analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO-990101-0703.doc

Full analysis: https://app.any.run/tasks/ed6d8330-af0d-4625-8e1a-d2f357338ef7
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 08:08:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
formbook
stealer
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: PC, Template: Normal.dotm, Last Saved By: PC, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 13 22:55:00 2019, Last Saved Time/Date: Wed Mar 13 22:55:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

E3B75B5421C383D26B3DAA28D550AEEF

SHA1:

249FC53405AA94F66B71CD29855A9A70FF47F9EA

SHA256:

4EB0D63BDEAE06A5DE41E0E858316FE9A67D6305D003A6745DDEAC0E493B1929

SSDEEP:

1536:UYxSupfQcHOhWy9z40mamePd6ZpA+6LOA9iMPfaqx:UASupzukCz40rd6Zmt9iMPC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2864)

    • Application was dropped or rewritten from another process

      • 0956877.exe (PID: 3560)
      • 0956877.exe (PID: 3296)
      • b6qbld.exe (PID: 1688)
      • b6qbld.exe (PID: 4048)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3416)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2864)

    • Changes the autorun value in the registry

      • 0956877.exe (PID: 3560)
      • cmd.exe (PID: 3732)
      • b6qbld.exe (PID: 1688)

    • Runs app for hidden code execution

      • explorer.exe (PID: 116)

    • FORMBOOK was detected

      • explorer.exe (PID: 116)

    • Formbook was detected

      • cmd.exe (PID: 3732)
      • Firefox.exe (PID: 1704)

    • Connects to CnC server

      • explorer.exe (PID: 116)

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 3732)

    • Stealing of credential data

      • cmd.exe (PID: 3732)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 116)

    • Creates files in the user directory

      • explorer.exe (PID: 116)
      • powershell.exe (PID: 3416)
      • cmd.exe (PID: 3732)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3416)
      • 0956877.exe (PID: 3560)
      • DllHost.exe (PID: 2392)
      • explorer.exe (PID: 116)
      • b6qbld.exe (PID: 1688)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 116)
      • cmd.exe (PID: 3732)

    • Application launched itself

      • cmd.exe (PID: 3732)
      • 0956877.exe (PID: 3560)
      • b6qbld.exe (PID: 1688)

    • Loads DLL from Mozilla Firefox

      • cmd.exe (PID: 3732)

    • Creates files in the program directory

      • DllHost.exe (PID: 2392)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2864)

    • Starts Microsoft Office Application

      • explorer.exe (PID: 116)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2864)
      • Firefox.exe (PID: 1704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:03:13 22:55:00
CreateDate: 2019:03:13 22:55:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 4
LastModifiedBy: PC
Template: Normal.dotm
Comments: -
Keywords: -
Author: PC
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
12
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start winword.exe no specs powershell.exe 0956877.exe 0956877.exe no specs #FORMBOOK cmd.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object b6qbld.exe b6qbld.exe no specs cmstp.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2864"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO-990101-0703.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass C:\Users\admin\AppData\Roaming\dxfChFC.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3560"C:\Users\admin\AppData\Roaming\0956877.exe" C:\Users\admin\AppData\Roaming\0956877.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3296"C:\Users\admin\AppData\Roaming\0956877.exe" C:\Users\admin\AppData\Roaming\0956877.exe0956877.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3732"C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2156/c del "C:\Users\admin\AppData\Roaming\0956877.exe"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1704"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
cmd.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
2392C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1688"C:\Program Files\K8pmxrtbp\b6qbld.exe"C:\Program Files\K8pmxrtbp\b6qbld.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
4 293
Read events
3 846
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
75
Text files
4
Unknown types
12

Dropped files

PID
Process
Filename
Type
2864WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8737.tmp.cvr
MD5:
SHA256:
3416powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CNMJAUL7XT8WSWH3VZN5.temp
MD5:
SHA256:
2864WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF0777FFBBFCD89794.TMP
MD5:
SHA256:
2864WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0838EBC3-5685-4072-B773-B9657C2A57CB}.tmp
MD5:
SHA256:
2864WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{11726436-D478-4C30-A3D8-3ACEA91D099F}.tmp
MD5:
SHA256:
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:D2CE664F7189D341CC9077F9DAE3FCE4
SHA256:8CD3AF80057E012EFA6C4B2E32931B60DFE9608223BF9A1FFE49101AB0FCD9B7
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\PO-990101-0703.doc.lnklnk
MD5:A95E675CE68A8D9DE271E90B7C2E8BA3
SHA256:DF1726D8DF5FF70E76560D1DBB137E050C9AB7CDA2111F78E4EB1D07195EA5CE
2864WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:D06C09AC66DA54707DA777847D6D35FF
SHA256:803205644058729C5EBA193CDB70834AFF4E023B08CD01B630611C1AB127FF97
3416powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199b4c.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2864WINWORD.EXEC:\Users\admin\AppData\Roaming\dxfChFC.ps1text
MD5:6DA64DB8647BCC8E7FF4A57BC74EC42F
SHA256:ED9453F3EE4BB1BEE110EA6F3B3B4E8F9EE3FF0BC9E3F376997C362C355D9499
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
22
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
explorer.exe
GET
107.180.12.36:80
http://www.fumigacionesgrupomarroking.com/br/?8p=Gw8YIfbuZIAWdO6zSaqnbSyjTOQEkziATnx49FNtLJK8GtoM25npbaAX1u2PmizkisIA5g==&o2=iLj8LXix&sql=1
US
malicious
116
explorer.exe
POST
85.13.147.154:80
http://www.schulhaus-hotel.com/br/
DE
malicious
116
explorer.exe
POST
192.64.116.17:80
http://www.vaxosyk.com/br/
US
malicious
116
explorer.exe
GET
404
192.64.116.17:80
http://www.vaxosyk.com/br/?8p=CBl5s08pmgnt2NWnc95p9Mg//is/++YYL65jDk7RxbSMgEoqWoJjjLkS/E534VpIZLNvGw==&o2=iLj8LXix
US
html
326 b
malicious
116
explorer.exe
GET
200
74.220.199.6:80
http://www.bigsavings2day.com/br/?8p=sHGnyDvH+3+NfxRA9o4tV2tmc5uhhLzTgSd4jExe9n2m1YQzVMadvLjtxOs99fSuI4EwZA==&o2=iLj8LXix
US
html
4.71 Kb
malicious
116
explorer.exe
POST
107.180.12.36:80
http://www.fumigacionesgrupomarroking.com/br/
US
malicious
116
explorer.exe
POST
192.64.116.17:80
http://www.vaxosyk.com/br/
US
malicious
116
explorer.exe
POST
107.180.12.36:80
http://www.fumigacionesgrupomarroking.com/br/
US
malicious
3416
powershell.exe
GET
200
107.180.27.166:80
http://mincoindia.com/wp-admin/AI/0956877.exe
US
executable
1.05 Mb
malicious
116
explorer.exe
POST
85.13.147.154:80
http://www.schulhaus-hotel.com/br/
DE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
116
explorer.exe
85.13.147.154:80
www.schulhaus-hotel.com
Neue Medien Muennich GmbH
DE
malicious
116
explorer.exe
192.64.116.17:80
www.vaxosyk.com
Namecheap, Inc.
US
malicious
3416
powershell.exe
107.180.27.166:80
mincoindia.com
GoDaddy.com, LLC
US
malicious
116
explorer.exe
107.180.12.36:80
www.fumigacionesgrupomarroking.com
GoDaddy.com, LLC
US
malicious
116
explorer.exe
74.220.199.6:80
www.bigsavings2day.com
Unified Layer
US
malicious
116
explorer.exe
23.20.239.12:80
www.please-click.com
Amazon.com, Inc.
US
shared
116
explorer.exe
154.220.176.82:80
www.mobetier.com
MULTACOM CORPORATION
US
malicious

DNS requests

Domain
IP
Reputation
mincoindia.com
  • 107.180.27.166
malicious
www.bigsavings2day.com
  • 74.220.199.6
malicious
www.luba63631.com
unknown
www.fumigacionesgrupomarroking.com
  • 107.180.12.36
malicious
www.schulhaus-hotel.com
  • 85.13.147.154
malicious
www.nj-aisino.com
unknown
www.vaxosyk.com
  • 192.64.116.17
malicious
www.mobetier.com
  • 154.220.176.82
malicious
www.please-click.com
  • 23.20.239.12
shared

Threats

PID
Process
Class
Message
3416
powershell.exe
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3416
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3416
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
15 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PO-990101-0703.doc