analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Dok_7918737646_275062031171.doc

Full analysis: https://app.any.run/tasks/e4934480-980c-44a5-b0a3-6087dac692a0
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 14:42:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Marketing, Subject: Small Soft Pizza, Author: Orin Littel, Keywords: Consultant, Comments: fuchsia, Template: Normal.dotm, Last Saved By: Eleonore Wisozk, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 07:21:00 2019, Last Saved Time/Date: Wed Oct 9 07:21:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5:

C48BC5376CB7DBA8AA5FB0AE9030D74B

SHA1:

F515452C39EC00ABA5E97A8FFA6E85DABFC88784

SHA256:

9BAD271E422E1FD8D4504B370E458E884DBAD25C398A70A2D04DD61CF8AF00C4

SSDEEP:

1536:s7YEVyOLYoP8jJV0f8YTrkKPubsYwKjtrzu5rGumRoHynvwMMITLxQODxrt:REVyOLYB60KgdzSrGjKyIwLx31

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2768)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Dach
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 201
Paragraphs: 1
Lines: 1
Company: Jenkins, Steuber and Dickens
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 172
Words: 30
Pages: 1
ModifyDate: 2019:10:09 06:21:00
CreateDate: 2019:10:09 06:21:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Eleonore Wisozk
Template: Normal.dotm
Comments: fuchsia
Keywords: Consultant
Author: Orin Littel
Subject: Small Soft Pizza
Title: Marketing
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2768"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dok_7918737646_275062031171.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
1 208
Read events
799
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2768WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR259F.tmp.cvr
MD5:
SHA256:
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2977DE0A.wmfwmf
MD5:02C63938300FD8E253BFC8A79495F1E8
SHA256:528AA56EE076CAB8B4E1449A4CE0A34AB8DD3F99FD2BC12DE8724FE7679B12FC
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9DBB1DE.wmfwmf
MD5:F51914A9282EC8C206EB966A8AA1B770
SHA256:83A21B61A95E6A2E4FB3B97D7408B2F5A7B662CCB20F8966F360021CC39998AE
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EC3692A8.wmfwmf
MD5:E6233E5CB76FAC3046D69828BA2C79B3
SHA256:D316B5AFE0C75BD10426B51EC681B37A1B82F731208673EB1D60843FCFE29B87
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\809D999C.wmfwmf
MD5:F43BFC4BDE162B8ED186EF95F0DED6DD
SHA256:94949F291A8714BADB9C2FEA25DCDCFCFD5C44919D88815076ACA4874AFF662D
2768WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$k_7918737646_275062031171.docpgc
MD5:9F88FB449265C74159B246DF6649F5E5
SHA256:AE222401BF8B16F5B172CB30A2298ADC892DF8D7D525AE83CCA01292E56EE330
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\57B47C47.wmfwmf
MD5:669393B10A9837FD19CF8B68C0136D09
SHA256:3625CE4F20685CCC854D76078C6524FA92BB4AD29B1C04AC85EE03949657B79C
2768WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E6FD0F6153C506420961483324477288
SHA256:8F4449D195F66F6C33662644E20E983CFD68223ABE82CD0D6179905C4D7A0800
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C884283.wmfwmf
MD5:B267D6651C3C293042A3CB686D00CBC6
SHA256:9175E4AD865229C2FE21281A473D817106AD723B7372A92736D3269AFEB5248D
2768WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1ED93BE5.wmfwmf
MD5:468943C7CA6A399CA8AF4A875AFD882E
SHA256:A9F4D9BD805C314FBED7D127B132594D647AF9E00C46B61112C0A382B64AFF5C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info