File name:

TomMarslandResume.docm

Full analysis: https://app.any.run/tasks/ef1e3b59-ad43-4aa2-892d-4394d8c55c54
Verdict: Malicious activity
Analysis date: June 11, 2024, 18:20:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

9559A9EED09C11CBA30E4743CF7974CD

SHA1:

52279F70194B2E4F89BDDE1F403B41194DFEC67D

SHA256:

C97A6B93B33D0DFC9685AAABC673756BC0329DE8D2F9F088CCE7C70B76C66489

SSDEEP:

384:UmA7zSZweORo0rhhFL/ulWsboTp0RBfk/VBCUNfde9I0ZkZY:UlWOxdhFLGlWsbm0bfW7nhIZkW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • WINWORD.EXE (PID: 3972)

    • Sends HTTP request (SCRIPT)

      • WINWORD.EXE (PID: 3972)

    • Opens an HTTP connection (SCRIPT)

      • WINWORD.EXE (PID: 3972)

  • SUSPICIOUS

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • WINWORD.EXE (PID: 3972)

  • INFO

    • Reads Internet Explorer settings

      • CLVIEW.EXE (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x91fc8a0b
ZipCompressedSize: 401
ZipUncompressedSize: 1586
ZipFileName: [Content_Types].xml

XMP

Creator: cents

XML

LastModifiedBy: Solanki, Chance Y Finance
RevisionNumber: 12
CreateDate: 2022:07:04 00:29:00Z
ModifyDate: 2023:01:16 06:22:00Z
Template: Normal
TotalEditTime: 3.1 hours
Pages: 2
Words: 220
Characters: 1258
Application: Microsoft Office Word
DocSecurity: None
Lines: 10
Paragraphs: 2
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: ARGENTS
LinksUpToDate: No
CharactersWithSpaces: 1476
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe clview.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE" "WINWORD" "Microsoft Word"C:\Program Files\Microsoft Office\Office14\CLVIEW.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Help Viewer
Exit code:
0
Version:
14.0.6015.1000
Modules
Images
c:\program files\microsoft office\office14\clview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\program files\microsoft office\office14\msocf.dll
3972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\TomMarslandResume.docmC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
9 629
Read events
9 168
Write events
212
Delete events
249

Modification events

(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:*b?
Value:
2A623F00840F0000010000000000000000000000
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3972) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
106
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3A7A.tmp.cvr
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$mMarslandResume.docmpgc
MD5:7394BAE1D2A0832A722F213319C7B309
SHA256:A6BEE857756442152607A47F23176234F13CF25F78C10DC57C286C2D64655AA8
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEE8C.tmpbinary
MD5:7E8B24EECB300B45B19F534EFF40AD54
SHA256:DAA96DDB007D4387E35263890F76F3CE91EE276D6AE85B0BBF1D9BCB97FCF85B
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso3F4E.tmpimage
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
3972WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:D27D307C9620F0F2B78519B6F5CB7294
SHA256:8A5E3EC0A17A150FA69946625208F77546C15E5247A4A318EE1F7ADA644FFCF5
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEEAF.tmpbinary
MD5:4BD1EB83BB26A0192FE6465187600F4A
SHA256:375732431D8AB7B81AD6BA6F53FBB291BBA95614171A52B4BA281B628A69E061
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEEE5.tmpbinary
MD5:4BE2AEDDA24E0539C95564B48CA9D8BA
SHA256:E4D153F74AC21D4212A83FE030EE7A407B5FDFE2D3A8145F3E826532BD796893
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEE8D.tmpbinary
MD5:244A447B9438A40D8F83E1D975D44CE8
SHA256:903C9F354180FE84A34E8A68492A58EAAFE67310A8A3557E3080D4C85E36BE6E
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEE8A.tmpbinary
MD5:4BE2AEDDA24E0539C95564B48CA9D8BA
SHA256:E4D153F74AC21D4212A83FE030EE7A407B5FDFE2D3A8145F3E826532BD796893
2108CLVIEW.EXEC:\Users\admin\AppData\Local\Temp\IMTEEB1.tmpbinary
MD5:287DEDC2112AA88CD5156848417DE318
SHA256:40896DA16DEEFDE9CA98C763CCB07C2B0A7AFB9959947A800278C99E40A30DE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
3972
WINWORD.EXE
9.53.99.47:80
US
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TomMarslandResume.docm