analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Complaint 8872-19 International Claims Suit.doc

Full analysis: https://app.any.run/tasks/1ff5a977-a7ec-458e-8527-bbd2f4d6e16a
Verdict: Malicious activity
Analysis date: April 15, 2019, 08:09:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: h7f4e2d, Subject: d5d73b, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 11 21:47:00 2019, Last Saved Time/Date: Thu Apr 11 21:06:00 2019, Number of Pages: 1, Number of Words: 19, Number of Characters: 109, Security: 0
MD5:

94784C3C6A8B275A4143935CB7FA377C

SHA1:

0C8A9B7851D199CEDF5B7769FB8A629270AD7F8F

SHA256:

BAB6B48ED9581CACF4D8E0FCAA263CC2FEB6F914953A7830161E4B06BD997F05

SSDEEP:

1536:iMdWDR+vDByNjFkwabf3wIibFASIztZ31+JZTssTEZ+eXBjJlCZ8O+7VZyi68FXM:JHvDByREMAzqZTIZ+m1JG8O98FbGv5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2684)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2684)

  • SUSPICIOUS

    • Executes application which crashes

      • cmd.exe (PID: 2900)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2684)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (80)

EXIF

FlashPix

CompObjUserType: Microsoft Office Word 97-2003 Document
CompObjUserTypeLen: 39
HeadingPairs:
  • Title
  • 1
TitleOfParts: h7f4e2d
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CharCountWithSpaces: 127
Paragraphs: 1
Lines: 1
Bytes: 11000
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 109
Words: 19
Pages: 1
ModifyDate: 2019:04:11 20:06:00
CreateDate: 2019:04:11 20:47:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal
Comments: -
Keywords: -
Author: -
Subject: d5d73b
Title: h7f4e2d
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2684"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Complaint 8872-19 International Claims Suit.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2900"C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\mb4f6f2.txt" "mb4f6f2.exe" &start "" "C:\Users\admin\AppData\Local\Temp\mb4f6f2.exe" C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1156"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 104
Read events
765
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2684WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2EFC.tmp.cvr
MD5:
SHA256:
2684WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mb4f6f2.txt
MD5:
SHA256:
1156ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs7ED2.tmp
MD5:
SHA256:
1156ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs7ED3.tmp
MD5:
SHA256:
2684WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$mplaint 8872-19 International Claims Suit.docpgc
MD5:401D15725EACD791A1DE1C021C4A454F
SHA256:4C01B3BFEAAA8D41EEB0FEE9B4C3DD0787E24BAF37A6A4FA2A44CC54584B3E08
2900cmd.exeC:\Users\admin\AppData\Local\Temp\mb4f6f2.exehtml
MD5:AAC2661A51246CE89B8F330CDBC3C9B1
SHA256:CE2149848B4D1CB7A2E75786F8457044C1DC91C1F48F3408A0A3E77AA6D31227
2684WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E0A6D871DF9AF8A843020CC2FC70CA4E
SHA256:33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2684
WINWORD.EXE
5.77.61.92:443
notarygafa.com
iomart Cloud Services Limited.
GB
malicious

DNS requests

Domain
IP
Reputation
notarygafa.com
  • 5.77.61.92
malicious

Threats

PID
Process
Class
Message
2684
WINWORD.EXE
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Complaint 8872-19 International Claims Suit.doc