://app.any.run/tasks/c17440b4-aff7-4eac-873a-fb8f9a6707aa
Verdict: Malicious activity
Analysis date: December 18, 2018, 11:23:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, ole-embedded
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 0291D710703D712022582BF0BD74637E
SHA1: D8E96BB7DEA8BD4722F9A077D0B24E2FC104E5ED
SHA256: 4C16B4AF0703379D42B6F89E49C174B5850AAF91B7DB19FC12935B6C72035DFF
SSDEEP: 1536:jwv4Vw7CUBs78Uj19tCapEeGezdQyLMuCjZaLQB3IGPhvuwugsn:jwvoQCU2jrQQEe9ZQYmZmQBYGpuwugsn

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2488)
      • cmd.exe (PID: 3256)
    • Starts CMD.EXE for command execution

      • WINWORD.EXE (PID: 2724)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2724)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • cmd.exe (PID: 2488)
    • Application launched itself

      • cmd.exe (PID: 2488)
    • Creates files in the user directory

      • powershell.exe (PID: 3472)
      • powershell.exe (PID: 2584)
    • Executes scripts

      • cmd.exe (PID: 2488)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2724)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2724)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:12:10 13:11:16
ZipCRC: 0xb8b18cf8
ZipCompressedSize: 1444
ZipUncompressedSize: 6303
ZipFileName: word/document.xml

XMP

Title: Davos 2019 Einladung N86014847
Subject: Davos 2019 Einladung N86014847
Creator: Milos Heinz-Dietz
Description: Fugit beatae possimus voluptates impedit.

XML

Keywords: mollitia, tenetur, commodi
LastModifiedBy: Milos Heinz-Dietz
RevisionNumber: 661554
CreateDate: 2018:12:03 20:04:07Z
ModifyDate: 2018:12:03 20:04:07Z
Category: asperiores
Template: Normal
Pages: 78
Words: 36909
Characters: 73818
CharactersWithSpaces: 73818
Application: Microsoft Office Word
Lines: 5874
Paragraphs: 170
Manager: Armin Täsche
Company: Trubin AG & Co. OHG
AppVersion: 12
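The container facts above (TRiD and EXIF identify the file as a ZIP-based Office Open XML document, the tags say "ole-embedded" and "generated-doc", and "Einladung" is German for "invitation") are what an analyst checks statically before detonation. The script below is an added example written by the editor, not ANY.RUN code and not anything extracted from the sample: it opens a .docx as a ZIP, lists the parts under word/embeddings/, flags a Packager object by the \x01Ole10Native stream name that Packager objects carry inside their Compound File (the editor's heuristic; the report does not list the embedding itself or its hash), and tests the docProps/app.xml word count against the size of word/document.xml. On this sample those numbers are 36,909 claimed words against a 6,303-byte body, which cannot be real and is consistent with the lorem-ipsum style Description and Keywords fields. The input document is constructed in memory so the script runs offline.

```python
"""Static triage of a .docx container before detonation (added example)."""
import hashlib
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary header
# Packager objects store their payload in a stream named "\x01Ole10Native";
# CFB directory entries hold names as UTF-16LE, so search for that encoding.
OLE10NATIVE = "Ole10Native".encode("utf-16-le")
EMBEDDING_RE = re.compile(r"^word/embeddings/", re.IGNORECASE)
WORDS_RE = re.compile(rb"<Words>(\d+)</Words>")


def triage_docx(data: bytes) -> dict:
    """Container facts an analyst wants before opening the file in a sandbox."""
    out = {"is_zip": False, "parts": [], "embeddings": [], "has_vba": False,
           "claimed_words": None, "document_xml_bytes": None, "metadata_implausible": False}
    if not data.startswith(b"PK\x03\x04"):
        return out
    out["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            out["parts"].append(name)
            if name.lower() == "word/vbaproject.bin":
                out["has_vba"] = True
            elif name.lower() == "word/document.xml":
                out["document_xml_bytes"] = info.file_size      # uncompressed size
            elif name.lower() == "docprops/app.xml":
                m = WORDS_RE.search(zf.read(info))
                if m:
                    out["claimed_words"] = int(m.group(1))
            elif EMBEDDING_RE.match(name):
                blob = zf.read(info)
                out["embeddings"].append({
                    "part": name,
                    "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "is_cfb": blob.startswith(OLE_MAGIC),
                    "is_packager": OLE10NATIVE in blob,        # heuristic, see lead-in
                })
    # Every word needs at least one byte of text in document.xml, so a word
    # count above the body's byte length is fabricated metadata.
    if out["claimed_words"] is not None and out["document_xml_bytes"] is not None:
        out["metadata_implausible"] = out["claimed_words"] > out["document_xml_bytes"]
    return out


def build_sample() -> bytes:
    """Constructed input: a tiny docx with one Packager-style embedding, the
    report's claimed word count (36909) and a body of the report's size (6303 bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>" + "x" * 6278 + "</w:document>")
        zf.writestr("docProps/app.xml",
                    "<Properties><Words>36909</Words><Pages>78</Pages></Properties>")
        ole = OLE_MAGIC + b"\x00" * 504 + b"\x01\x00" + OLE10NATIVE + b"\x00" * 64
        zf.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_docx(build_sample()).items():
        print(f"{key}: {value}")
```

The SHA256 recorded per embedding is of the whole oleObject1.bin part, which wraps the packaged file in a stream header; it will therefore not equal the hash of the file that Packager later extracts to %TEMP% (the report's "Microsoft Word Image viewer.cmd", SHA256 85B2789C...). Confirming that the dropped .cmd came out of the embedding needs the \x01Ole10Native stream parsed and its payload hashed separately, which this example does not do.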
Total processes: 38
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (image not reproduced; nodes as listed in the graph): start, winword.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe, wscript.exe. No process-level indicators are attached to any node.

Process information

(The table's Indicators column is empty for every process.)

PID 2724  WINWORD.EXE
  CMD:     "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Davos 2019 Einladung_86014847_10.12.2018.docx"
  Path:    C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent:  explorer.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Microsoft Word   Version: 14.0.6024.1000

PID 2488  cmd.exe
  CMD:     cmd /c ""C:\Users\admin\AppData\Local\Temp\Microsoft Word Image viewer.cmd" "
  Path:    C:\Windows\system32\cmd.exe
  Parent:  WINWORD.EXE
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows Command Processor   Exit code: 0   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3256  cmd.exe
  CMD:     C:\Windows\system32\cmd.exe /c powershell -WindowStyle hidden -c "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"
  Path:    C:\Windows\system32\cmd.exe
  Parent:  cmd.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows Command Processor   Exit code: 0   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3472  powershell.exe
  CMD:     powershell -WindowStyle hidden -c "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"
  Path:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent:  cmd.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows PowerShell   Exit code: 0   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2584  powershell.exe
  CMD:     powershell -WindowStyle hidden -Command "[IO.File]::WriteAllBytes($env:iNyrUYwSFR, [System.Convert]::FromBase64String([IO.File]::ReadAllText($env:iNyrUYwSFR)));"
  Path:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent:  cmd.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows PowerShell   Exit code: 0   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3628  wscript.exe
  CMD:     wscript C:\Users\admin\AppData\Local\Temp\OQxvqCZ.js
  Path:    C:\Windows\system32\wscript.exe
  Parent:  cmd.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Microsoft ® Windows Based Script Host   Exit code: 0   Version: 5.8.7600.16385
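The process table reads as a staged loader: Word writes "Microsoft Word Image viewer.cmd" to %TEMP% and cmd.exe (2488) runs it; that script asks PowerShell (via 3256/3472) for a random 5- to 14-character alphanumeric name, has a second PowerShell (2584) base64-decode a file in place through the path in the iNyrUYwSFR environment variable, and finally hands OQxvqCZ.js to wscript.exe (3628). The script below is an added example by the editor, not ANY.RUN output and not code from the sample. It replays the six process records as detection logic and mirrors PID 2584's one-liner in Python. The records are constructed from the table; the parent PIDs of 3256, 2584 and 3628 are inferred, since the table only names the parent image (cmd.exe) and 2488 is the cmd.exe the report flags as having launched itself; the rule names are the editor's, not ANY.RUN signature names.

```python
"""Process-tree triage over the six monitored processes (added example).

PROCS is constructed from the report's process table; ppid values for
3256, 2584 and 3628 are inferred as explained in the lead-in.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str            # lower-case image file name
    cmdline: str
    ppid: Optional[int]   # None for the root of the tree


TEMP = r"C:\Users\admin\AppData\Local\Temp"
RANDOM_NAME_PS = ('powershell -WindowStyle hidden -c "(-join ((48..57)+(65..90)+(97..122) '
                  '| Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"')
DECODE_PS = ('powershell -WindowStyle hidden -Command "[IO.File]::WriteAllBytes($env:iNyrUYwSFR, '
             '[System.Convert]::FromBase64String([IO.File]::ReadAllText($env:iNyrUYwSFR)));"')

PROCS = [
    Proc(2724, "winword.exe",
         rf'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "{TEMP}\Davos 2019 Einladung_86014847_10.12.2018.docx"',
         None),
    Proc(2488, "cmd.exe", rf'cmd /c ""{TEMP}\Microsoft Word Image viewer.cmd" "', 2724),
    Proc(3256, "cmd.exe", r"C:\Windows\system32\cmd.exe /c " + RANDOM_NAME_PS, 2488),   # ppid inferred
    Proc(3472, "powershell.exe", RANDOM_NAME_PS, 3256),
    Proc(2584, "powershell.exe", DECODE_PS, 2488),                                       # ppid inferred
    Proc(3628, "wscript.exe", rf"wscript {TEMP}\OQxvqCZ.js", 2488),                      # ppid inferred
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

RULES = {
    # an Office application should not be the parent of a shell or script host
    "office_spawns_script_host": lambda p, par: par is not None and par.image in OFFICE and p.image in SCRIPT_HOSTS,
    # cmd.exe executing a .cmd/.bat that lives under %TEMP%
    "cmd_runs_script_from_temp": lambda p, par: p.image == "cmd.exe"
        and bool(re.search(r"\\temp\\[^\"]+\.(cmd|bat)\b", p.cmdline, re.I)),
    # hidden PowerShell window plus FromBase64String: decoding a staged payload
    "hidden_powershell_base64_decode": lambda p, par: p.image == "powershell.exe"
        and "-windowstyle hidden" in p.cmdline.lower() and "frombase64string" in p.cmdline.lower(),
    # Windows Script Host running a script file out of %TEMP%
    "script_host_runs_file_from_temp": lambda p, par: p.image in {"wscript.exe", "cscript.exe"}
        and bool(re.search(r"\\temp\\\S+\.(js|jse|vbs|vbe|wsf)\b", p.cmdline, re.I)),
}


def evaluate(procs):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    by_pid = {p.pid: p for p in procs}
    hits = {}
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        fired = [name for name, rule in RULES.items() if rule(p, parent)]
        if fired:
            hits[p.pid] = fired
    return hits


def ancestry(procs, pid):
    """Image names from the root of the tree down to the given pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def decode_in_place(path):
    """Python equivalent of PID 2584's one-liner: read the file as text,
    base64-decode it and overwrite the same file with the raw bytes."""
    with open(path, "r", encoding="ascii") as fh:
        raw = base64.b64decode(fh.read())
    with open(path, "wb") as fh:
        fh.write(raw)
    return raw


def demo_decode():
    """Constructed stand-in for the staged file (not the real OQxvqCZ.js):
    base64 text in a temp file, decoded in place; True if the round trip holds."""
    payload = b"WScript.Echo('constructed sample, not the real OQxvqCZ.js');"
    fd, path = tempfile.mkstemp(suffix=".js")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(base64.b64encode(payload).decode("ascii"))
    try:
        return decode_in_place(path) == payload
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for pid, names in evaluate(PROCS).items():
        print(pid, " -> ".join(ancestry(PROCS, pid)), names)
    print("in-place decode round trip:", demo_decode())
```

Two details of the generator in PID 3472 matter when hunting for the dropped files: Get-Random's -Maximum is exclusive, so the names are 5 to 14 characters long, and Get-Random -Count draws from the character range without replacement, so no character repeats. The dropped OQxvqCZ.js (7 characters) and the variable name iNyrUYwSFR (10 characters) both fit that generator; the report does not record which path $env:iNyrUYwSFR held, so treating OQxvqCZ.js as the decoded file is an inference. With zero network connections, DNS requests and HTTP requests recorded, the report says nothing about what the JavaScript stage then does.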
Total events: 1597
Read events: 1144
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 4
Text files: 51
Unknown types: 2

Dropped files

PID   Process          Filename (type, where the report gives one)
2724  WINWORD.EXE      C:\Users\admin\AppData\Local\Temp\CVR8718.tmp.cvr
      MD5: not listed   SHA256: not listed
2724  WINWORD.EXE      C:\Users\admin\AppData\Local\Temp\mso8A55.tmp
      MD5: not listed   SHA256: not listed
2724  WINWORD.EXE      C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F83B82B0.jpeg
      MD5: not listed   SHA256: not listed
3472  powershell.exe   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\39D4904OEO4P35ETGQ2M.temp
      MD5: not listed   SHA256: not listed
2584  powershell.exe   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9L60FRLA0DMO19IAL1T9.temp
      MD5: not listed   SHA256: not listed
2724  WINWORD.EXE      C:\Users\admin\AppData\Local\Temp\~$vos 2019 Einladung_86014847_10.12.2018.docx (pgc)
      MD5: 980E6BBF93AF6FA505064D7E6F202C46
      SHA256: 32AAB3504A3EE76BEEFDB6FA885CD764AE1B3437F16752870AEF89D041F3CD72
3472  powershell.exe   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (binary)
      MD5: 901ECDF767744E6BB59CB023757886E3
      SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2724  WINWORD.EXE      C:\Users\admin\AppData\Local\Temp\Microsoft Word Image viewer.cmd (text)
      MD5: EE18B4A81FDD14C1CAD74FB9EAFE67B6
      SHA256: 85B2789CD03EA57163A1DAA67C2D6B48EE078D3568AD13C92A824EEF04F63836
2724  WINWORD.EXE      C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (pgc)
      MD5: 41379A924454D4DBF21EC8153C20C10F
      SHA256: 0C15CF2B44D7D8698623838B4214E135CD0F5B33F8FE0D860DBE04AB98A65B80
2488  cmd.exe          C:\Users\admin\AppData\Local\Temp\OQxvqCZ.js (text)
      MD5: 870377FBEB8E245A033F4C24EE80A183
      SHA256: 1FFF772785666F57AA6AA5ECE68F9980906BD391568F482D18F556DAE6E0BD3E
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info