analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx

Full analysis: https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 26, 2019, 02:03:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
trojan
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

845D7CA39D9E6DC4D2B099DE6CA7808A

SHA1:

8C3216DBBB9CBBF151E01C577782A3B9976B7C06

SHA256:

01D85719C5FEC354431881F304307BB5521ECF6CB50EEC4D3EC40D103DD3D3AE

SSDEEP:

1536:6VvOYQAh8AQExMovYHFASgx1GPrioVJmSNxXdk:CPVh8/+NQHGSgHGz1DNxXdk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2068)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2068)

    • Application was dropped or rewritten from another process

      • wine.exe (PID: 2564)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2068)
      • explorer.exe (PID: 3560)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2068)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2068)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3368)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: -
Subject: -
Title: -

XML

ModifyDate: 2019:08:07 10:05:00Z
CreateDate: 2018:10:22 04:24:00Z
RevisionNumber: 1
LastModifiedBy: -
Keywords: -
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 12929
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 25
Lines: 91
DocSecurity: None
Application: Microsoft Office Word
Characters: 11021
Words: 1933
Pages: 6
TotalEditTime: -
Template: F5B0B47F.txt

ZIP

ZipFileName: _rels/.rels
ZipUncompressedSize: 590
ZipCompressedSize: 234
ZipCRC: 0xb71a911e
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe eqnedt32.exe cmd.exe no specs explorer.exe no specs explorer.exe no specs wine.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3368"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2068"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3684cmd /c explorer %userprofile%\wine.exeC:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2436explorer C:\Users\admin\wine.exeC:\Windows\explorer.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3560C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2564"C:\Users\admin\wine.exe" C:\Users\admin\wine.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 171
Read events
815
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
24
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9C35.tmp.cvr
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso9F53.tmp
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{3EEF5842-FF54-4530-804D-7112DB5B1E56}
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{2575BAE7-EBB6-49F3-BF91-2E28501D9F7A}
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:CE6AC01A0AB5C6FA825BEBA8B6F06BA3
SHA256:F75740FDBF14C5295F71144C3C734E236C4FBF71D3F56D77D23886EFFFC6B9B7
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\kb8989476[1].txttext
MD5:A0C39CE84DE41626A38B251F4CA516D1
SHA256:51DFA1D8C62598B0D03F77FAA57887DCDEB0075216C35F5018609FBCB82C8672
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:9A61B50983802233A969744C82349E0C
SHA256:45AA81E6D115408B1C5FEBACCA45B2C84971E81C103AA1DBBD2E88FFA5B8CFC3
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{84B9BB91-A0CB-497B-8610-1BEC9DFC41CB}.FSDbinary
MD5:502772EBCE75605626A560358DF55A8A
SHA256:358E21927CCC33765EA6B09B9425BCC8777A4A795A54EA9845DC0E97E7D71051
3368WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:62F2DA178DD59EBA6B61EE250E55F925
SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:F0320F42D134FE2EEA3DD204CCC93A66
SHA256:7AA4F723734018DF36B06C19C1EA1641EECEF88ACD69336364004008A88DCCD1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3368
WINWORD.EXE
GET
200
156.67.222.128:80
http://cloud-storage-service.com/pub/officex32x64/kb8989476
CY
text
3.11 Kb
malicious
2068
EQNEDT32.EXE
GET
200
156.67.222.128:80
http://office360-pub.16mb.com/1277654-ADDFC-9A343C3A91D/YARDY/8a.html
CY
malicious
3368
WINWORD.EXE
HEAD
200
156.67.222.128:80
http://cloud-storage-service.com/pub/officex32x64/kb8989476
CY
compressed
3.11 Kb
malicious
2068
EQNEDT32.EXE
GET
200
156.67.222.128:80
http://office360-pub.16mb.com/1277654-ADDFC-9A343C3A91D/YARDY/IMG_5.gif
CY
image
706 b
malicious
2068
EQNEDT32.EXE
GET
200
156.67.222.128:80
http://noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl
CY
executable
42.6 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3368
WINWORD.EXE
156.67.222.128:80
cloud-storage-service.com
Hostinger International Limited
CY
malicious
2068
EQNEDT32.EXE
156.67.222.128:80
cloud-storage-service.com
Hostinger International Limited
CY
malicious
984
svchost.exe
156.67.222.128:80
cloud-storage-service.com
Hostinger International Limited
CY
malicious

DNS requests

Domain
IP
Reputation
cloud-storage-service.com
  • 156.67.222.128
malicious
office360-pub.16mb.com
  • 156.67.222.128
malicious
noitfication-office-client.890m.com
  • 156.67.222.128
malicious

Threats

PID
Process
Class
Message
3368
WINWORD.EXE
A Network Trojan was detected
MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit
2068
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2068
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2068
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Possible Windows executable sent when remote host claims to send a Text File
2068
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx