analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | canadapost_invoice_1175.doc |
| Full analysis: | https://app.any.run/tasks/71d60417-bf4e-41b4-b3a7-344705d2f8b5 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2019, 14:00:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Keywords: 408 306 225 408, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Wed Dec 4 12:01:00 2019, Last Saved Time/Date: Wed Dec 4 12:16:00 2019, Number of Pages: 3, Number of Words: 44104, Number of Characters: 251396, Security: 0 |
| MD5: | D29F42A3E3F69CEEA68B782A15158EAA |
| SHA1: | 7443886D3E7EFD6B2E203232FF7E389F776427D3 |
| SHA256: | 9E0B8BA50B9E1ED9B6A6D49EC6F0D2FEA6BB13F841B9ABB8C0ADAF931E65B928 |
| SSDEEP: | 6144:tnlp9xk8FKPt3yNybhVcjUXzUrAs0x1wwXMi:rp9xk8FKPINGbNX0ARwwv |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 492)
Executes scripts
- WINWORD.EXE (PID: 492)
SUSPICIOUS
No suspicious indicators.INFO
Creates files in the user directory
- WINWORD.EXE (PID: 492)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | Windows User |
| Keywords: | 408 306 225 408 |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | Windows User |
| RevisionNumber: | 5 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 3.0 minutes |
| CreateDate: | 2019:12:04 12:01:00 |
| ModifyDate: | 2019:12:04 12:16:00 |
| Pages: | 3 |
| Words: | 44104 |
| Characters: | 251396 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 2094 |
| Paragraphs: | 589 |
| CharCountWithSpaces: | 294911 |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
36
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 492 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\canadapost_invoice_1175.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
| 3512 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Word\PublicEnemy\hereyouare.jse" True | C:\Windows\System32\WScript.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
| 3524 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 336 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Application Error Reporting Exit code: 0 Version: 14.0.6015.1000 | ||||
| 912 | C:\Windows\system32\dwwin.exe -x -s 336 | C:\Windows\system32\dwwin.exe | — | DW20.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Client Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 398
Read events
1 009
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
6
Text files
0
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDF63.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30A45022.wmf | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BECE8480.wmf | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1454641D095DDE06.TMP | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF116F34C74C1A66F8.TMP | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF9C06EE72A526760B.TMP | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B648706F-DD09-4D59-9639-DC55360F7E85}.tmp | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2FB611ED-656D-477E-9F98-252B7AB4E951}.tmp | — | |
MD5:— | SHA256:— | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRL0001.tmp | document | |
MD5:7AFE555CC3B97C8F7868212798B85B0E | SHA256:F71491B17F1D132F29EC40C363F142089BF47A506371F240E693AF7748A78F55 | |||
| 492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:DE4920A2A468C3D64E908E6B5DE5511E | SHA256:B6DF9289B3A49182F01C7F3E0361489A6D8B2758E4C9722A8BFF1872C89AFEFB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report