analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

00da193de8fe7a3abcf0cea0ad7fc631bb6ae0eb0f135a180f4d4b9921eae1bf.docx

Full analysis: https://app.any.run/tasks/e8c92b8a-71e2-49d3-8f40-7d12462ec32f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 19, 2020, 22:33:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

A3B6FE0AB49DC6A090CECDC032082FE6

SHA1:

36674FAD8D858141B0018D7F11957DB4755E26EA

SHA256:

00DA193DE8FE7A3ABCF0CEA0AD7FC631BB6AE0EB0F135A180F4D4B9921EAE1BF

SSDEEP:

192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBC+h1wVSA:aNxUyn0i13LROEiOLkX6Ujnw+35EVSA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 4092)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 3980)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 4092)

    • Executed via COM

      • EQNEDT32.EXE (PID: 4092)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 4092)

  • INFO

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2244)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2244)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: HP 15
Subject: -
Title: -

XML

ModifyDate: 2018:03:07 09:39:00Z
CreateDate: 2018:03:07 09:39:00Z
RevisionNumber: 3
LastModifiedBy: HP 15
Keywords: -
AppVersion: 15
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 5
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 5
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1312
ZipCompressedSize: 346
ZipCRC: 0x6cd2a4df
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe vbc.exe no specs regasm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2244"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\00da193de8fe7a3abcf0cea0ad7fc631bb6ae0eb0f135a180f4d4b9921eae1bf.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4092"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3980"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Sad
Exit code:
0
Version:
0.0.0.0
2100"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exevbc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.7.3062.0 built by: NET472REL1
Total events
2 140
Read events
1 030
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
24
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
2244WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4BA7.tmp.cvr
MD5:
SHA256:
2244WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{174D883C-B180-49D8-8474-AD27EBFE7B75}
MD5:
SHA256:
2244WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{8062FFA4-CBBC-4C9A-AF5F-A9897B72EA64}
MD5:
SHA256:
2244WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0A79D5AA4B92D5451B95C26B7A997639
SHA256:3E0AFBD5AA4AF9630F718692721908FFF6CF2A0A68BF284C5FF2D82C0FCC1D0C
2244WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:31B48BE390EFF0CE0633E1B55598233F
SHA256:25F5940843DBF6D28569307573A7E2BE74F8695C2D4038AC34D85B1711C00D7D
2244WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B386C972-836E-4A32-ADAB-25BDDC73E44A}.FSDbinary
MD5:0A4E287A833CBB62052340157845C603
SHA256:49E9E5D5AA91442A39602C60490A6D2FA8AE045F57DB508AF59ED6829E611F4E
4092EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\aaa[1].exeexecutable
MD5:FAF16B50E72D67AEEB8DD7EFB8310C11
SHA256:B38C5A2C106B04D1805AA03191E30458FAA8B2FDBB169301E55DFDFED4C839D5
2244WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:1BDDB15F53BA0D0B5A84E4E7416321F7
SHA256:DD76A048D99794B70E6FC614B9DAA3437EF292C49762F355E0D0284B65339FA5
2244WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDC50B52.doctext
MD5:98C0CB1FEB2EE5FF220205CBBD6203AF
SHA256:82E6327077CF19985D46A98EC9E6AAFDE20F33377FEE1B8A6C7154AF475F0531
4092EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:FAF16B50E72D67AEEB8DD7EFB8310C11
SHA256:B38C5A2C106B04D1805AA03191E30458FAA8B2FDBB169301E55DFDFED4C839D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2244
WINWORD.EXE
OPTIONS
302
107.173.219.115:80
http://totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu/
US
suspicious
2244
WINWORD.EXE
HEAD
200
107.173.219.115:80
http://totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu/document.doc
US
suspicious
4092
EQNEDT32.EXE
GET
200
107.173.219.115:80
http://107.173.219.115/aaa.exe
US
executable
573 Kb
suspicious
2244
WINWORD.EXE
GET
200
107.173.219.115:80
http://totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu/document.doc
US
text
8.88 Kb
suspicious
2244
WINWORD.EXE
HEAD
200
107.173.219.115:80
http://totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu/document.doc
US
text
8.88 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2244
WINWORD.EXE
107.173.219.115:80
totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu
ColoCrossing
US
suspicious
4092
EQNEDT32.EXE
107.173.219.115:80
totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu
ColoCrossing
US
suspicious
840
svchost.exe
107.173.219.115:80
totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu
ColoCrossing
US
suspicious

DNS requests

Domain
IP
Reputation
totalbusinesnetworkforinternationalwordfiletransfer.ydns.eu
  • 107.173.219.115
suspicious

Threats

PID
Process
Class
Message
4092
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
4092
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
4092
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
4092
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4092
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
4092
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
00da193de8fe7a3abcf0cea0ad7fc631bb6ae0eb0f135a180f4d4b9921eae1bf.docx