File name: Request_12_04.doc
Full analysis: https://app.any.run/tasks/79e2ca3a-63f5-482e-93c3-18e691ff8503
Verdict: Malicious activity
Analysis date: December 06, 2019, 16:21:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, maldoc-3
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B3F3BFFD8EA42F9D1ECB7AD6851B4CD0
SHA1: FE564577D5C8BB748E8F70A3B232E6976C6C6EE7
SHA256: C3853565FF629438373C87717C0A160F852ABED5DCD8B17E7D503AA15FC17B70
SSDEEP: 1536:/VdE1Bnp4UReoqQd5YFWAfV9AN7svtzTk7Bt+DeHbqX:/Vinp4U59YAAbs7svJQ7Bt8eM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1752)
    • Uses WMIC.EXE to invoke XSL script
      • WINWORD.EXE (PID: 1752)
  • SUSPICIOUS
    • Creates files in the Windows directory
      • WINWORD.EXE (PID: 1752)
    • Creates files in the user directory
      • notepad++.exe (PID: 2820)
    • Executed via COM
      • DllHost.exe (PID: 1888)
  • INFO
    • Manual execution by user
      • notepad++.exe (PID: 2820)
      • explorer.exe (PID: 2480)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1752)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1752)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Description: -
Creator: asueo
Subject: -
Title: -

XML

Category: -
ModifyDate: 2019:12:04 09:28:00Z
CreateDate: 2019:12:04 09:28:00Z
RevisionNumber: 2
LastModifiedBy: admin
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: home
Manager: -
TitlesOfParts:
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
ScaleCrop: No
Paragraphs: -
Lines: 2
DocSecurity: None
Application: Microsoft Office Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1635
ZipCompressedSize: 426
ZipCRC: 0xc8e48bf2
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in graph: winword.exe, wmic.exe, explorer.exe, Shell Security Editor, notepad++.exe, gup.exe

Process information

PID: 1752
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Request_12_04.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3408
CMD: wmic process list /format:"c:\windows\temp\anhIY.xsl"
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147614729
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2480
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1888
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2820
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\Temp\anhIY.xsl"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Version: 7.51

PID: 3744
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1
Total events: 2 256
Read events: 1 106
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 3

Dropped files

PID | Process | Filename | Type
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8CD.tmp.cvr | -
    MD5: -
    SHA256: -
1752 | WINWORD.EXE | C:\windows\temp\anhIY.xsl | xml
    MD5: 5FEC00CCF424D8CBBB5B193F9EB6AF35
    SHA256: 68E2F49CE6C922D422A24C728F0D3EF8768CE70050FFA8FE5D3418F2FB4561A9
1752 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
    MD5: D3E45E9E34C71A48C10FD945E9620BAF
    SHA256: 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$quest_12_04.doc | pgc
    MD5: 524A7989A09477B4FF56B27F472151A1
    SHA256: 142564C8243AB86866DEFCD9402A2C44BA0DA052D15E413921FA229E8833B775
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb
    MD5: CFF63ED6F2F3ADCFA1EEFFA3607CC643
    SHA256: 549603E658158BD345ED06C9F013885991FCBD8A2F25DD494390B6824C219E97
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text
    MD5: AD21A64014891793DD9B21D835278F36
    SHA256: C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml
    MD5: E792264BEC29005B9044A435FBA185AB
    SHA256: 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text
    MD5: F70F579156C93B097E656CABA577A5C9
    SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml
    MD5: 44982E1D48434C0AB3E8277E322DD1E4
    SHA256: 3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3744 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
stoilamser.com | - | malicious
notepad-plus-plus.org | 104.31.88.28, 104.31.89.28 | whitelisted
ocsp.digicert.com | 72.21.91.29 | whitelisted

Threats

No threats detected

Process | Message
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093