analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

67bf28adf1b2994d9b20e4aa8a068f487e02d4bfd9a3ee73d81dd37f2a7d5a73.docx

Full analysis: https://app.any.run/tasks/74102ab7-0d02-4ecb-918c-f2dc58bfb987
Verdict: Malicious activity
Analysis date: June 19, 2019, 06:01:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

2EAE8B46F8FB1E0ADEF3954BFE6E265D

SHA1:

3CF1B7AFD245998F6DCC85213F2598BDFA51AE06

SHA256:

67BF28ADF1B2994D9B20E4AA8A068F487E02D4BFD9A3EE73D81DD37F2A7D5A73

SSDEEP:

12288:qdijc9YOuD00xMDcJx/MZyVgxKLUxol6zqowZDPxoyF4EnvUCZIDklI51hBXIH8o:eAxhVWZoUONDPxoAxnsCZIDklI5BCoK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3272)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3272)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xb71a911e
ZipCompressedSize: 234
ZipUncompressedSize: 590
ZipFileName: _rels/.rels

XML

Template: Normal.dotm
TotalEditTime: 17 minutes
Pages: 2
Words: 233
Characters: 1332
Application: Microsoft Office Word
DocSecurity: None
Lines: 11
Paragraphs: 3
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1562
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
CreateDate: 2019:06:12 07:40:00Z
ModifyDate: 2019:06:12 11:10:00Z
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs fltldr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3272"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\67bf28adf1b2994d9b20e4aa8a068f487e02d4bfd9a3ee73d81dd37f2a7d5a73.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3828"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLTC:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEWINWORD.EXE
User:
admin
Integrity Level:
LOW
Exit code:
0
Total events
1 081
Read events
751
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
3272WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2F55.tmp.cvr
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F19798A.png
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39322803.png
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBC83A28.png
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE3EE409.png
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCEE2A76.png
MD5:
SHA256:
3272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72892BFF.epsps
MD5:1BBA6EB824C123A239E8A9F0E7A15CEE
SHA256:2C7302DC716A8AD304D72DBB5F617310AB4C31A8F3595A4317944CD30C6CA910
3272WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:17222E7BED955763CB75EBDA153E0074
SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
3272WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_342BE092-C599-429B-A73E-8074ED2B6360.0\FL3C85.tmpps
MD5:1BBA6EB824C123A239E8A9F0E7A15CEE
SHA256:2C7302DC716A8AD304D72DBB5F617310AB4C31A8F3595A4317944CD30C6CA910
3272WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$bf28adf1b2994d9b20e4aa8a068f487e02d4bfd9a3ee73d81dd37f2a7d5a73.docxpgc
MD5:27BD05D7A202DE942D8DBC48874A41F8
SHA256:4D4B68BB19AFA41BA3DEBD3B7724F8BE3A6D9630D9FF535B547155800A585702
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
216.58.210.14:80
Google Inc.
US
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info