File name: Mahnung_9415174.doc
Full analysis: https://app.any.run/tasks/8744e43f-5c44-4e5b-bd27-6eea886275a2
Verdict: Malicious activity
Analysis date: June 19, 2019, 13:39:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal, Last Saved By: Administrator, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 29 10:40:00 2018, Last Saved Time/Date: Fri Jun 29 10:41:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: 25A5A19487BF84EBF2EB9354D6650FFD
SHA1: 9DC467EC455AF149ABE42A46E0119F70B41263DB
SHA256: 58EBE798AC3C4845513764DEC23093585781CF10B213A1AE31058214F1FE8177
SSDEEP: 1536:MflXyBkWd88+a9MkJ3wfF0MQDVYgodbICgpH33eJ7Y1IKQndy8MEqsmoATjQbdTK:MdXadyOWtsodcCOH+JE1zsmobtKr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads settings of System Certificates
      • WINWORD.EXE (PID: 2796)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2796)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2796)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Administrator
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Administrator
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:06:29 09:40:00
ModifyDate: 2018:06:29 09:41:00
Pages: 1
Words: -
Characters: 1
Security: None
Company: -
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
CodePage: Windows Latin 1 (Western European)
XfhvqAdWA: TW5BUGRKcnFPdEhmeDF1Q3dLQnNDZXJxWURzZlBFb1JpS3FGSnpkTGNXUVVLb3NodlJEQUE=
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start winword.exe

Process information

PID: 2796
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Mahnung_9415174.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 3 889
Read events: 3 473
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 24
Text files: 2
Unknown types: 3

Dropped files (all by PID 2796, WINWORD.EXE)

  • C:\Users\admin\AppData\Local\Temp\CVRE369.tmp.cvr
    Type: -
    MD5: -
    SHA256: -
  • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@gyazo[1].txt
    Type: -
    MD5: -
    SHA256: -
  • C:\Users\admin\AppData\Local\Temp\{4EB6F618-7AEF-42C5-B09F-96701AB055A4}
    Type: -
    MD5: -
    SHA256: -
  • C:\Users\admin\AppData\Local\Temp\{75A944DF-DA6A-42FC-ACDF-C9A9CC863C23}
    Type: -
    MD5: -
    SHA256: -
  • C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Type: pgc
    MD5: D76F4168BF0F0E6D09678F095128B0F1
    SHA256: C8BF8D3C9DA7146556C4475C794BD9D11E13596F3752768109A6C5EFE340D331
  • C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D5A169E9-4B3A-4437-A8BB-6F5172EC531D}.FSD
    Type: binary
    MD5: 05630EABAFC2FBC1028750205FC82917
    SHA256: 3F9D2D15982EBE22D64597BE4FC7EC23C0EB890CFD452DA58960511E85720224
  • C:\Users\admin\AppData\Local\Temp\~$hnung_9415174.doc
    Type: pgc
    MD5: 44129FD9400C6EF050590CE7A2163361
    SHA256: 8E17A4650E509E05F16F115586A2DD1E5F36C89DDBD5499953699B3E0CB5CCD2
  • C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F3D74767-10D0-49A2-9DED-4638097E1DC5}.FSD
    Type: binary
    MD5: 48E0B643B263DA69E29AC60E2E4907AF
    SHA256: 657FD653B0EA451F3429F3A2C9C5A91F6FF189BEDBBD0FABBE98FE73B9A458CE
  • C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
    Type: tlb
    MD5: AE18DD6B1BF9D73D4B8F2B1EE574D303
    SHA256: FAC979CC8F166C5C45A252E66F18F4E9C95AC0C755F1E6AF36F8E631F0E1DFA3
  • C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
    Type: binary
    MD5: D9109BC65F833527CCE1486C93E6F3E6
    SHA256: 691623B318D67284A1AC03B441C1CF8B26391C04F4629FE7C9955CB187D413E5
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                  Domain        ASN             CN  Reputation
2796  WINWORD.EXE  104.19.142.111:443  i.gyazo.com   Cloudflare Inc  US  shared
2796  WINWORD.EXE  74.119.239.234:443  dkb-agbs.com  PDR             US  malicious

DNS requests

Domain        IP              Reputation
i.gyazo.com   104.19.142.111  whitelisted
              104.19.143.111
dkb-agbs.com  74.119.239.234  malicious

Threats

No threats detected
No debug info