File name: 2811436.doc
Full analysis: https://app.any.run/tasks/9f5bb0a5-f733-456e-ac1b-3b44be48215b
Verdict: Malicious activity
Analysis date: August 13, 2019, 21:08:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
maldoc-21
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: mFIJs, Subject: EAGtNX, Author: B, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Wed Feb 16 04:10:00 2005, Create Time/Date: Wed Aug 7 14:43:00 2019, Last Saved Time/Date: Wed Aug 7 14:43:00 2019, Number of Pages: 3, Number of Words: 321, Number of Characters: 2034, Security: 0
MD5: 84C243CBE6D88BFF28ABC93F929D46A8
SHA1: 01FFB901FC5F1C1C49F1E192FF7DBDDA74945D43
SHA256: 83C9CDBAB56B87CF2334E1B68F135B2BA3DA760B52C172136515EF2A17D9CEB4
SSDEEP: 384:IzNPMOXv7g0iSAoKXMVky/v+UAottK6g0RbVU2eeE0j+p:kNPMOXvgMVkR2K6gsJCrp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via COM
      • iexplore.exe (PID: 2256)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2984)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 404)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2984)
    • Changes internet zones settings
      • iexplore.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
QuGdRWwdY: FPEg,X,:q4**uFc0k
XkfbxLOJ: yKY7p65Ts,#yHwUiRVn-odeW:fMy#SQ$
CodePage: Windows Cyrillic
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
TitleOfParts:
  • INVOICE/BILL
  • INVOICE/BILL
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 2352
Paragraphs: 3
Lines: 52
Bytes: 56281
Company: -
Security: None
Characters: 2034
Words: 321
Pages: 3
ModifyDate: 2019:08:07 13:43:00
CreateDate: 2019:08:07 13:43:00
LastPrinted: 2005:02:16 04:10:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: 1
Template: Normal.dotm
Comments: -
Keywords: -
Author: B
Subject: EAGtNX
Title: mFIJs
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process chain: start → winword.exe (no specs) → iexplore.exe → iexplore.exe

Process information

PID: 2984
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2811436.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: Creates files in the user directory; Reads Microsoft Office registry keys
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2256
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: Executed via COM; Changes internet zones settings
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 404
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2256 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: Reads Internet Cache Settings
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 347
Read events: 921
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 4

Dropped files

PID: 2984
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRCEA3.tmp.cvr
Type:
MD5:
SHA256:

PID: 2256
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
Type:
MD5:
SHA256:

PID: 2256
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type:
MD5:
SHA256:

PID: 404
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: 1526B48366FAE837561FB83966374825
SHA256: 3F1BDC94DF10DA494A10C0383768840B1F8B76CACBD3D9AF2F512B19E3A646DE

PID: 2984
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: EEF129F7F35B20FD01C35F76F65A65E9
SHA256: D771D4F16D97EBF6E1A068EC0CF74F50F44B98E384B86EAA2CC54BA176464C11

PID: 2984
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$811436.doc
Type: pgc
MD5: 0C08144E268ECCBFAA1A5839A8A23FDD
SHA256: F2A5154F128DC2B08BC1A27C28888DB7AC91FF48EEDDAAA393C28EAC84C4C37B

PID: 404
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VMGUID1S\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 2984
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 47289B7654C9BF503E4BCB2831839C20
SHA256: E57E6E44B4A7ACFA170446095664D847CF1B31621DB2273B3F4F24F519436C85

PID: 404
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JHB0622Z\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 404
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7HGCEG2H\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 404
Process: iexplore.exe
Method: GET
HTTP Code:
IP: 109.94.209.91:80
URL: http://109.94.209.91/12340.txt
CN: unknown
Type:
Size:
Reputation: suspicious

PID: 2256
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 13.107.21.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID: 2256
Process: iexplore.exe
IP: 13.107.21.200:80
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID: 404
Process: iexplore.exe
IP: 109.94.209.91:80
Domain:
ASN:
CN:
Reputation: suspicious

DNS requests

Domain: www.bing.com
IP:
  • 13.107.21.200
  • 204.79.197.200
Reputation: whitelisted

Threats

No threats detected
No debug info