analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Payslip_+_delivery_details_84147719.docm

Full analysis: https://app.any.run/tasks/3f72b08e-08d7-46d1-a3ee-ba26b1bfa56b
Verdict: Malicious activity
Analysis date: September 18, 2019, 22:33:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

6F158190C7108C3ADC2452B179CBA988

SHA1:

F7062E4A95D3EF821D05EE8E7CA592D28479419D

SHA256:

8184BBCC1BA85265F87ABAECEEC5D06FCCA3F8800157EB836F4E931F3EFD06D5

SSDEEP:

1536:mvG2Od24uPltKdn47eBw4GS19U698bQTn3BH9kavFAGKQ24Jgf2kclYObssh:hV2Tl84a3GSoerBSatDQ2HqIssh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 2064)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2064)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 1668)
  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2064)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2064)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2064)
    • Reads settings of System Certificates

      • WScript.exe (PID: 1668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 298901
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 597
Lines: 2123
DocSecurity: None
Application: Microsoft Office Word
Characters: 254797
Words: 44701
Pages: 71
TotalEditTime: 20 minutes
Template: Normal.dotm
ModifyDate: 2019:09:16 13:11:00Z
CreateDate: 2019:08:15 08:10:00Z
RevisionNumber: 30
LastModifiedBy: user
Keywords: -

XMP

Description: -
Creator: user
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1503
ZipCompressedSize: 399
ZipCRC: 0x3f450766
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0008
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2064"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Payslip_+_delivery_details_84147719.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
1668"C:\Windows\System32\WScript.exe" "C:\Users\admin\Documents\0.7055475.jse" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 459
Read events
1 101
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
2064WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7D86.tmp.cvr
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D80E11EF.png
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1F250862-E8B5-4267-80A2-7CE1B7A54B09}.tmp
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9F0158D4-015D-4F0F-944C-99B67F111D71}.tmp
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{06489154-671E-4DD9-9CC8-CE63D6C6686B}.tmp
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A50B2829-5FF0-4204-A5C9-2BE3A581EDEF}.tmp
MD5:
SHA256:
2064WINWORD.EXEC:\Users\admin\Documents\0.7055475.jsetext
MD5:618F6E79C0333F661F33A6D03EBD01F9
SHA256:2F457FE204D0DEA5D9E58C1D3261B6C10A5E15DC9CC170F7E39F2C9AD90E3EF0
2064WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2064WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$yslip_+_delivery_details_84147719.docmpgc
MD5:F4EC920CB5B34F958CD0B6B17A579997
SHA256:1656214F56D03EFF210AB2274E58EB026CAD46B8E623462D0B5BCC849F2ACDBB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1668
WScript.exe
185.130.104.157:443
Hosting Solution Ltd.
RU
malicious

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted

Threats

PID
Process
Class
Message
1668
WScript.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1668
WScript.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1668
WScript.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
No debug info