analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Pensionskasse SHP_858151174_11.12.2018.docx

Full analysis: https://app.any.run/tasks/b23db689-8174-4c47-9085-17d4684ef902
Verdict: Malicious activity
Analysis date: January 11, 2019, 08:13:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
ole-embedded
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7EAB6D83E7AE505D9AEDDECFBD51972B

SHA1:

5DC30125F61AED479FD3A8F00178EAD0F9DBB7DC

SHA256:

9C73EB4894133262BF0094E865A9855B7278062D4792E657C96ABA009D0FCA75

SSDEEP:

1536:j/ZSUZUCPuuBQoB9WEp20e5cvqbEOqefd6sAMEVycvjp3o6S4:j/ZZZnuymx0e6CbRd6pMrcve6S4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2968)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2968)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3796)
      • cmd.exe (PID: 3064)
      • cmd.exe (PID: 3584)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2836)
      • cmd.exe (PID: 1428)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3064)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 1428)

    • Application launched itself

      • cmd.exe (PID: 3064)

    • Creates files in the user directory

      • powershell.exe (PID: 3156)
      • powershell.exe (PID: 4000)
      • powershell.exe (PID: 3828)
      • powershell.exe (PID: 3092)
      • powershell.exe (PID: 2720)
      • powershell.exe (PID: 4012)

    • Executes scripts

      • cmd.exe (PID: 3064)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 1428)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2968)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2968)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 3156)
      • powershell.exe (PID: 3092)
      • powershell.exe (PID: 4012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 12
Company: Röhrdanz
Manager: Silvio Kuhl
Paragraphs: 388
Lines: 4515
Application: Microsoft Office Word
CharactersWithSpaces: 315237
Characters: 315237
Words: 24249
Pages: 72
Template: Normal
Category: deleniti
ModifyDate: 2018:12:08 17:21:01Z
CreateDate: 2018:12:08 17:21:01Z
RevisionNumber: 322092
LastModifiedBy: Prof. Alice Kramer
Keywords: fugiat, esse, voluptatem

XMP

Description: Consequuntur accusamus quibusdam architecto rem perferendis laborum minima quae.
Creator: Prof. Alice Kramer
Subject: Pensionskasse SHP N858151174
Title: Pensionskasse SHP N858151174

ZIP

ZipFileName: word/document.xml
ZipUncompressedSize: 6507
ZipCompressedSize: 1430
ZipCRC: 0x83f7eeea
ZipModifyDate: 2018:12:11 12:44:03
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
16
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs wscript.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs wscript.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2968"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Pensionskasse SHP_858151174_11.12.2018.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3064cmd /c ""C:\Users\admin\AppData\Local\Temp\Windowseigener Bildviewer.cmd" "C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3796C:\Windows\system32\cmd.exe /c powershell -w hidden -Command "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4000powershell -w hidden -Command "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3156powershell -WindowStyle hidden -c "[IO.File]::WriteAllBytes($env:IZEivcCTHc, [System.Convert]::FromBase64String([IO.File]::ReadAllText($env:IZEivcCTHc)));"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2228wscript C:\Users\admin\AppData\Local\Temp\IKqYxwfzUpy.jsC:\Windows\system32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2880cmd /c ""C:\Users\admin\AppData\Local\Temp\Windowseigener Bildviewer.cmd" "C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3584C:\Windows\system32\cmd.exe /c powershell -w hidden -Command "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3828powershell -w hidden -Command "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3092powershell -WindowStyle hidden -c "[IO.File]::WriteAllBytes($env:IZEivcCTHc, [System.Convert]::FromBase64String([IO.File]::ReadAllText($env:IZEivcCTHc)));"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 620
Read events
1 922
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
12
Text files
116
Unknown types
2

Dropped files

PID
Process
Filename
Type
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6707.tmp.cvr
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso691C.tmp
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\557C7180.jpeg
MD5:
SHA256:
4000powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZDXIWT3AWA64R50BXPUR.temp
MD5:
SHA256:
3156powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q2RYGI2NMDVQC5T1HJDJ.temp
MD5:
SHA256:
3828powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KFUX8DG4IOTW369B7DO9.temp
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Windowseigener Bildviewer.cmdtext
MD5:32BCDA4CB80CDF09155667A4AB54E836
SHA256:09F75B2BDA824C7BF09E74276F867995B0D8E6FC35303D75EB07BBE00402F4B8
4000powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nsionskasse SHP_858151174_11.12.2018.docxpgc
MD5:D08137614A2233C8ADCB28730CA17A67
SHA256:190D1924C3E00EB3144C683E9C6C3B84ED34066E81ED81BBC5CD8BB86705A65D
3064cmd.exeC:\Users\admin\AppData\Local\Temp\IKqYxwfzUpy.jstext
MD5:B054E692A525B31167B866C81ADE1F77
SHA256:5D4159ED4F404A1D28B6DF3D533C9A4AF24E1508DB92E25F37ECA95C9279E8A3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Pensionskasse SHP_858151174_11.12.2018.docx