analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

invoice_284615.doc

Full analysis: https://app.any.run/tasks/caf6a15c-1ca4-4f93-91f1-ecdcbee6e0bf
Verdict: Malicious activity
Analysis date: December 06, 2018, 13:09:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
macros-on-close
generated-doc
evasion
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: 444555, Template: Normal.dotm, Last Saved By: win7home, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 1 13:17:00 2018, Last Saved Time/Date: Mon Oct 1 13:17:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 20, Security: 0
MD5:

41A3101AF94FCA79BBDB0DB2A52994C0

SHA1:

103DC7E3100963F31C2280B129D8280B22194C72

SHA256:

E2B0C9F57DCF08C0E14456F5CB54D8E50714C8E7A3A88CF818896DC8BA1DBA51

SSDEEP:

3072:uJRZnZD2qmeocGqScjptqeJKbzB1FtDLQSQPpyaZ09o:IRZV2d/c2aCDLQ1UaZ0G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2920)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2920)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2920)
    • Application was dropped or rewritten from another process

      • 6.pif (PID: 2596)
      • 6.pif (PID: 312)
      • 6.pif (PID: 3072)
      • 6.exe (PID: 2888)
      • 6.pif (PID: 2304)
      • 6.pif (PID: 2988)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3716)
  • SUSPICIOUS

    • Checks for external IP

      • 6.pif (PID: 2596)
      • 6.pif (PID: 312)
      • 6.pif (PID: 2988)
      • 6.pif (PID: 2304)
      • 6.pif (PID: 3072)
      • 6.exe (PID: 2888)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3716)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2920)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 22
Paragraphs: 1
Lines: 1
Company: Home
CodePage: Unicode (UTF-8)
Security: None
Characters: 20
Words: 3
Pages: 1
ModifyDate: 2018:10:01 12:17:00
CreateDate: 2018:10:01 12:17:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: win7home
Template: Normal.dotm
Comments: -
Keywords: -
Author: 444555
Subject: -
Title:
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
9
Malicious processes
4
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs ping.exe no specs 6.pif 6.pif 6.pif 6.pif 6.pif 6.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice_284615.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3716cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pifC:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2284ping localhost -n 100 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2596"C:\Users\admin\AppData\Local\Temp\6.pif" C:\Users\admin\AppData\Local\Temp\6.pif
explorer.exe
User:
admin
Integrity Level:
MEDIUM
3072C:\Users\admin\AppData\Local\Temp\6.pifC:\Users\admin\AppData\Local\Temp\6.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
312"C:\Users\admin\AppData\Local\Temp\6.pif" C:\Users\admin\AppData\Local\Temp\6.pif
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2304"C:\Users\admin\AppData\Local\Temp\6.pif" C:\Users\admin\AppData\Local\Temp\6.pif
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2988"C:\Users\admin\AppData\Local\Temp\6.pif" C:\Users\admin\AppData\Local\Temp\6.pif
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2888"C:\Users\admin\AppData\Local\Temp\6.exe" C:\Users\admin\AppData\Local\Temp\6.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Total events
1 160
Read events
1 004
Write events
145
Delete events
11

Modification events

(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:{3?
Value:
7B333F00680B0000010000000000000000000000
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2920) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1300627479
(PID) Process:(2920) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1300627600
(PID) Process:(2920) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1300627601
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
680B00003A792AE6648DD40100000000
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:%5?
Value:
25353F00680B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:%5?
Value:
25353F00680B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2920) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
2
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA7FB.tmp.cvr
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\5C.pif
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFCF0E9030CA4152CE.TMP
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~WRD0000.tmp
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF285F7D30D694689A.TMP
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25767B51-AD78-45BF-9307-35F1A614BC10}.tmp
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{289ADA63-D605-41B5-9F74-B2AFC2E1D859}.tmp
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27919C22-08C8-4544-81EB-80EA9121C873}.tmp
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFA399618D5B0D5698.TMP
MD5:
SHA256:
2920WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{124A6245-1F54-40B2-980C-B47854135964}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3072
6.pif
GET
200
50.16.248.221:80
http://api.ipify.org/
US
text
15 b
shared
2988
6.pif
GET
200
50.16.248.221:80
http://api.ipify.org/
US
text
15 b
shared
312
6.pif
GET
200
50.16.248.221:80
http://api.ipify.org/
US
text
15 b
shared
2304
6.pif
GET
200
50.16.248.221:80
http://api.ipify.org/
US
text
15 b
shared
2888
6.exe
GET
200
50.16.248.221:80
http://api.ipify.org/
US
text
15 b
shared
2596
6.pif
GET
200
23.23.114.123:80
http://api.ipify.org/
US
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2596
6.pif
23.23.114.123:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted
3072
6.pif
50.16.248.221:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted
2304
6.pif
50.16.248.221:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted
312
6.pif
50.16.248.221:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted
2988
6.pif
50.16.248.221:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted
2888
6.exe
50.16.248.221:80
api.ipify.org
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 23.23.114.123
  • 23.21.121.219
  • 54.221.234.215
  • 54.204.36.156
  • 50.16.248.221
  • 54.243.123.39
shared
perranrowsin.com
malicious
utteronhim.ru
malicious
heundthetrec.ru
unknown

Threats

PID
Process
Class
Message
2596
6.pif
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
3072
6.pif
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
312
6.pif
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2304
6.pif
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2988
6.pif
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2888
6.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
Process
Message
6.pif
d
6.pif
d
6.pif
d
6.pif
d
6.pif
d
6.exe
d