analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Prepared_document_13964884.docm |
| Full analysis: | https://app.any.run/tasks/45e0085e-81d1-496a-91e3-af356ae78fc5 |
| Verdict: | Malicious activity |
| Analysis date: | August 13, 2019, 18:10:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | 560767753EDFBAF47050CFDBA0D4D715 |
| SHA1: | DF375B0E6771903814EABE8FE7510B6380402B74 |
| SHA256: | B6839EAC3C7D32746F383E28FF3AB421759B0A922040E369265F1400083C50BA |
| SSDEEP: | 3072:daRAsxdGSIyyPhOHq89kcUip4NHpESFFUGaP0KxAjDZAeeEh8d98e4crDyREOesj:d4AGTyPtgkFHpE2YP0Ku3yeey8Ue4CDS |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2568)
Writes file to Word startup folder
- WINWORD.EXE (PID: 2568)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2568)
SUSPICIOUS
Executes scripts
- cmd.exe (PID: 2108)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2568)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
|---|---|---|
| .docx | | | Word Microsoft Office Open XML Format document (24.2) |
| .zip | | | Open Packaging Conventions container (18) |
| .zip | | | ZIP compressed archive (4.1) |
EXIF
XMP
| Creator: | - |
|---|
XML
| ModifyDate: | 2019:08:09 11:47:00Z |
|---|---|
| CreateDate: | 2019:07:08 09:55:00Z |
| RevisionNumber: | 1 |
| LastModifiedBy: | - |
| AppVersion: | 15 |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| CharactersWithSpaces: | 790502 |
| LinksUpToDate: | No |
| Company: | - |
| TitlesOfParts: | - |
| HeadingPairs: |
|
| ScaleCrop: | No |
| Paragraphs: | 1581 |
| Lines: | 5615 |
| DocSecurity: | None |
| Application: | Microsoft Office Word |
| Characters: | 673862 |
| Words: | 118221 |
| Pages: | 90 |
| TotalEditTime: | - |
| Template: | Normal.dotm |
ZIP
| ZipFileName: | [Content_Types].xml |
|---|---|
| ZipUncompressedSize: | 2535 |
| ZipCompressedSize: | 463 |
| ZipCRC: | 0x53898b0b |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2568 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Prepared_document_13964884.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
| 2108 | "C:\Windows\System32\cmd.exe" /c"c:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2232 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
Total events
1 578
Read events
1 232
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
2
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6CF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7847E0BD.png | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BE9D24D-174B-4B29-BE6A-F7962D1A2120}.tmp | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ACCD68FA-066B-4657-96CA-E5DA9B9F5804}.tmp | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4EF2AD4-1CD1-422D-AF49-4C18DCB26032}.tmp | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{20048F6F-B285-4C1D-A246-D31431DBF61A}.tmp | — | |
MD5:— | SHA256:— | |||
| 2568 | WINWORD.EXE | C:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse | text | |
MD5:D9D3BDAF54217BD1629AEBB16B989087 | SHA256:293BA9EC960160F4B8BCD6E940C35F0CBAD92923B8D1C753809C505D8638AB2C | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$epared_document_13964884.docm | pgc | |
MD5:60427B6FE763251098DDB8261F30D6F6 | SHA256:1612CEA2AE95187E343B5CF3A9C67EAD59CE444FD33FDB65BE8D40EEF68D108E | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E564A6D6459A6CB0E3CE1F3C14FC8E1F | SHA256:CC2E410900E011B16448B0B13D5493307DB568A24AAF225842F7C8128E98F70A | |||
| 2568 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report