File name:	bau.docx
Full analysis:	https://app.any.run/tasks/8a5bde66-233c-4dba-bb28-b75a459cf480
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 29, 2019, 07:55:07
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ole-embedded generated-doc trojan loader smoke
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	5DA49B0F512C7842E37911D0BF5F5831
SHA1:	31B414AB65E22E19CE3A6B80303E2ED05C53A885
SHA256:	85997E087240560D408392DF17F262D05DAC5ADAF8155605A28C593572599324
SSDEEP:	768:a3D8WX9xOsttObdmj142h8unQE8hjDakw6LDzo:a3PX9xOpmj14P68YH6LY

.docx	\|	Word Microsoft Office Open XML Format document (52.2)
.zip	\|	Open Packaging Conventions container (38.8)
.zip	\|	ZIP compressed archive (8.8)

AppVersion:	16
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	20
LinksUpToDate:	No
Company:	-
ScaleCrop:	No
Paragraphs:	1
Lines:	1
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	18
Words:	3
Pages:	1
TotalEditTime:	-
Template:	Normal
ModifyDate:	2019:03:17 21:23:00Z
CreateDate:	2019:03:17 21:23:00Z
RevisionNumber:	1
LastModifiedBy:	John Klok
Keywords:	-

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1460
ZipCompressedSize:	373
ZipCRC:	0x24886c04
ZipModifyDate:	1980:01:01 00:00:00
ZipCompression:	Deflated
ZipBitFlag:	0x0006
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
1848	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bau.docx"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
3524	"C:\Users\admin\AppData\Local\Temp\stub.exe"	C:\Users\admin\AppData\Local\Temp\stub.exe	—	WINWORD.EXE
User: admin Integrity Level: MEDIUM Exit code: 0
1432	explorer.exe	C:\Windows\explorer.exe		stub.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID	Process	Filename		Type
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR5CF0.tmp.cvr		—
		MD5:—	SHA256:—
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B77EB048-A218-4998-B577-7179B837E8F0}.tmp		—
		MD5:—	SHA256:—
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{890C995F-7439-4E1C-A09F-6977082C8CC2}.tmp		—
		MD5:—	SHA256:—
1432	explorer.exe	C:\Users\admin\AppData\Roaming\Microsoft\hvvtugrr\tesrdgeh.exe		—
		MD5:—	SHA256:—
1848	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:BAEC04A54AC968DB29FEE2F2ABDA0EA1	SHA256:230C0E0381E2EA1B4CED9700B32635C2548CB4B0CE50C1D60F5BF49BA8E63985
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA0DD517.emf		emf
		MD5:81E0BA5363CCA75D65D17EA15C45872F	SHA256:C382312E42D2D336C95E2C1E7C1298602E810AF5CBD03806653C3ED73B18AE36
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$bau.docx		pgc
		MD5:B72E952F916A02C709307EC6972707DA	SHA256:EDB085B0C3533590BA6BA0E863A3117550D962B87333FE0E68F2286082C5813F
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{070FC94A-289A-424D-BEBD-77DDE72FDFEF}.tmp		smt
		MD5:5D4D94EE7E06BBB0AF9584119797B23A	SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
1848	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\stub.exe		executable
		MD5:2E7ED53A5AEDFE45425D2944FF8C68DF	SHA256:F66DD3ABEBD56E5313BC6C95CEC4DF2C62D85E1497FF9EC7055823FD6B288D60

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	184.31.85.84:80	http://msdn.microsoft.com/vstudio	NL	—	—	whitelisted
1432	explorer.exe	GET	302	23.38.36.63:80	http://go.microsoft.com/fwlink/?LinkId=133405	NL	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/982726	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	—	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted
1432	explorer.exe	GET	301	2.18.233.31:80	http://support.microsoft.com/kb/2460049	unknown	—	—	whitelisted

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
support.microsoft.com	2.18.233.31	whitelisted
go.microsoft.com	23.38.36.63	whitelisted
msdn.microsoft.com	184.31.85.84	whitelisted
visualstudio.microsoft.com	104.111.246.141	whitelisted
level23hacktools.com	93.123.73.193	malicious
www.opera.com	35.158.61.69 52.29.218.141	whitelisted
www.adobe.com	104.108.60.31	whitelisted
helpx.adobe.com	104.111.214.232	whitelisted
filezilla-project.org	136.243.154.86	whitelisted

PID	Process	Class	Message
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Sharik/Smoke CnC Beacon 9
1432	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] Bot.Sharik HTTP Header structure
1432	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] Sharik/SmokeLoader Check-in
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check
1432	explorer.exe	A Network Trojan was detected	ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check

Description:	-
Creator:	John Klok
Subject:	-
Title:	-

PID	Process	IP	Domain	ASN	CN	Reputation
1432	explorer.exe	184.31.85.84:80	msdn.microsoft.com	Akamai International B.V.	NL	whitelisted
1432	explorer.exe	2.18.233.31:443	support.microsoft.com	Akamai International B.V.	—	whitelisted
1432	explorer.exe	93.123.73.193:80	level23hacktools.com	Histate Global Corp.	BG	malicious
1432	explorer.exe	2.18.233.31:80	support.microsoft.com	Akamai International B.V.	—	whitelisted
1432	explorer.exe	104.108.60.31:443	www.adobe.com	Akamai Technologies, Inc.	NL	whitelisted
1432	explorer.exe	104.108.60.31:80	www.adobe.com	Akamai Technologies, Inc.	NL	whitelisted
1432	explorer.exe	35.158.61.69:80	www.opera.com	Amazon.com, Inc.	DE	unknown
1432	explorer.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
1432	explorer.exe	104.111.214.232:443	helpx.adobe.com	Akamai International B.V.	NL	whitelisted
1432	explorer.exe	23.38.36.63:80	go.microsoft.com	Akamai Technologies, Inc.	NL	whitelisted

General Info

bau.docx

5DA49B0F512C7842E37911D0BF5F5831

31B414AB65E22E19CE3A6B80303E2ED05C53A885

85997E087240560D408392DF17F262D05DAC5ADAF8155605A28C593572599324

768:a3D8WX9xOsttObdmj142h8unQE8hjDakw6LDzo:a3PX9xOpmj14P68YH6LY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Unusual execution from Microsoft Office

SMOKE was detected

Changes the autorun value in the registry

Executable content was dropped or overwritten

Connects to CnC server

SUSPICIOUS

Creates files in the user directory

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

XML

XMP

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings