File name:	85c05d0a5d83254cf21d5fb675778c2728a2534ad8b04ff0ea0eb8be1a4aaab2
Full analysis:	https://app.any.run/tasks/d20fa42a-bc65-4dd7-b576-4a7c473c8e97
Verdict:	Malicious activity
Analysis date:	March 25, 2025, 21:35:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros macros-on-open generated-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: -535, Template: Normal, Last Saved By: Windows User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 16 10:07:00 2016, Last Saved Time/Date: Fri Dec 16 10:07:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0
MD5:	E6AD8F2AAE70A48AC22722A9EEC31626
SHA1:	D348381BA3412722B16120FF091346B81575E4BA
SHA256:	85C05D0A5D83254CF21D5FB675778C2728A2534AD8B04FF0EA0EB8BE1A4AAAB2
SSDEEP:	768:TqqqqbPjNDx76LIHtYmA7nOuxwynCpXkeWE09syqW/ssXVI139:TqqqqbPjN9oIyvnB72UeWE09sLXCK

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

Identification:	Word 8.0
LanguageCode:	English (US)
DocFlags:	1Table, ExtChar
System:	Windows
Word97:	No
Title:	-
Subject:	-
Author:	Павел
Keywords:	-
Template:	Normal
LastModifiedBy:	Windows User
Software:	Microsoft Office Word
CreateDate:	2016:12:16 10:07:00
ModifyDate:	2016:12:16 10:07:00
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	SPecialiST RePack
CharCountWithSpaces:	3
AppVersion:	14
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	2
TotalEditTime:	-
Words:	-
Characters:	3
Pages:	1
Paragraphs:	1
Lines:	1


(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	v":
Value: ≶:Ҍ
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
Operation:	write	Name:	RoamingConfigurableSettings
Value: DC00000000000000803A0900E9070300020019001500230029001B00000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101001E0000008403000080510100050000000500000005000000
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1164
Operation:	write	Name:	0
Value: 0B0E109636CC295840CA4EBA96F240CE612A0B230046D4F0BAD7DDB9E7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DA201C2190000C50E8908C91003783634C5118C09D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:	write	Name:	2#:
Value: 32233A008C040000020000000000000085EF46DBCD9DDB01A000000001000000740000002000000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C0072006F006F0074005C006F0066006600690063006500310036005C00670065006E006B006F002E0064006C006C000000670065006E006B006F002E0063006F006E006E00650063007400310032000000
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\AddinsData\Genko.Connect12
Operation:	write	Name:	LoadCount
Value: 5
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\AddInLoadTimes
Operation:	write	Name:	Genko.Connect12
Value: 040000006D0000002F0000003F0000001000000000000000
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	2#:
Value: ⌲:Ҍ
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1164
Operation:	write	Name:	0
Value: 0B0E109636CC295840CA4EBA96F240CE612A0B230046D4F0BAD7DDB9E7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DA200C2190000C50E8908C91003783634C5118C09D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(1164) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1164
Operation:	write	Name:	0
Value: 0B0E109636CC295840CA4EBA96F240CE612A0B230046D4F0BAD7DDB9E7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0D2201A200C2190000C50E8908C91003783634C5118C09D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

