analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Hazel-102941_d.docm

Full analysis: https://app.any.run/tasks/419dd81e-f114-4956-ae3e-7d39770f514f
Verdict: Malicious activity
Analysis date: June 12, 2019, 00:46:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

6A03F2DA9DED3551632CE59929935B34

SHA1:

7626F9B273D72CF4122A11371AEE920CB75352FC

SHA256:

53D7274D1E4ACCCBBABE554DE655DA7F6B8114E27DF956EB8C18583ECFB67F1C

SSDEEP:

1536:cESUNLmoy2+u1b5bWONWU73Sgfqm5Nv6YRqF2C+Hy375U4Y:9LmoyKjcUu4qMNUwY375UJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2568)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2568)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2568)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: home
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: Password protected
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: 13 minutes
Template: Normal
ModifyDate: 2019:06:11 13:12:00Z
CreateDate: 2019:05:22 12:44:00Z
RevisionNumber: 11
LastModifiedBy: Windows User
Keywords: -

XMP

Description: -
Creator: admin
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1745
ZipCompressedSize: 465
ZipCRC: 0x5bc2bfc4
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wmic.exe

Process information

PID
CMD
Path
Indicators
Parent process
2568"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Hazel-102941_d.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3796wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147614729
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 590
Read events
896
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3F8D.tmp.cvr
MD5:
SHA256:
2568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54CB36E9.png
MD5:
SHA256:
2568WINWORD.EXEC:\Windows\Temp\aXwZvnt48.xslxml
MD5:AB115043D603E3E7C505BD572AC8DE12
SHA256:13904531105CB20F006E56CCCDB1CF979D9510E14811338D487431494458E6FE
2568WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:78854943818252C6E83A83506E030BA5
SHA256:70605DF163FEFE0262A4C8EC5FEA5164CDA9B34A06150B7FAA60DE41EEFE53B8
2568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:7EE45E11E1CE2549CB4F0A3BBD858FB9
SHA256:392E88847A4DBCC622D972DC0883AAE3832F7FD9CF6D9D5F2D35EA3D1CBD1865
2568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$zel-102941_d.docmpgc
MD5:9A8B42BCA5025090CA25C4243902D64D
SHA256:03524CC0D6D2F1C4EB7A83D79B2447BA1225CC37281FA0A038FE42FA5ABE1D90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3796
wmic.exe
162.241.222.64:443
antevu.club
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
antevu.club
  • 162.241.222.64
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Hazel-102941_d.docm