File name: 738e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc
Full analysis: https://app.any.run/tasks/255c7ada-6d99-464a-81d1-14e2615dbc24
Verdict: Malicious activity
Analysis date: October 19, 2020, 23:51:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, macros-on-close, generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 13 18:13:00 2020, Last Saved Time/Date: Mon Oct 19 14:52:00 2020, Number of Pages: 1, Number of Words: 127541, Number of Characters: 726986, Security: 0
MD5: 4993777D3DD3930511C0C223B0396B50
SHA1: C0FAA41859C8A24AD31F939C506FA0B9B5CBF895
SHA256: 738E7F8D70BAC3F69C628A8A545BDCE5DECACB7FCB9F43DDEAF48AF9C6EB1C63
SSDEEP: 12288:G65z7Xg4JEg3XSThnkGeLdZZNc/2viqPvK5oWBa3sc09AWv55RSLCtTu/pI/pE:nw4r3XS96LdZZNT1/18AWvDQIa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates files in the program directory
      • WINWORD.EXE (PID: 1544)
    • Executed via COM
      • explorer.exe (PID: 2536)
      • DllHost.exe (PID: 1632)
    • Executes scripts
      • explorer.exe (PID: 2536)
    • Executed via WMI
      • explorer.exe (PID: 576)
  • INFO
    • Manual execution by user
      • WINWORD.EXE (PID: 3880)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3880)
      • WINWORD.EXE (PID: 1544)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1544)
      • WINWORD.EXE (PID: 3880)
    • Dropped object may contain Bitcoin addresses
      • WINWORD.EXE (PID: 1544)
    • Reads Internet Cache Settings
      • WINWORD.EXE (PID: 3880)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:10:13 17:13:00
ModifyDate: 2020:10:19 13:52:00
Pages: 1
Words: 127541
Characters: 726986
Security: None
CodePage: Windows Cyrillic
Company: -
Lines: 6058
Paragraphs: 1705
CharCountWithSpaces: 852822
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
Total processes: 41
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes in the graph: winword.exe, explorer.exe, explorer.exe, wscript.exe, winword.exe, PhotoViewer.dll

Process information

PID: 1544
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\738e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 576
CMD: explorer.exe c:\programdata\ExelTrod.vbe
Path: C:\Windows\explorer.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2536
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3908
CMD: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ExelTrod.vbe"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3880
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\benefitvideos.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 1632
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 722
Read events: 1 440
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 9
Text files: 1
Unknown types: 3

Dropped files

PID: 1544 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR3D8E.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3880 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR2406.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 1544 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: C1C67CF0B0C20528938523B8D0982EC8
SHA256: 27B9B160473265404935B036276B5F6D9318BAA022216E75E59796A0EB8C626E

PID: 1544 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: E937A5A3EA05457A6A6B8D023D9E8F2C
SHA256: E9110A5DB587C538C451D081DB7C2CAE3BECDDF4026964C19C99D7B36526A6C9

PID: 1544 (WINWORD.EXE)
Filename: C:\programdata\ExelTrod.vbe
Type: text
MD5: 468E8518492FBAE8754111EE61B2E410
SHA256: 8A5579850B8536D721A8CA1F9E9E51F36DEAF1E917668A221413C31EE912B21D

PID: 1544 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~$8e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc
Type: pgc
MD5: A4B558FA235B06A40265DA55A68A7D71
SHA256: 50892D99379C3E0C1BB355F4F1EA695E193E01A47240BAE8F256AAC432E95769

PID: 3880 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1042\14\Built-In Building Blocks.dotx
Type: document
MD5: F0D6D1BDCAE8509261C4627473FD1622
SHA256: A7E9C3CC87CEBF7EB59483B283224779D4EC58BCA5A584EBF5DA9A2E0648AA10

PID: 3880 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1046\14\Built-In Building Blocks.dotx
Type: document
MD5: 68B53CF5E326BAAF22DE050B10EF6E37
SHA256: 7FE75B4EF4BD4C0AF67B2B1326FA6134AC7B1F67217A2F9CC78A6E73029B1F25

PID: 3880 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1049\14\Built-In Building Blocks.dotx
Type: document
MD5: 871A3FF92041EF7A471ABF7CAA27F266
SHA256: E18A2500381F238440784A216C6D0796BB86B79F602FFA83B7181AB8C193C196

PID: 3880 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1040\14\Built-In Building Blocks.dotx
Type: document
MD5: B39C6349338EDE041D9AEA6EB3CD5B78
SHA256: E897AAD31EEA5A446554C1EE5E0F993A854EAC3B63C1083CEB3BAA80FD51086D
HTTP(S) requests: 2
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3880 (WINWORD.EXE)
Method: GET
HTTP Code: 404
IP: 52.109.76.6:80
URL: http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
CN: IE
Type: xml
Size: 341 b
Reputation: whitelisted

PID: 3880 (WINWORD.EXE)
Method: GET
HTTP Code: 404
IP: 52.109.76.6:80
URL: http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
CN: IE
Type: xml
Size: 341 b
Reputation: whitelisted

Connections

PID: 3880 (WINWORD.EXE)
IP: 52.109.76.6:80
Domain: office14client.microsoft.com
ASN: Microsoft Corporation
CN: IE
Reputation: whitelisted

DNS requests

Domain: office14client.microsoft.com
IP: 52.109.76.6
Reputation: whitelisted

Threats

No threats detected
No debug info