analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ccc.doc

Full analysis: https://app.any.run/tasks/d959fecc-fa01-4b3d-9068-a136b42c7692
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 02:55:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

93C3E76659E7893FCEF5F63EF1AFC403

SHA1:

BB162586C1A1FAF0D5544F8223748E5ECA6F623E

SHA256:

C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E

SSDEEP:

384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2004)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2004)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2004)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 2004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x344b4b79
ZipCompressedSize: 398
ZipUncompressedSize: 1474
ZipFileName: [Content_Types].xml

XMP

Creator: Olachi

XML

LastModifiedBy: Olachi
RevisionNumber: 2
CreateDate: 2018:11:08 13:02:00Z
ModifyDate: 2018:11:08 13:02:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 10
Characters: 61
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 70
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
2004"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ccc.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
429
Read events
368
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
27
Text files
7
Unknown types
3

Dropped files

PID
Process
Filename
Type
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA091.tmp.cvr
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{565ACAAD-EE1F-4D46-845B-F5B0943FBE0E}
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{3548CEF4-18A5-4E82-8A02-8E66F98FD3AE}
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\512CC70.doc
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:F1355C7B8F4FFE4A7F06F16CB67182F3
SHA256:F1422C3E7C9B537B1BF8C03DF47CE39DC2701B5857015473654203C16BC2D0DE
2004WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:256A3EF47ED32A3D3038855D49DF0319
SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14EADE92.emfemf
MD5:0B4608E6B88EBB3F196708ED5E3CA66A
SHA256:CF2A6EC134BFB707253F6FB6EE12E710FE19EDD7DF21963EF1B2185E1AE19D94
2004WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@urlz[1].txttext
MD5:70B6CCC8AB311049FBE3FD65203C4229
SHA256:062EF995B33932FAAD0E669A1A465678881FB45326E6EF33FB6FC01369EA1D1F
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C1651540-AF76-4141-8365-E5CF577DEF8E}.FSDbinary
MD5:CD43E4D44112B25D764D47EFEFC74894
SHA256:6DB59F5D4EA0732E611E7DAD7B81C2F32CADAD537839B2051047E49C996A0E84
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ccc.docpgc
MD5:B1D444BB9B333BB23E2EA40430622F97
SHA256:FAFEBE9656D1F7656C2F9E24E68C88E0983964DE705161535A5D1884B6BE2A24
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2004
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
2004
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.hta
RU
html
2.29 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
980
svchost.exe
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
2004
WINWORD.EXE
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
2004
WINWORD.EXE
31.184.198.161:80
Petersburg Internet Network ltd.
RU
suspicious

DNS requests

Domain
IP
Reputation
urlz.fr
  • 104.28.14.54
  • 104.28.15.54
shared

Threats

PID
Process
Class
Message
2004
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
2004
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
2004
WINWORD.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
2004
WINWORD.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ccc.doc