analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

b61627824c7dc4cf90f9468eafeda996819dc51095b911601334052fdbe79618.docm

Full analysis: https://app.any.run/tasks/4cc6d1b8-5e11-41bc-92a6-2438ed0558cc
Verdict: Malicious activity
Analysis date: March 14, 2019, 06:33:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
maldoc-8
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

9E9FFAFA0180A4C09805FAD6C50906B2

SHA1:

AB6E2F0B39C13D9A5A979F181B3C465824DAFCED

SHA256:

B61627824C7DC4CF90F9468EAFEDA996819DC51095B911601334052FDBE79618

SSDEEP:

6144:h6hiN03B14z/jmClH+N7E+35nAh3mYhM40R7WNt4hTO2/k/aQJgxNnb7k:fNwbaeN336nM4gstSu52DnU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3492)
  • SUSPICIOUS

    • Executes application which crashes

      • WINWORD.EXE (PID: 3492)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3492)
    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 3492)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Creator: Alex Smith

XML

ModifyDate: 2019:03:11 18:00:00Z
CreateDate: 2019:03:06 19:37:00Z
RevisionNumber: 3
LastModifiedBy: Alex Smith
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 2
LinksUpToDate: No
Company: Microsoft
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 2
Words: -
Pages: 2
TotalEditTime: 10 minutes
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1613
ZipCompressedSize: 438
ZipCRC: 0x14506c9d
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3492"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b61627824c7dc4cf90f9468eafeda996819dc51095b911601334052fdbe79618.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4000"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 081
Read events
741
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3492WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDDFD.tmp.cvr
MD5:
SHA256:
3492WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C344E69A.png
MD5:
SHA256:
4000ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF771.tmp
MD5:
SHA256:
4000ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF772.tmp
MD5:
SHA256:
3492WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E36B11D3.png
MD5:
SHA256:
3492WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:4B5F05F98636B3BC22649F1231423D7D
SHA256:06E603CC75F07CBAC81EAE65BE7F7C4040F593C0106CE836CD0793644246A890
3492WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$1627824c7dc4cf90f9468eafeda996819dc51095b911601334052fdbe79618.docmpgc
MD5:7CFB4B26E3672A4F735B41FA22FD274B
SHA256:21BFEC6DD362550D59F4B164E67251BD1B2847AE90418C528CF38CB716546FE9
3492WINWORD.EXEC:\Users\Public\uyrseeakpi.exehtml
MD5:370E16C3B7DBA286CFF055F93B9A94D8
SHA256:D465172175D35D493FB1633E237700022BD849FA123164790B168B8318ACB090
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3492
WINWORD.EXE
185.244.150.170:443
kuchi8.pw
suspicious

DNS requests

Domain
IP
Reputation
kuchi8.pw
  • 185.244.150.170
suspicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info