File name: b9a67ffb81420e68f9e5607cc200604a.docx
Full analysis: https://app.any.run/tasks/7154c084-5181-412d-806a-694afa7c3fc4
Verdict: Malicious activity
Analysis date: April 15, 2019, 08:53:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B9A67FFB81420E68F9E5607CC200604A
SHA1: 248214CC3011A70BB473DC12B0C07CB730AA04B2
SHA256: DAB2CD3DDFE29A89B3D80830C6A4950952A44B6C97A664F1E9C182318AE5F4DA
SSDEEP: 6144:EY0QYQ+rwD1vkTkCJ6AjC6w9NZsK0cabUOAZ9AJEJ:ErrOkF6Z79DUU7J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • EXCEL.EXE (PID: 2696)
      • EXCEL.EXE (PID: 1560)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • EXCEL.EXE (PID: 2696)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2696)
      • WINWORD.EXE (PID: 3704)
      • EXCEL.EXE (PID: 1560)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3704)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 213
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 183
Words: 31
Pages: 1
TotalEditTime: 1.1 hours
Template: README.txt
ModifyDate: 2019:04:07 19:21:00Z
CreateDate: 2019:04:07 18:10:00Z
RevisionNumber: 2
LastModifiedBy: I'm Negan
Keywords: -

XMP

Description: -
Creator: I'm Negan
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1553
ZipCompressedSize: 392
ZipCRC: 0xbc2b2aaa
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start winword.exe excel.exe excel.exe

Process information

PID: 3704
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b9a67ffb81420e68f9e5607cc200604a.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2696
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 1560
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Total events: 1 755
Read events: 1 299
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 26
Text files: 9
Unknown types: 4

Dropped files

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR6F30.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\{AE571005-D975-4443-9952-BEB33C125FB4}
Type: -
MD5: -
SHA256: -

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\{E16C25AB-0A9B-4E8C-9164-01C2333CB85B}
Type: -
MD5: -
SHA256: -

PID: 2696
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRC7D0.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 1560
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRAE14.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2F7F5D9E-6187-48CB-ADB1-27DBFBCC633F}.FSD
Type: binary
MD5: D15CEC2522CAECDBD633A62009B4A4D2
SHA256: F7BAC1E14279807DDA1FE1A2A08632E2A38174F2643DBC2573BE80B2AA3C5715

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Type: binary
MD5: FCFB21F6616A9EF2FA41D38D1A9D0AC4
SHA256: 959DCFBE93FB126E3F999E6DA38BB676901E784C420C0713A4FFB2C682823857

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$a67ffb81420e68f9e5607cc200604a.docx
Type: pgc
MD5: FFE63C7D4428DE7264FAD05D33CAB031
SHA256: 4DB7751F92451C3BE9804BA6F1E250151219DE05B10C2F8E159AFEB93D0C9337

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B48173B4.png
Type: -
MD5: -
SHA256: -

PID: 3704
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF623B1C5B35A02580.TMP
Type: -
MD5: -
SHA256: -
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3704 | WINWORD.EXE | GET | 200 | 23.111.134.163:80 | http://tfu.ae/README.txt | US | document | 188 Kb | suspicious
3704 | WINWORD.EXE | OPTIONS | - | 23.111.134.163:80 | http://tfu.ae/ | US | - | - | suspicious
972 | svchost.exe | OPTIONS | 301 | 23.111.134.163:80 | http://tfu.ae/ | US | - | - | suspicious
3704 | WINWORD.EXE | HEAD | 200 | 23.111.134.163:80 | http://tfu.ae/README.txt | US | - | - | suspicious
3704 | WINWORD.EXE | HEAD | 200 | 23.111.134.163:80 | http://tfu.ae/README.txt | US | document | 188 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
972 | svchost.exe | 23.111.134.163:80 | tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious
3704 | WINWORD.EXE | 23.111.134.163:80 | tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious
972 | svchost.exe | 23.111.134.163:443 | tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious

DNS requests

Domain | IP | Reputation
tfu.ae | 23.111.134.163 | suspicious

Threats

PID | Process | Class | Message
3704 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
No debug info