File name:

RuleBook.docm

Full analysis: https://app.any.run/tasks/2b18cdfc-b055-4a83-90dc-ef2035e9b5df
Verdict: Malicious activity
Analysis date: October 18, 2024, 10:03:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

2C7BF5C8B007C3BFD2ADFFB8ABC14FF3

SHA1:

391158B8CC2389E6711E94A8D7E4D0FD74283700

SHA256:

0BC4529F1664CD0939E21E99905D805BD1F5C679986CF8070AF5640198F7745F

SSDEEP:

6144:cBJoQ2ZmBYg/QeHSL0Md9HUV3ov63Fm/9J:cBJo/ZmkL0HV3hVm/n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 1792)

  • SUSPICIOUS

    • Executes application which crashes

      • WINWORD.EXE (PID: 1792)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x3f450766
ZipCompressedSize: 399
ZipUncompressedSize: 1503
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 12 minutes
Pages: 4
Words: 827
Characters: 4718
Application: Microsoft Office Word
DocSecurity: None
Lines: 39
Paragraphs: 11
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 5534
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
LastModifiedBy: HP
RevisionNumber: 9
CreateDate: 2024:09:29 13:43:00Z
ModifyDate: 2024:09:29 13:55:00Z

XMP

Creator: HP
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
1792"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\RuleBook.docm /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6824C:\WINDOWS\system32\WerFault.exe -u -p 1792 -s 7372C:\Windows\System32\WerFault.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
17 254
Read events
16 870
Write events
360
Delete events
24

Modification events

(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1792
Operation:writeName:0
Value:
0B0E10A55019EDBB1EF34F9516B06468A3277A230046AAA18B98D0A8C8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511800ED2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(1792) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
Executable files
5
Suspicious files
122
Text files
46
Unknown types
2

Dropped files

PID
Process
Filename
Type
1792WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:60B5BCAB518B8337EDC64BE06C076E42
SHA256:93746DDE76AD3FFA51C88BC2106792879ED112B77930B15136EDE760A31DBD21
1792WINWORD.EXEC:\Users\admin\Desktop\~$leBook.docmbinary
MD5:285747510D4969D4B3E01B71FB0AF59E
SHA256:7AF4EFE6CA5FBFA5D8DE4ADC89D124D2D18107F39A2366DFEA54B2F9F7FE91A2
1792WINWORD.EXEC:\Users\admin\AppData\Local\Temp\cabF0D3.tmpcompressed
MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
SHA256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
1792WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
1792WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9binary
MD5:1362A7544CDBAB97395F94BB99384A17
SHA256:175E58699B68775871D7B7EEA51415E213DEC35340C7C6CD1953CAE4D13EDA85
1792WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\RuleBook.docm.LNKbinary
MD5:B637D0B0BA56D717783B6DCE8BD53FFC
SHA256:5A246B6136B783C10A72A7AA0D4A211040F7CDB5740BB030CF8F87FA25F0EBE9
1792WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:947B600758EB91B4DBD212B77CF1E1ED
SHA256:E36B1162C6093E751B448257C2DF6FF7FF4853C60F1C00857AD17F8A0FB60841
1792WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.Sbinary
MD5:96D0CFAC0474EE7E0B7325C6C9D0EDAF
SHA256:7C4FFFC74C35D1E1BE0007883C8914B2283A2393A8453C33EED4C4671AA9F044
1792WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8D39RI7FNIY3K5JYCZIE.tempbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
1792WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:8BCDA00C9E4FB9E03680557819157E35
SHA256:AC856A03CFF3233806619ACC382C7B1FBBD5BC203BB77EF3078E7B5CFBB90DBF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
91
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1792
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
1792
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
6384
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1792
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
1792
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
1792
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1792
WINWORD.EXE
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1792
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
1792
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1792
WINWORD.EXE
2.19.126.160:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.19.217.218
whitelisted
google.com
  • 216.58.206.78
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
omex.cdn.office.net
  • 2.19.126.160
  • 2.19.126.151
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.183
  • 2.23.209.160
  • 2.23.209.176
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.158
  • 2.23.209.181
  • 2.23.209.175
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RuleBook.docm