File name:	6d8cd2886022ec0ff6d3badbc0617ff2b93cfb5411d627cb0fedce16b2e3880e
Full analysis:	https://app.any.run/tasks/799189d0-2931-4ce4-bad8-f117bea9d11b
Verdict:	Malicious activity
Analysis date:	October 16, 2024, 21:36:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	macros macros-on-open
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Bastian Buck, Template: Normal.dotm, Last Saved By: Bastian Buck, Revision Number: 9, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 26 10:03:00 2022, Last Saved Time/Date: Tue Apr 26 21:39:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:	B6B9D0A41A6C12E5D59872E8E3166C89
SHA1:	126FD96778FE9C5B7882C31FB1CB9B8B0A147DAA
SHA256:	6D8CD2886022EC0FF6D3BADBC0617FF2B93CFB5411D627CB0FEDCE16B2E3880E
SSDEEP:	768:NPcQyUqvlO9udgX1xptvAuvrIvi6BdSOhu4oKia7Z:NWvpdSn/AIrausial

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

Identification:	Word 8.0
LanguageCode:	English (US)
DocFlags:	Has picture, 1Table, ExtChar
System:	Windows
Word97:	No
Title:	-
Subject:	-
Author:	Bastian Buck
Keywords:	-
Comments:	-
Template:	Normal.dotm
LastModifiedBy:	Bastian Buck
Software:	Microsoft Office Word
CreateDate:	2022:04:26 10:03:00
ModifyDate:	2022:04:26 21:39:00
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	-
CharCountWithSpaces:	1
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Titel 1
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003-Dokument
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	9
TotalEditTime:	-
Words:	-
Characters:	1
Pages:	1
Paragraphs:	1
Lines:	1


(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6464
Operation:	write	Name:	0
Value: 0B0E109C4B204D10C28A43BB05224AF8B7B7E6230046E6A4BECBB782C8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C032D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(6464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

PID	Process	Filename		Type
6464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:D34E32479BA4951E9C5D7B93DFF52045	SHA256:3C2E28CDF0B666C1C6D8DF808F693F7AC0B959C60468906A35E256D067765D3C
6464	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:F09177AEAA4D90ACA27D5DC5A81BAFFD	SHA256:21655DC62AD41E3D66C0AA53BDFF79834C13731EDE24D49F93BA192B3BAFC732
6464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
6464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\6d8cd2886022ec0ff6d3badbc0617ff2b93cfb5411d627cb0fedce16b2e3880e.doc.LNK		lnk
		MD5:5FA70C6FC3F3FBF23DF2D2C1EC2CF54E	SHA256:0B71EC4E6BE15F3157BE2C6227FA75D139D08F8D797AA913A45074C65B0D55D5
6464	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:AD544C9E801832244CE181B23475D13F	SHA256:EE1B2747E946A4547944D04993A5F2C51FAD34AFB2E9187D0436EC042B17C86F
6464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:5E6EB6E57D384ABE03C63BB8069D47D1	SHA256:470ED1219302B2F767BE813F6B6A1EB3B5D49831E03B228217AC8662C387E85C
6464	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B480D4FA-4656-41E8-B59F-26EFB3D992E5		xml
		MD5:DF781120F7EEB29170120F30B8D62E37	SHA256:25693D7FDEFB0F93098CB2F93E039DED4D2945247B4A452305E248A9DB44499F
6464	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:E26452B217C9E57E5F3AF306D73A0685	SHA256:03BD1B35F0AE761DAF570FEE49A552BFBDBA7ACFB2CFAAAA52D6A9A355518700
6464	WINWORD.EXE	C:\Users\admin\Desktop\~$8cd2886022ec0ff6d3badbc0617ff2b93cfb5411d627cb0fedce16b2e3880e.doc		abr
		MD5:39C0A254F55A5855A8BA477F06E80209	SHA256:C0BDCFBC4C6D30F01D7F4A325F42069FDBBCDC13356B493635E8022F7162A4F5
6464	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7060	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7060	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	52.109.32.97:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	174 Kb	whitelisted
—	—	GET	200	2.17.100.200:443	https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C	unknown	xml	10.7 Kb	whitelisted
—	—	GET	200	23.48.23.30:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	2.21.20.151:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043402.cab	unknown	compressed	706 Kb	whitelisted
—	—	POST	200	20.189.173.18:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	whitelisted
—	—	GET	200	52.111.243.8:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B4D204B9C-C210-438A-BB05-224AF8B7B7E6%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7060	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6464	WINWORD.EXE	52.109.28.46:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
7060	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7060	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156 23.48.23.166 2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
omex.cdn.office.net	2.19.126.151 2.19.126.160	whitelisted
ecs.office.com	52.113.194.132	whitelisted
messaging.lifecycle.office.com	52.111.243.8	whitelisted
self.events.data.microsoft.com	13.89.179.8 52.182.143.215	whitelisted
metadata.templates.cdn.office.net	95.101.111.179 95.101.111.168	whitelisted

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

6d8cd2886022ec0ff6d3badbc0617ff2b93cfb5411d627cb0fedce16b2e3880e

B6B9D0A41A6C12E5D59872E8E3166C89

126FD96778FE9C5B7882C31FB1CB9B8B0A147DAA

6D8CD2886022EC0FF6D3BADBC0617FF2B93CFB5411D627CB0FEDCE16B2E3880E

768:NPcQyUqvlO9udgX1xptvAuvrIvi6BdSOhu4oKia7Z:NWvpdSn/AIrausial

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from MS Office

Microsoft Office executes commands via PowerShell or Cmd

Starts POWERSHELL.EXE for commands execution

Run PowerShell with an invisible window

SUSPICIOUS

Runs shell command (SCRIPT)

Powershell scripting: start process

Possibly malicious use of IEX has been detected

Found IP address in command line

Probably download files using WebClient

Application launched itself

Starts POWERSHELL.EXE for commands execution

INFO

The process uses the downloaded file

Sends debugging messages

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings