File name: Paid_invoice_7458548.docm
Full analysis: https://app.any.run/tasks/4cb6c741-f399-47db-9744-060a9988f1bb
Verdict: Malicious activity
Analysis date: August 13, 2019, 18:16:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
generated-doc
maldoc-4
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: C26002DBC985A645CE07F49FD13098FD
SHA1: 3F35CB2C1707A56FCC9B78E4FFE0979B9B634B33
SHA256: 801724CB0DC05E2AF52F443AC053B01BAEE289935B1B840DC961E4D833E7DF29
SSDEEP: 3072:daRAsxdGSIyyPhOHq8Abxg4Qp9UoeidhFEDnP0KxAjDZAeeEh8d98e4crDyREOea:d4AGTyPtXbxg3GoemhCzP0Ku3yeey8UR
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Writes file to Word startup folder
      • WINWORD.EXE (PID: 1404)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1404)
    • Starts CMD.EXE for command execution
      • WINWORD.EXE (PID: 1404)
  • SUSPICIOUS
    • Executes scripts
      • cmd.exe (PID: 3988)
  • INFO
    • Manual execution by user
      • taskmgr.exe (PID: 2324)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1404)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1404)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Creator: -

XML

ModifyDate: 2019:08:09 11:47:00Z
CreateDate: 2019:07:08 09:55:00Z
RevisionNumber: 1
LastModifiedBy: -
AppVersion: 15
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 790502
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1581
Lines: 5615
DocSecurity: None
Application: Microsoft Office Word
Characters: 673862
Words: 118221
Pages: 90
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 2535
ZipCompressedSize: 463
ZipCRC: 0x53898b0b
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
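TRiD and the MIME type above identify the sample as an OOXML (ZIP) package, and TRiD's top guess is the macro-enabled .docm variant. The file itself is not on this page, so the Python below is an added example, not part of the ANY.RUN report: it builds a constructed, minimal macro-enabled package and a macro-free one in memory (only the parts the check inspects; neither is a valid Word document) and runs the static check a triage script would apply to a real file: does [Content_Types].xml declare the macro-enabled main part, and is a word/vbaProject.bin part present. The content-type strings are the ones Word uses; the package layout is otherwise a constructed stand-in.

```python
import io
import zipfile

# Content type Word assigns to the main document part of a macro-enabled document,
# and the one used by a plain .docx.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML package (not the sample from the report).
    It carries only the parts the check below looks at and is not a valid document."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; the OLE header is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Static macro check on raw file bytes: ZIP container, macro-enabled main
    content type, and presence of a VBA project part. Ignores the file extension."""
    result = {"is_zip": False, "macro_content_type": False,
              "vba_parts": [], "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return result  # legacy OLE (.doc) or something else; not an OOXML package
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["is_zip"] = True
        if "[Content_Types].xml" in names:
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_MAIN_CT in ct_xml
        result["vba_parts"] = [n for n in names
                               if n.lower().endswith(("vbaproject.bin", "vbadata.xml"))]
    result["has_macros"] = result["macro_content_type"] or bool(result["vba_parts"])
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, triage_ooxml(build_sample_package(flag)))
```

The two signals are checked independently on purpose: a package can carry a vbaProject.bin without the macro-enabled content type, or the reverse, and either alone is worth a closer look. For a real sample, run `triage_ooxml(open(path, "rb").read())` and follow up with a VBA extractor such as olevba on anything that returns `has_macros`.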
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winword.exe -> cmd.exe (no specs) -> wscript.exe (no specs)
start -> taskmgr.exe (no specs)

Process information

PID: 1404
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Paid_invoice_7458548.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3988
CMD: "C:\Windows\System32\cmd.exe" /c"c:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2388
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\appdata\roaming\microsoft\word\startup\zzs .jse"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 2324
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
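The chain in the process table (WINWORD.EXE spawning cmd.exe, which runs WScript.exe on a .jse that Word itself wrote to the Word STARTUP folder, as the Dropped files section also shows) is what a detection should key on. One caveat for the "Writes file to Word startup folder" signature: Word only auto-loads global templates (.dot, .dotx, .dotm) and .wll add-ins from that folder, so a .jse dropped there is not run by Word on the next start; here it is simply a writable, rarely inspected drop location, and execution comes from the cmd.exe/WScript.exe chain. The Python below is an added example, not part of the ANY.RUN report: it encodes the four monitored processes from the table as constructed input and applies three heuristics: a script host whose ancestry contains an Office application, a command line that references the Word STARTUP folder (and a script extension inside it), and whitespace before the file extension ("zzs .jse"). Ancestry is walked by parent image name because the report prints parent names rather than parent PIDs; a real pipeline would link on parent PID. The Office and script-host lists are assumptions to extend for the environment.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str    # full executable path, as printed in the report
    cmdline: str  # command line, as printed in the report
    parent: str   # parent image name, as printed in the report (no parent PID given)


# Constructed input: the four monitored processes from the table above, verbatim.
PROCESSES = [
    Proc(1404, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\AppData\Local\Temp\Paid_invoice_7458548.docm"',
         "explorer.exe"),
    Proc(3988, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c"c:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse"',
         "WINWORD.EXE"),
    Proc(2388, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\appdata\roaming\microsoft\word\startup\zzs .jse"',
         "cmd.exe"),
    Proc(2324, r"C:\Windows\system32\taskmgr.exe",
         r'"C:\Windows\system32\taskmgr.exe" /4',
         "explorer.exe"),
]

# Assumed lists; extend for the environment being monitored.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(?:jse?|vb[se]|wsf|hta|ps1|bat|cmd)(?=[\"'\s]|$)", re.I)
WORD_STARTUP = re.compile(r"\\microsoft\\word\\startup\\", re.I)
# "zzs .jse": a run of whitespace directly before the extension.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.[a-z0-9]{1,4}(?=[\"'\s]|$)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(proc: Proc, by_name: dict) -> list:
    """Image names from the root down to proc, linked by parent image name.
    The report gives no parent PIDs, so a name that is not in the table ends the walk."""
    chain = [basename(proc.image)]
    cur, seen = proc, set()
    while cur.parent.lower() in by_name and cur.parent.lower() not in seen:
        seen.add(cur.parent.lower())
        cur = by_name[cur.parent.lower()]
        chain.append(basename(cur.image))
    if cur.parent.lower() not in by_name:
        chain.append(cur.parent.lower())
    return chain[::-1]


def detect(procs: list) -> list:
    """Return (pid, tag, detail) findings for the three heuristics described above."""
    by_name = {basename(p.image): p for p in procs}
    findings = []
    for p in procs:
        img = basename(p.image)
        chain = ancestry(p, by_name)
        if img in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[:-1]):
            findings.append((p.pid, "office-descendant-script-host", " -> ".join(chain)))
        if WORD_STARTUP.search(p.cmdline):
            findings.append((p.pid, "word-startup-folder-in-cmdline", p.cmdline))
            if SCRIPT_EXT.search(p.cmdline):
                findings.append((p.pid, "script-file-in-word-startup", p.cmdline))
        if SPACE_BEFORE_EXT.search(p.cmdline):
            findings.append((p.pid, "whitespace-before-extension", p.cmdline))
    return findings


if __name__ == "__main__":
    for pid, tag, detail in detect(PROCESSES):
        print(f"{pid}\t{tag}\t{detail}")
```

Against the four records above, WINWORD.EXE and taskmgr.exe produce nothing, while cmd.exe (3988) and WScript.exe (2388) each trip all three heuristics; the ancestry detail for 2388 reads explorer.exe -> winword.exe -> cmd.exe -> wscript.exe. The first heuristic is the durable one: it fires regardless of the drop path or file name, whereas the STARTUP-folder and whitespace checks describe this particular dropper.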
Total events: 1 337
Read events: 1 280
Write events: 48
Delete events: 9

Modification events

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: -/a
Value: 2D2F61007C050000010000000000000000000000

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

Process: (1404) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1326252062

Process: (1404) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1326252176

Process: (1404) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1326252177

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 7C0500001CB8BD370352D50100000000

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: f0a
Value: 663061007C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: f0a
Value: 663061007C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (1404) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
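The writes to Word\Resiliency\StartupItems above are Word's resiliency bookkeeping: it records each item it is loading at startup so that, if Word crashes during the load, the item can be identified and disabled. The values are binary and undocumented, but they can be read well enough to answer the question an analyst actually has, namely whether the macro registered anything there. The Python below is an added example, not part of the ANY.RUN report. The field layout it assumes (a NUL-terminated name, a u32 PID, a u32 kind, a zero u32, a u32-length-prefixed blob which for the f0a record holds a u32 flag, a u32 byte length and a UTF-16LE string) is inferred from the two values printed above and should be treated as an assumption; it does hold for both. The same goes for MTTT, which reads as the PID followed by a 64-bit FILETIME. Decoded, the f0a record names Normal.dotm, the default global template, not the dropped .jse, and the MTTT timestamp lands within seconds of the analysis date printed at the top of the report, which supports the FILETIME reading.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class StartupItem:
    name: str    # value name, repeated at the start of the data
    pid: int     # PID of the WINWORD.EXE instance that wrote it (0x57C = 1404 here)
    kind: int    # 1 in the "-/a" record, 4 in "f0a"; meaning not documented
    blob: bytes  # length-prefixed remainder; empty in the "-/a" record
    text: str    # UTF-16LE string carried in the blob, if any


def decode_startup_item(hex_value: str) -> StartupItem:
    """Decode one Resiliency\\StartupItems value.

    The layout is an assumption inferred from the two values in this report:
      name\\0  u32 pid  u32 kind  u32 zero  u32 blob_len  blob[blob_len]
    and, in the kind-4 record, blob = u32 flag  u32 str_len  UTF-16LE string.
    """
    raw = bytes.fromhex(hex_value)
    nul = raw.index(b"\x00")
    name = raw[:nul].decode("ascii")
    off = nul + 1
    pid, kind, _zero, blob_len = struct.unpack_from("<4I", raw, off)
    off += 16
    blob = raw[off:off + blob_len]
    text = ""
    if len(blob) >= 8:
        _flag, str_len = struct.unpack_from("<2I", blob, 0)
        s = blob[8:8 + str_len]
        s = s[:len(s) // 2 * 2]  # tolerate an odd trailing byte
        text = s.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return StartupItem(name, pid, kind, blob, text)


def startup_path(item: StartupItem) -> str:
    """Path recorded in a kind-4 item; the leading '>' is stored in the data as-is."""
    return item.text[1:] if item.text.startswith(">") else item.text


def decode_mttt(hex_value: str):
    """MTTT read as u32 pid followed by a 64-bit FILETIME (inferred, not documented).
    Returns (pid, UTC datetime)."""
    raw = bytes.fromhex(hex_value)
    pid, filetime = struct.unpack_from("<IQ", raw, 0)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return pid, epoch + timedelta(microseconds=filetime // 10)


# The three values written by PID 1404, copied from the modification events above.
VALUE_MINUS_A = "2D2F61007C050000010000000000000000000000"
VALUE_F0A = ("663061007C05000004000000000000008C000000"
             "01000000840000003E0043003A005C0055007300"
             "6500720073005C00610064006D0069006E005C00"
             "41007000700044006100740061005C0052006F00"
             "61006D0069006E0067005C004D00690063007200"
             "6F0073006F00660074005C00540065006D007000"
             "6C0061007400650073005C004E006F0072006D00"
             "61006C002E0064006F0074006D00000000000000")
VALUE_MTTT = "7C0500001CB8BD370352D50100000000"


if __name__ == "__main__":
    for hex_value in (VALUE_MINUS_A, VALUE_F0A):
        item = decode_startup_item(hex_value)
        print(item.name, item.pid, item.kind, repr(startup_path(item)))
    print(decode_mttt(VALUE_MTTT))
```

The useful check in an incident is the comparison: an item under Resiliency\StartupItems or DisabledItems whose decoded path points into the Word STARTUP folder, or to a template other than Normal.dotm, is worth pulling; here the only recorded item is the default template, and the record is deleted again once the load completes, matching the write/delete pair above.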
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE71D.tmp.cvr | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF232567.png | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3AFF7B75-2BD4-49DA-9830-8AA3F39CA801}.tmp | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F61B9C-DD79-437D-ABE0-541894B65532}.tmp | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2E89DAC8-475D-408E-B4C4-DE1F89AB52A2}.tmp | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ACE35CEA-C28B-467A-A2E6-DABC3C1D6C04}.tmp | - | - | -
1404 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E564A6D6459A6CB0E3CE1F3C14FC8E1F | CC2E410900E011B16448B0B13D5493307DB568A24AAF225842F7C8128E98F70A
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$id_invoice_7458548.docm | pgc | F6424F9681C46CB8FA47A8BFD5E59D73 | 673A8E80FC309F6BD91A332C5581DE8CD3B56D71B6E2FC787521444CF82B7F14
1404 | WINWORD.EXE | C:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse | text | 8A35FDC9436A3C2B78005BD10D96A54D | 23DBA732B6DD25EC6D293DCFB4C8C8A6A9A69431CBB95C1EF9485170EF296D6E
1404 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | F3B25701FE362EC84616A93A45CE9998 | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info