File name: info_11_08.doc
Full analysis: https://app.any.run/tasks/8bb73e0f-ddd6-40cd-b40e-c9a5054cbf7d
Verdict: Malicious activity
Analysis date: November 08, 2019, 15:47:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Auto Formatter v1.2, Subject: Payslip auto formatter, Author: WAREHOUSECOMP1, Comments: Reference #3466, Template: Normal, Last Saved By: Windows, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 6 10:17:00 2019, Last Saved Time/Date: Fri Nov 8 09:36:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: D4367830B0B1EC1AFA90BBC68929173E
SHA1: 161C049360C300CEFD5DE40CF140331D9C60132C
SHA256: C3CE91767FA1A8D88AC3B98378FC92A854D6690C5981D9D47A6666668D79C82B
SSDEEP: 3072:uwIx16RX/0tq4Z/ZeRcMt/jmddUFdonaUPQ69L5hYaS2tfRQ+:ZIx18MtJZeR6dUFdoaUPph7S2tfRQ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 932)
    • Executes scripts
      • WINWORD.EXE (PID: 932)
  • SUSPICIOUS
    • Creates files in the Windows directory
      • WINWORD.EXE (PID: 932)
  • INFO
    • Reads settings of System Certificates
      • WScript.exe (PID: 2608)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 932)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 932)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
  • ffwmamztsi
  • ffwmamztsi
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Bytes: 27648
Company: EasyLease LLC
Manager: Keon Weissnat
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:11:08 09:36:00
CreateDate: 2019:08:06 09:17:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: Пользователь Windows
Template: Normal
Comments: Reference #3466
Keywords: -
Author: WAREHOUSECOMP1
Subject: Payslip auto formatter
Title: Auto Formatter v1.2
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winword.exe -> wscript.exe (no specs)

Process information

PID: 932
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_11_08.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2608
CMD: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\eekinltaor.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 1 725
Read events: 948
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 4
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA850.tmp.cvr | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabD82.tmp | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarD83.tmp | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabD84.tmp | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarD95.tmp | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Cab1C2C.tmp | - | - | -
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Tar1C2D.tmp | - | - | -
932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
932 | WINWORD.EXE | C:\Windows\Temp\eekinltaor.js | text | D596D1CB1DAA288119CBDD4B2C5D05DC | 614F21D485737B18C9ED703AE47C9BDE3115E3AC4CC9A6BEC46F2DB378DCF484
932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | CB0EBE4A947CF333DA5D3158CE876C90 | 22937D5BD6841A606FC8494B164CED9765561AE0F212C239197827B62061BE1E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 11
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2608 | WScript.exe | GET | 404 | 185.20.185.84:80 | http://ooroollino.com/zepoli/ironak.php?l=slalel3.cab | NL | - | - | suspicious
2608 | WScript.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted
2608 | WScript.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7.crt | US | der | 848 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2608 | WScript.exe | 184.30.217.76:443 | www.trendmicro.com | Akamai International B.V. | NL | unknown
2608 | WScript.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
2608 | WScript.exe | 104.109.84.249:443 | docs.microsoft.com | Akamai International B.V. | NL | whitelisted
2608 | WScript.exe | 185.20.185.84:80 | ooroollino.com | Serverius Holding B.V. | NL | suspicious

DNS requests

Domain | IP | Reputation
docs.microsoft.com | 104.109.84.249 | whitelisted
www.trendmicro.com | 184.30.217.76 | whitelisted
www.download.windowsupdate.com | 205.185.216.42, 205.185.216.10 | whitelisted
ooroollino.com | 185.20.185.84 | suspicious

Threats

Found threats are available for paid subscriptions
1 ETPRO signature available in the full report
No debug info