PID	Process	Filename		Type
1164	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:F886CD850049EA3ADD9C5E9E2B143E50	SHA256:5DA65F39E5BCFDA3DF83CF11EDAFD62E56C15F939E38EB69CC4E85FE84946F04
1164	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\85c05d0a5d83254cf21d5fb675778c2728a2534ad8b04ff0ea0eb8be1a4aaab2.doc.LNK		binary
		MD5:6649567DEA17B4241EA018B1790B73F8	SHA256:5E724D794D759CFD6CF67F1FC493290DB840814C4A3040D9DBFA7C4510B2C7E7
1164	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:6548EE0BEBC8C2D9AA34C37E75C9149D	SHA256:E5BAC38B130DD040A87083B9F897792D1653C54EAC83AF8437E6ABC97A399A25
1164	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7D288049-B2F6-4870-A06D-11B5E263CB9E		xml
		MD5:241AE1605EEE47724ECABABBCBCB1FA8	SHA256:5814C9E56A078E77476E9E70BCF8D9E2BC3BE35B951113D649507E4921ACE3BF
1164	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C32AAA10188513909FC49DF344DD3D5F	SHA256:B2A74C4CD0168F9F8DF7BA9BB0E8BCA9CA5DBC3673FCA493535AED894758B3AC
1164	WINWORD.EXE	C:\Users\admin\Desktop\~$c05d0a5d83254cf21d5fb675778c2728a2534ad8b04ff0ea0eb8be1a4aaab2.doc		binary
		MD5:016004FDDD47D6A7FF4912CFD9F16665	SHA256:2223138D21631A61C7354918A99A725DEE93BEAF61043002B71EE4651B5644EB
1164	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:B027672BD550846121C14F5A8BF5CCC9	SHA256:29561EEC1FD823150C38760A2828CAB3DF8F037667ED9425BD485040FBC83AC5
1164	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:0A3F47242C00B61E6A52D00DC0360346	SHA256:97452D5EA4F670E49DB9C2C8C8ACDF7B70C1AB22B6B94C15F16BA4A61AD63E6B
1164	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABF4PEWV7UPR5BNDMGDO.temp		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
1164	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF10ff32.TMP		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1616	RUXIMICS.exe	GET	200	184.24.77.35:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.165:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	52.109.8.89:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	179 Kb	whitelisted
—	—	GET	200	52.123.129.14:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b29CC3696-4058-4ECA-BA96-F240CE612A0B%7d&LabMachine=false	unknown	binary	397 Kb	whitelisted
—	—	GET	200	184.24.77.20:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab	unknown	compressed	28.2 Kb	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp01840907.cab	unknown	compressed	42.6 Kb	whitelisted
—	—	GET	200	52.111.231.13:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B29CC3696-4058-4ECA-BA96-F240CE612A0B%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted
—	—	POST	200	20.189.173.27:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab	unknown	compressed	32.8 Kb	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab	unknown	compressed	45.3 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1616	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1164	WINWORD.EXE	52.109.8.89:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1616	RUXIMICS.exe	184.24.77.35:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1164	WINWORD.EXE	23.48.23.134:443	omex.cdn.office.net	Akamai International B.V.	DE	whitelisted
1164	WINWORD.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1164	WINWORD.EXE	52.111.231.13:443	messaging.lifecycle.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1164	WINWORD.EXE	20.42.73.25:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	172.217.18.14	whitelisted
officeclient.microsoft.com	52.109.8.89	whitelisted
crl.microsoft.com	184.24.77.35 184.24.77.37	whitelisted
omex.cdn.office.net	23.48.23.134 23.48.23.140 23.48.23.191	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
messaging.lifecycle.office.com	52.111.231.13	whitelisted
www.nnapoakea.top	—	unknown
self.events.data.microsoft.com	20.42.73.25	whitelisted
metadata.templates.cdn.office.net	2.17.147.218 2.17.147.184	whitelisted

General Info

85c05d0a5d83254cf21d5fb675778c2728a2534ad8b04ff0ea0eb8be1a4aaab2

E6AD8F2AAE70A48AC22722A9EEC31626

D348381BA3412722B16120FF091346B81575E4BA

85C05D0A5D83254CF21D5FB675778C2728A2534AD8B04FF0EA0EB8BE1A4AAAB2

768:TqqqqbPjNDx76LIHtYmA7nOuxwynCpXkeWE09syqW/ssXVI139:TqqqqbPjN9oIyvnB72UeWE09sLXCK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from MS Office

Changes powershell execution policy (Bypass)

Microsoft Office executes commands via PowerShell or Cmd

Starts CMD.EXE for commands execution

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Script downloads file (POWERSHELL)

SUSPICIOUS

Probably download files using WebClient

Runs shell command (SCRIPT)

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

INFO

An automatically generated document

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings