File name: info_11_08[1].doc

Full analysis: https://app.any.run/tasks/4076d16c-1ba4-4b46-ad29-211816ece171
Verdict: Malicious activity
Analysis date: November 08, 2019, 13:30:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, maldoc-3, generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: CCA1779B76CC89EFF010630805E85156
SHA1: A372C4C2B8CE1D61356D5846842D13A25D787A5D
SHA256: 5486A9296635ED474AEBE589FBE63D24C0B8B6A247FE43E3EBA3B9ADE7B9FE9B
SSDEEP: 1536:/VdFqp8g6+gCI4kEPFOGKbPJdVlpReoqQd5YFWAfV9AN7svtzTk7B5+DeHQ:/VdQig6fwIrfVlp59YAAbs7svJQ7B58/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2176)
  • SUSPICIOUS
    • Uses WMIC.EXE to obtain system information
      • WINWORD.EXE (PID: 2176)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2176)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2176)
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Description: -
Creator: bhbzqee
Subject: -
Title: -

XML

Category: -
ModifyDate: 2019:11:08 09:07:00Z
CreateDate: 2019:11:08 09:07:00Z
RevisionNumber: 2
LastModifiedBy: admin
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: home
Manager: -
TitlesOfParts:
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
ScaleCrop: No
Paragraphs: -
Lines: 2
DocSecurity: None
Application: Microsoft Office Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1635
ZipCompressedSize: 426
ZipCRC: 0xc8e48bf2
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start winword.exe no specs wmic.exe

Process information

PID: 2176
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_11_08[1].doc.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 776
CMD: "C:\windows\system32\wbem\wmic.exe" process list /format:"C:\Users\admin\AppData\Local\Temp\akei9"
Path: C:\windows\system32\wbem\wmic.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147614729
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 117
Read events: 989
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 3

Dropped files

PID 2176, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRADAF.tmp.cvr (type: -)
  MD5: -
  SHA256: -
PID 2176, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: 71834CB5A40FD067717E5E242FCFDDE2
  SHA256: 053F9EECE736E49AA9E3C99DB635C70D83D2B9311D2D3CA8D612695DCF73376C
PID 2176, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd (type: tlb)
  MD5: E50D645DCBD7B710AD42F0880FF4FAD0
  SHA256: FDB62BC1D3E67C2D6D5670E451F7006747868CBBBECAF57A3000F7C6C96BF01F
PID 2176, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$fo_11_08[1].doc.docm (type: pgc)
  MD5: 3955200FF23EBE0A1FCC1DF233143941
  SHA256: 4C4520561D5601961978929D56161E7E29E04DD9FB31E2E0836256229182F6FD
PID 2176, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\akei9.xsl (type: xml)
  MD5: 176777C3CD812E6BCCC5307344898DF7
  SHA256: EF300AD49D25F40E9FD9ECFAB1FCB688A602140648537984048CE372917C7E3A
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process   IP               Domain          ASN  CN  Reputation
776   wmic.exe  194.61.1.217:80  chenilluro.com  -    -   unknown

DNS requests

Domain            IP               Reputation
chenilluro.com    194.61.1.217     unknown
dns.msftncsi.com  131.107.255.255  shared

Threats

No threats detected
No debug info