File name: gd.docx
Full analysis: https://app.any.run/tasks/1426d4a0-3b3b-43f1-8182-e6a9a7cdcb04
Verdict: Malicious activity
Analysis date: January 23, 2019, 11:04:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 8FC06AE874C24934487CF0145DE38879
SHA1: 4CFFD573CF8FE074B2A88121EEA87882703B1310
SHA256: E02D74EAB1D170F441DD55AFFD19BE0DC1EE2F785AA5E21805523DA1498CB10D
SSDEEP: 192:rDGt2GoTEX8uyMtWNYc0mqQTnhr5OyQT1QpP55QVbFTB8GoA6aGkWlms:rDGt/vsuyMtiYeLOyQT1QpDQvdq3ms

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3012)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3012)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3012)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ Matrix in the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: Microsoft

XML

ModifyDate: 2017:09:24 17:27:00Z
CreateDate: 2017:09:24 17:26:00Z
RevisionNumber: 1
LastModifiedBy: Microsoft
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 7
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs:
  • Название
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 7
Words: 1
Pages: 1
TotalEditTime: 1 minute
Template: dotm.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1422
ZipCompressedSize: 358
ZipCRC: 0x82872409
ZipModifyDate: 2019:01:22 09:33:08
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 31
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winword.exe

Process information

PID | CMD | Path | Parent process
3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\gd.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 280
Read events: 251
Write events: 28
Delete events: 1

Modification events

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: 52,
Value: 35322C00C40B0000010000000000000000000000

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1312227351

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1312227472

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1312227473

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: C40B0000DC1CC57A0BB3D40100000000

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: w4,
Value: 77342C00C40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: w4,
Value: 77342C00C40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3012) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 0
Suspicious files: 24
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA25.tmp.cvr |
  MD5:
  SHA256:
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{4DE96153-8D1D-43A1-8CA1-0250456188D0} |
  MD5:
  SHA256:
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{B03A125E-8298-4F04-B580-4E592FBA81D1} |
  MD5:
  SHA256:
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C204AACB-E338-47C0-A877-4646010FEB06}.FSD | binary
  MD5: 62D0E6BF6176C1FD1222BE9969E9C5A7
  SHA256: B81261CCA8A184F4C94962AC90573FBBEF1E13E0B9CF81BCC2CF93856B25043F
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
  MD5: 379B7A780787F681EC0B34A62569B4A0
  SHA256: 8B409C69A8F2E1E8F52F6CE2040F9BE15B38A3DC0CB7D49B909FC25F9F276AAC
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E0DA57D5-0196-4351-9168-35B6F27FFFE5}.FSD | binary
  MD5: F7A92831F03764AC95AECED71FD780CA
  SHA256: C0934833C0DC2AD6B486DF72D1DC8998FB89BCBF9DB2E67208DA1716E5F41E3A
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
  MD5: F8898957A71622D7DC1DC692A25BB41F
  SHA256: B3834F41BAB99224637530FB756998C51A0095D999A59B693EA35B03168D61D9
3012 | WINWORD.EXE | C:\Users\admin\Desktop\~$gd.docx | pgc
  MD5: 14B4E97FE1E5751BB649F9E1B35A5311
  SHA256: 3013CCFC5B4E55203843112A4AA1655C2E7AE4AB683F8F6A11C61BA3F3EA240A
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary
  MD5: 497E1AD127A8ABBFE00D98C31D379CD7
  SHA256: 7BD9A49D66C5DD1EFF70D156F00D4FF99DC350442B7BB0865B9683AC9BBE07ED
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\good[1].rtf | text
  MD5: A29F2FE230C0CDA79A58E5E17F99DEB6
  SHA256: 0FC922E74C4FEF1E429497DA9A8B9CB88B69DBC3F2DF8B0B15CE26ED1F7B44C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 6
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | | | malicious
3012 | WINWORD.EXE | OPTIONS | 200 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | | | malicious
976 | svchost.exe | OPTIONS | 200 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | | | malicious
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | text | 69.3 Kb | malicious
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | | | malicious
976 | svchost.exe | PROPFIND | | 194.36.173.46:80 | http://194.36.173.46/ | unknown | | | malicious
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious
3012 | WINWORD.EXE | GET | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | text | 69.3 Kb | malicious
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3012 | WINWORD.EXE | 194.36.173.46:80 | | | | malicious
976 | svchost.exe | 194.36.173.46:80 | | | | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
3012 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
No debug info