File name: CONTRACT11072018.doc
Full analysis: https://app.any.run/tasks/4206eb80-65cf-47e1-9d00-3474f6b79178
Verdict: Malicious activity
Analysis date: November 08, 2018, 09:29:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Brian Fitzsimmons, Author: Microsoft, Template: Normal, Last Saved By: Laane, Sten, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Last Printed: Thu Sep 27 05:36:00 2018, Create Time/Date: Wed Oct 10 18:41:00 2018, Last Saved Time/Date: Wed Nov 7 09:42:00 2018, Number of Pages: 1, Number of Words: 74, Number of Characters: 427, Security: 0
MD5: 3A04A92E12CF1CE50BD868F0C73B08AB
SHA1: F4B0BE2BFEF388860336CF8138A35F4F17400655
SHA256: F95DCFD2D7D9F33176C53DA20D0E8233D52FF6A6843FDA2995741487080AEEE6
SSDEEP: 768:/9pTw0t7lChKtIzgXQsGlozNO3Z+1o9IzwA:lpM0t7kZUBGqBOp+a9i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • WINWORD.EXE (PID: 3668)
    • Reads internet explorer settings
      • WINWORD.EXE (PID: 3668)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 3052)
    • Creates files in the user directory
      • iexplore.exe (PID: 3468)
      • WINWORD.EXE (PID: 3668)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3052)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3468)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3468)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3668)
    • Changes internet zones settings
      • iexplore.exe (PID: 3052)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3052)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Hyperlinks:
  • http://ranadac.ro/analyticskjctlvxem/office/index.htm
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: Brian Fitzsimmons
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 500
Paragraphs: 1
Lines: 3
Company: Microsoft
Security: None
Characters: 427
Words: 74
Pages: 1
ModifyDate: 2018:11:07 09:42:00
CreateDate: 2018:10:10 17:41:00
LastPrinted: 2018:09:27 04:36:00
TotalEditTime: 6.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: Laane, Sten
Template: Normal
Keywords: -
Author: Microsoft
Subject: -
Title: Brian Fitzsimmons
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start winword.exe iexplore.exe iexplore.exe

Process information

PID: 3668
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CONTRACT11072018.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3052
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3468
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3052 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 554
Read events: 1 148
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 12
Unknown types: 4

Dropped files

PID 3668 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVR2FC5.tmp.cvr
PID 3052 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
PID 3052 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PID 3668 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\~DFC9B6244D4034045B.TMP
PID 3468 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\index2[1].php
PID 3468 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\index[1].htm
  Type: html
  MD5: C02D1D743D742A0E6321B83237E2FD36
  SHA256: 5AAAF19B68B5E7EC8FA8E289716886BAD68873B6A98E3F7DDBFEA6F5B58FFEA7
PID 3668 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\~$NTRACT11072018.doc
  Type: pgc
  MD5: 0D37D915199F12028458A0BB828C861D
  SHA256: 0F20F96A84F999A5A9B2453E0B2CE3A2E2CC96C9286B5289559A62665EBAAA26
PID 3052 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110820181109\index.dat
  Type: dat
  MD5: 53A54956B4A78F365FD21CDE3B364A5B
  SHA256: 01FA4E5C558FBA3B21D68C426E927737EF507DEA945106B4506C84B48AE301F7
PID 3468 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\index2[1].htm
  Type: html
  MD5: E6F35AC9416CDB7DAABD1F492AF08D16
  SHA256: 083D5199EFEF194A8E05A40CE53D7918570E5D7896606BBE6978C2A6B4EC178E
PID 3468 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\ConvergedLogin_PCore[1].js
  Type: text
  MD5: 9228676AD7631F135F2706A15BC32F1B
  SHA256: 6CCD4A3B849014B27E2FBA0EEF0638A6F163FB5916732E60813C5451025F54F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 9
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3668 | WINWORD.EXE | GET | 200 | 92.114.95.146:80 | http://ranadac.ro/analyticskjctlvxem/office/index.htm | RO | html | 5.64 Kb | malicious
3468 | iexplore.exe | GET | 200 | 92.114.95.146:80 | http://ranadac.ro/analyticskjctlvxem/office/index.htm | RO | html | 5.64 Kb | malicious
3468 | iexplore.exe | POST | 200 | 92.114.95.146:80 | http://ranadac.ro/analyticskjctlvxem/office/index2.php | RO | html | 6.24 Kb | malicious
3052 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3468 | iexplore.exe | POST | - | 92.114.95.146:80 | http://ranadac.ro/analyticskjctlvxem/office/info.php | RO | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3052 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3668 | WINWORD.EXE | 92.114.95.146:80 | ranadac.ro | T-Mobile Czech Republic a.s. | RO | suspicious
3468 | iexplore.exe | 52.97.133.242:443 | outlook.office365.com | Microsoft Corporation | US | whitelisted
3468 | iexplore.exe | 104.111.245.227:443 | auth.gfx.ms | Akamai International B.V. | NL | whitelisted
3052 | iexplore.exe | 104.111.245.227:443 | auth.gfx.ms | Akamai International B.V. | NL | whitelisted
3468 | iexplore.exe | 92.114.95.146:80 | ranadac.ro | T-Mobile Czech Republic a.s. | RO | suspicious

DNS requests

Domain | IP | Reputation
ranadac.ro | 92.114.95.146 | malicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
auth.gfx.ms | 104.111.245.227 | whitelisted
outlook.office365.com | 52.97.133.242, 52.97.133.146, 52.97.129.226, 40.100.174.226 | whitelisted

Threats

PID | Process | Class | Message
3668 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Microsoft Live Phishing Landing
3668 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing M1 2018-04-19
3668 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing 2018-08-07
3468 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Microsoft Live Phishing Landing
3468 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing M1 2018-04-19
3468 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing 2018-08-07
3468 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Microsoft Live Phishing Landing
3468 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing M1 2018-04-19
3468 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Microsoft Account Phishing Landing 2018-08-07
3468 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains passwd= in cleartext
No debug info