analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

aacc8432eda684b179dab3de142286625d9a7322e5d9b3501b9cc711af9b50dc.doc

Full analysis: https://app.any.run/tasks/0160ee25-54b7-40d3-b216-bc864c0435f2
Verdict: Malicious activity
Analysis date: June 19, 2019, 02:41:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

43B1FEE15096EDB5B3EB18999B84B838

SHA1:

2777ECB029E986AB2FC281724DF1EDF2C71B429A

SHA256:

AACC8432EDA684B179DAB3DE142286625D9A7322E5D9B3501B9CC711AF9B50DC

SSDEEP:

1536:Jnz0vf4iGbX51pae9ziilMtQzRzn+FNWqnalO/Kp:Jz0X49L51MVipx+FNWCCp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2904)
      • EXCEL.EXE (PID: 2212)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 332)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 704)
      • cmd.exe (PID: 804)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2904)
      • EXCEL.EXE (PID: 2212)

    • Changes settings of System certificates

      • amsi.dll (PID: 2432)
      • amsi.dll (PID: 4064)
      • WScript.exe (PID: 872)

    • Application was dropped or rewritten from another process

      • WScript.exe (PID: 3412)
      • WScript.exe (PID: 1032)
      • amsi.dll (PID: 2432)
      • wscript.exe (PID: 3464)
      • amsi.dll (PID: 4064)
      • WScript.exe (PID: 3612)
      • WScript.exe (PID: 872)
      • wscript.exe (PID: 3860)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2920)
      • cmd.exe (PID: 332)
      • WScript.exe (PID: 1032)
      • svchost.exe (PID: 848)
      • cmd.exe (PID: 2180)
      • amsi.dll (PID: 2432)
      • wscript.exe (PID: 3464)
      • cmd.exe (PID: 804)
      • cmd.exe (PID: 704)

    • Writes to a start menu file

      • amsi.dll (PID: 2432)
      • amsi.dll (PID: 4064)
      • WScript.exe (PID: 872)

    • Changes the autorun value in the registry

      • amsi.dll (PID: 2432)
      • amsi.dll (PID: 4064)
      • WScript.exe (PID: 872)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 2904)
      • excelcnv.exe (PID: 2460)
      • EXCEL.EXE (PID: 2212)
      • excelcnv.exe (PID: 4040)

    • Executes scripts

      • cmd.exe (PID: 332)
      • cmd.exe (PID: 2180)
      • amsi.dll (PID: 2432)
      • cmd.exe (PID: 704)
      • cmd.exe (PID: 804)
      • WScript.exe (PID: 872)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1032)

    • Starts application with an unusual extension

      • WScript.exe (PID: 1032)
      • wscript.exe (PID: 3464)

    • Starts itself from another location

      • WScript.exe (PID: 1032)
      • amsi.dll (PID: 2432)
      • wscript.exe (PID: 3464)

    • Adds / modifies Windows certificates

      • amsi.dll (PID: 2432)
      • amsi.dll (PID: 4064)
      • WScript.exe (PID: 872)

    • Creates files in the user directory

      • amsi.dll (PID: 2432)

    • Application launched itself

      • WScript.exe (PID: 872)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2904)
      • WINWORD.EXE (PID: 712)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2904)
      • WINWORD.EXE (PID: 712)
      • excelcnv.exe (PID: 2460)
      • EXCEL.EXE (PID: 2212)
      • excelcnv.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xf2459e1f
ZipCompressedSize: 392
ZipUncompressedSize: 1806
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: Joselio Bonin
Description: -

XML

Keywords: -
LastModifiedBy: Joselio Bonin
RevisionNumber: 5
CreateDate: 2019:06:16 00:44:00Z
ModifyDate: 2019:06:17 01:53:00Z
Template: Normal.dotm
TotalEditTime: 17.4 hours
Pages: 1
Words: 411
Characters: 2221
Application: Microsoft Office Word
DocSecurity: None
Lines: 18
Paragraphs: 5
ScaleCrop: No
HeadingPairs:
  • Título
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 2627
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
23
Malicious processes
11
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winword.exe excel.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs wscript.exe no specs wscript.exe amsi.dll excelcnv.exe no specs svchost.exe searchprotocolhost.exe no specs wscript.exe no specs amsi.dll excel.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs wscript.exe no specs excelcnv.exe no specs wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
712"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\aacc8432eda684b179dab3de142286625d9a7322e5d9b3501b9cc711af9b50dc.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2904"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
332"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & start C:\Users\Public\WindowsDefender.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2180"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\atach.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2452ping 127.0.0.1 -n 3 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3184ping 127.0.0.1 -n 5 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3412"C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1032"C:\Windows\System32\WScript.exe" "C:\Users\Public\atach.vbs" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2432"C:\Users\Public\amsi.dll" "C:\Users\Public\atach.vbs"C:\Users\Public\amsi.dll
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2460"C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -EmbeddingC:\Program Files\Microsoft Office\Office14\excelcnv.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Total events
2 460
Read events
2 026
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
24
Text files
32
Unknown types
9

Dropped files

PID
Process
Filename
Type
712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3F2F.tmp.cvr
MD5:
SHA256:
712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{79F5F166-D795-4C9A-B6CC-19CD88C718B2}
MD5:
SHA256:
712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{E50BC193-61E3-434A-8D46-E44917757C8E}
MD5:
SHA256:
2904EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRFC45.tmp.cvr
MD5:
SHA256:
712WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:6262DCDAEDA7736AA7DA374DDB92BB9A
SHA256:A84DAF37B9966C593B6F3977854266531A565C707C0C8C9CE5CFD846C8F3BBC8
712WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:78854943818252C6E83A83506E030BA5
SHA256:70605DF163FEFE0262A4C8EC5FEA5164CDA9B34A06150B7FAA60DE41EEFE53B8
712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cc8432eda684b179dab3de142286625d9a7322e5d9b3501b9cc711af9b50dc.docpgc
MD5:B38E6D79C9155253BD90DE72B3C4B3A6
SHA256:9F6057F9A4709F53127613422AB623646B1DDA916F4613626CEADAB6FB296565
712WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:323B35733F3B04E12CBCA0126CCEEE72
SHA256:5BDEBE636AEF582EF015D1155E3C323E971E759CACA3605EE352CF0500D1F6DF
848svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:71CA7046B0B8C29B86E377E31888B3D7
SHA256:1EF7983D907EA8D5C152B0A6352827CA3F4133C26E42A77E66AF092D86073AD0
712WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4847CBA6-1548-40D5-BCEF-3ECC213568A2}.FSDbinary
MD5:74189D4CBFEFE0431E64C0151A6B7CB3
SHA256:832C3AB4C6118668EB98D06DCA9061B5D48ED2D288801A65F666D9E28AA9C852
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
71
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
712
WINWORD.EXE
OPTIONS
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/
BR
malicious
712
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
984
svchost.exe
OPTIONS
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/
BR
malicious
712
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
712
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
712
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
712
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
712
WINWORD.EXE
GET
304
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
712
WINWORD.EXE
GET
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
text
104 Kb
malicious
984
svchost.exe
PROPFIND
301
191.252.51.35:80
http://hotelpremier.com.br/imagens
BR
html
243 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
191.252.51.35:80
hotelpremier.com.br
Locaweb Serviços de Internet S/A
BR
malicious
712
WINWORD.EXE
191.252.51.35:80
hotelpremier.com.br
Locaweb Serviços de Internet S/A
BR
malicious
984
svchost.exe
191.252.51.35:80
hotelpremier.com.br
Locaweb Serviços de Internet S/A
BR
malicious
2904
EXCEL.EXE
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
2432
amsi.dll
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
4064
amsi.dll
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
4064
amsi.dll
168.197.229.117:70
bylgay.hopto.org
GIGASAT SERVIÇOS DE PROCESSAMENTOS DE DADOS LTDA
BR
malicious
4064
amsi.dll
79.134.225.20:70
microsoftoutlook.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious
2212
EXCEL.EXE
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
872
WScript.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
hotelpremier.com.br
  • 191.252.51.35
malicious
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
shared
bylgay.hopto.org
  • 168.197.229.117
malicious
soucdtevoceumcuzao.duckdns.org
  • 168.197.229.117
malicious
microsoftoutlook.duckdns.org
  • 79.134.225.20
malicious

Threats

PID
Process
Class
Message
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
712
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
aacc8432eda684b179dab3de142286625d9a7322e5d9b3501b9cc711af9b50dc.doc