analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

43b1fee15096edb5b3eb18999b84b838.docx

Full analysis: https://app.any.run/tasks/1129ec9a-5b9a-466f-846f-4baf2d01c5f3
Verdict: Malicious activity
Analysis date: June 19, 2019, 02:16:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

43B1FEE15096EDB5B3EB18999B84B838

SHA1:

2777ECB029E986AB2FC281724DF1EDF2C71B429A

SHA256:

AACC8432EDA684B179DAB3DE142286625D9A7322E5D9B3501B9CC711AF9B50DC

SSDEEP:

1536:Jnz0vf4iGbX51pae9ziilMtQzRzn+FNWqnalO/Kp:Jz0X49L51MVipx+FNWCCp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2984)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2984)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2076)
      • cmd.exe (PID: 2816)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3572)
      • cmd.exe (PID: 2076)
      • WScript.exe (PID: 756)
      • svchost.exe (PID: 840)
      • cmd.exe (PID: 2816)
      • wscript.exe (PID: 3968)
      • amsi.dll (PID: 3964)

    • Application was dropped or rewritten from another process

      • WScript.exe (PID: 2864)
      • WScript.exe (PID: 756)
      • amsi.dll (PID: 3964)
      • wscript.exe (PID: 3968)
      • amsi.dll (PID: 1644)

    • Changes settings of System certificates

      • amsi.dll (PID: 3964)
      • amsi.dll (PID: 1644)

    • Writes to a start menu file

      • amsi.dll (PID: 3964)
      • amsi.dll (PID: 1644)

    • Changes the autorun value in the registry

      • amsi.dll (PID: 3964)
      • amsi.dll (PID: 1644)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 2984)

    • Executes scripts

      • cmd.exe (PID: 2816)
      • cmd.exe (PID: 2076)
      • amsi.dll (PID: 3964)

    • Starts itself from another location

      • WScript.exe (PID: 756)
      • amsi.dll (PID: 3964)
      • wscript.exe (PID: 3968)

    • Starts application with an unusual extension

      • WScript.exe (PID: 756)
      • wscript.exe (PID: 3968)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 756)

    • Adds / modifies Windows certificates

      • amsi.dll (PID: 3964)
      • amsi.dll (PID: 1644)

    • Creates files in the user directory

      • amsi.dll (PID: 3964)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3384)
      • EXCEL.EXE (PID: 2984)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2984)
      • WINWORD.EXE (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xf2459e1f
ZipCompressedSize: 392
ZipUncompressedSize: 1806
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: Joselio Bonin
Description: -

XML

Keywords: -
LastModifiedBy: Joselio Bonin
RevisionNumber: 5
CreateDate: 2019:06:16 00:44:00Z
ModifyDate: 2019:06:17 01:53:00Z
Template: Normal.dotm
TotalEditTime: 17.4 hours
Pages: 1
Words: 411
Characters: 2221
Application: Microsoft Office Word
DocSecurity: None
Lines: 18
Paragraphs: 5
ScaleCrop: No
HeadingPairs:
  • Título
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 2627
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
13
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winword.exe excel.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs wscript.exe no specs wscript.exe amsi.dll svchost.exe searchprotocolhost.exe no specs wscript.exe no specs amsi.dll

Process information

PID
CMD
Path
Indicators
Parent process
3384"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\43b1fee15096edb5b3eb18999b84b838.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2984"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2076"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & start C:\Users\Public\WindowsDefender.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2816"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\atach.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3412ping 127.0.0.1 -n 3 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3556ping 127.0.0.1 -n 5 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2864"C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
756"C:\Windows\System32\WScript.exe" "C:\Users\Public\atach.vbs" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3964"C:\Users\Public\amsi.dll" "C:\Users\Public\atach.vbs"C:\Users\Public\amsi.dll
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
840C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 221
Read events
975
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
24
Text files
15
Unknown types
6

Dropped files

PID
Process
Filename
Type
3384WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREAE.tmp.cvr
MD5:
SHA256:
3384WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{AD1AC134-0758-4B88-8FAD-321E4D3E281E}
MD5:
SHA256:
3384WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{2471E088-CA2A-4309-BB80-7172EB3025E5}
MD5:
SHA256:
840svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:71CA7046B0B8C29B86E377E31888B3D7
SHA256:1EF7983D907EA8D5C152B0A6352827CA3F4133C26E42A77E66AF092D86073AD0
2984EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRD71E.tmp.cvr
MD5:
SHA256:
3384WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7E5DB406-81D4-4188-B716-1489BF410672}.FSDbinary
MD5:09C626C19CE347DDC578982E157A2146
SHA256:5AFD815A1DF1BA4A39FF612EC78F4C691032D13E06E59033AA27A8653E01E89D
3384WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:0D259EFA54A57B4AA631F83BAE415B54
SHA256:F4A894E0EE9B81A217A446477CC4B14189A2CB51F6C41C1A8E2FD756AD69343C
3384WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:53F77EC81B0DC570E9F1096FC7072865
SHA256:CBB30FF111947B59AD248A6CEB9D4B617E5CD3FF40198B34E902A1DD6B3F10DE
3384WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$b1fee15096edb5b3eb18999b84b838.docxpgc
MD5:8AFA98DCF3F64FDE815C4A37164F13EA
SHA256:154B4DE46451770C0FDED2D7038C027036D8BA381E0984B26328CC12FE3A9854
3384WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1C3731FA96EBDD2B59DD9077E7304E50
SHA256:90231EF6597C66760A15F548BBB57E7F36AE0729947BF09439BF18DB568920C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
53
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
WINWORD.EXE
OPTIONS
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/
BR
malicious
3384
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
980
svchost.exe
OPTIONS
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/
BR
malicious
3384
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
3384
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
3384
WINWORD.EXE
GET
304
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
980
svchost.exe
OPTIONS
301
191.252.51.35:80
http://hotelpremier.com.br/imagens
BR
html
243 b
malicious
980
svchost.exe
PROPFIND
405
191.252.51.35:80
http://hotelpremier.com.br/imagens/
BR
xml
969 b
malicious
980
svchost.exe
PROPFIND
301
191.252.51.35:80
http://hotelpremier.com.br/imagens
BR
html
243 b
malicious
3384
WINWORD.EXE
HEAD
200
191.252.51.35:80
http://hotelpremier.com.br/imagens/a.doc
BR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3384
WINWORD.EXE
191.252.51.35:80
hotelpremier.com.br
Locaweb Serviços de Internet S/A
BR
malicious
980
svchost.exe
191.252.51.35:80
hotelpremier.com.br
Locaweb Serviços de Internet S/A
BR
malicious
3964
amsi.dll
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
1644
amsi.dll
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
2984
EXCEL.EXE
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
168.197.229.117:70
bylgay.hopto.org
GIGASAT SERVIÇOS DE PROCESSAMENTOS DE DADOS LTDA
BR
malicious
1644
amsi.dll
168.197.229.117:70
bylgay.hopto.org
GIGASAT SERVIÇOS DE PROCESSAMENTOS DE DADOS LTDA
BR
malicious
1644
amsi.dll
79.134.225.20:70
microsoftoutlook.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
hotelpremier.com.br
  • 191.252.51.35
malicious
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
bylgay.hopto.org
  • 168.197.229.117
malicious
soucdtevoceumcuzao.duckdns.org
  • 168.197.229.117
malicious
microsoftoutlook.duckdns.org
  • 79.134.225.20
malicious

Threats

PID
Process
Class
Message
3384
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
3384
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
43b1fee15096edb5b3eb18999b84b838.docx