File name:	635b01bda7f9753ba72dfa5efed266f10addb19273eb2bcaf8d8cfd3c06d1fa9
Full analysis:	https://app.any.run/tasks/e4024e38-c9a6-4f17-b730-08da85af7a4d
Verdict:	Malicious activity
Analysis date:	December 29, 2024, 22:15:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	macros macros-on-open generated-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Author: , Template: Normal.dotm, Last Saved By: , Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Dec 29 03:29:00 2024, Last Saved Time/Date: Sun Dec 29 03:29:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5:	C3E4D0F03CE34C94986741AE9CDF6104
SHA1:	38B95EB3BEC13067F3B39D5DAA048B68C1C25FBB
SHA256:	635B01BDA7F9753BA72DFA5EFED266F10ADDB19273EB2BCAF8D8CFD3C06D1FA9
SSDEEP:	384:giIR3DLxvkuTxcyvuFJWLuY7BM5U02m7M7+jGo0j9wFS:gR3DBkuiyGFZ1Bo7KX3U

.doc	\|	Microsoft Word document (35.9)
.xls	\|	Microsoft Excel sheet (33.7)
.doc	\|	Microsoft Word document (old ver.) (21.3)

Identification:	Word 8.0
LanguageCode:	English (US)
DocFlags:	1Table, ExtChar, Far east
System:	Windows
Word97:	No
Title:	-
Subject:	-
Author:	Ӿ?? ??
Keywords:	-
Comments:	-
Template:	Normal.dotm
LastModifiedBy:	Ӿ?? ??
Software:	Microsoft Office Word
CreateDate:	2024:12:29 03:29:00
ModifyDate:	2024:12:29 03:29:00
Security:	None
CodePage:	Windows Simplified Chinese (PRC, Singapore)
Company:	-
CharCountWithSpaces:	-
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
CompObjUserTypeLen:	28
CompObjUserType:	Microsoft Word 97-2003 ?ĵ?
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	2
TotalEditTime:	-
Words:	-
Characters:	-
Pages:	1
Paragraphs:	-
Lines:	-


(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4528
Operation:	write	Name:	0
Value: 0B0E109366AD2526235342ADCD4E978A5D7219230046C4C1A3F5F3C7D6ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511B023D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ko-kr
Value: 2
(PID) Process:	(4528) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	pt-br
Value: 2

PID	Process	Filename		Type
3620	DWWIN.EXE	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_64935fc192ac76250153abb995bdb75cadecdc_00000000_dea4e046-b249-4a42-a311-5317b59dd41c\Report.wer		—
		MD5:—	SHA256:—
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFC7FC5CD23936B53E.TMP		document
		MD5:C3E4D0F03CE34C94986741AE9CDF6104	SHA256:635B01BDA7F9753BA72DFA5EFED266F10ADDB19273EB2BCAF8D8CFD3C06D1FA9
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF91FA34B5DDBA702B.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
4528	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:51B83B92B8832136420AD04E176A2F3B	SHA256:5AAFAB80D38D689B2217ED6811C55CF4DC62EFE91567D688BE8244A29D230073
4528	WINWORD.EXE	C:\Users\admin\Desktop\~$5b01bda7f9753ba72dfa5efed266f10addb19273eb2bcaf8d8cfd3c06d1fa9.doc		binary
		MD5:F56401B1C2854628EC64129F3730F0A7	SHA256:62690251309F59BE2944ABEB30832B3C8FDB31201D522882BAF08C8F2332C0D6
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF3439559A4B2CE231.TMP		document
		MD5:C3E4D0F03CE34C94986741AE9CDF6104	SHA256:635B01BDA7F9753BA72DFA5EFED266F10ADDB19273EB2BCAF8D8CFD3C06D1FA9
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFB5129604496556DC.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
4528	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\635b01bda7f9753ba72dfa5efed266f10addb19273eb2bcaf8d8cfd3c06d1fa9.doc.LNK		binary
		MD5:920A363E56E0383053CD5721DB3B1CB4	SHA256:95415BE3EEB9116242F7D790B91C0F1D2067EFF98035E7FAC544327BCAAB40DE
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{421165C1-A4B1-48B1-9451-28C358E47781}.tmp		binary
		MD5:FB294ADA09B99EF2DEFEDC229C6C3EF7	SHA256:8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099
4528	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF4E747D499B839F83.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3040	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	52.109.89.18:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	178 Kb	—
—	—	GET	200	23.32.238.120:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	52.113.194.132:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b25AD6693-2326-4253-ADCD-4E978A5D7219%7d&LabMachine=false	unknown	binary	398 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
3040	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.187:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4528	WINWORD.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3620	DWWIN.EXE	104.208.16.94:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.209.187 2.23.209.189 2.23.209.182 2.23.209.133 2.23.209.149 2.23.209.140 2.23.209.176 2.23.209.185 2.23.209.179	whitelisted
google.com	142.250.185.174	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted
omex.cdn.office.net	2.16.168.119 2.16.168.101	whitelisted
ecs.office.com	52.113.194.132	whitelisted
self.events.data.microsoft.com	20.42.73.25	unknown

General Info

635b01bda7f9753ba72dfa5efed266f10addb19273eb2bcaf8d8cfd3c06d1fa9

C3E4D0F03CE34C94986741AE9CDF6104

38B95EB3BEC13067F3B39D5DAA048B68C1C25FBB

635B01BDA7F9753BA72DFA5EFED266F10ADDB19273EB2BCAF8D8CFD3C06D1FA9

384:giIR3DLxvkuTxcyvuFJWLuY7BM5U02m7M7+jGo0j9wFS:gR3DBkuiyGFZ1Bo7KX3U

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from MS Office

SUSPICIOUS

INFO

An automatically generated document

The process uses the downloaded file

Reads Microsoft Office registry keys

Reads the software policy settings

Drops encrypted VBS script (Microsoft Script Encoder)

Creates files in the program directory

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings