File name: 1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx

Full analysis: https://app.any.run/tasks/373fb38c-724d-40dc-861c-5bd1cf346d0c
Verdict: Malicious activity
Analysis date: January 09, 2024, 04:49:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, cve-2022-30190
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 8F83D19C2EFC062E8983BCE83062C9B6
SHA1: C50CAA49156A1CE5CFB2DF20AB3A5292E81C54BF
SHA256: 1A88EF58675971EB18EEB267B1BE90594CD6C7EBDDF1C67D66729FA3E68DE323
SSDEEP: 1536:KKHsVWfpz9/Y5quKHOtVTgBriZ1x5bpjxLPHYs4JZ2zHwVBxQQskwHGRxJPXL:bsCZY5vKHO2y3ZV92Z2A8krj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CVE-2022-30190 detected

      • WINWORD.EXE (PID: 2184)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • An automatically generated document

      • WINWORD.EXE (PID: 2184)
    • Connection from MS Office application

      • WINWORD.EXE (PID: 2184)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:12:22 10:38:02
ZipCRC: 0xbd826b99
ZipCompressedSize: 247
ZipUncompressedSize: 737
ZipFileName: _rels/.rels

XML

Template: Normal
TotalEditTime: -
Application: Microsoft Office Word
DocSecurity: None
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
CreateDate: 2023:12:22 07:05:15Z
ModifyDate: 2023:12:22 07:05:15Z
Created: 2023:07:13 00:00:00Z
Creator: Microsoft® Word 2016
LastSaved: 2023:12:22 00:00:00Z
Producer: Microsoft® Word 2016

XMP

Creator: BMCR
No data.
Total processes: 39
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start winword.exe

Process information

PID: 2184
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 20
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR127A.tmp.cvr | -
  MD5: -
  SHA256: -
2184 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 8770C33317C5790B03C081955735496E
  SHA256: 35808AE9D550EB490CBE6D5A028FC6735B2866CBE713B2850D89C959807E3FA8
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Cab1A3B.tmp | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2184 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 772AA99E6E44D9EDBB5D757FC31B6EC7
  SHA256: 74C812AFEA443E2C144D1490528E36B8B9584BB10B8159F57A2537CFB88BD714
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx | binary
  MD5: 166F52A856E4A6EE93278D31DBAB6369
  SHA256: 753B2308A66D65B57DCC10A0B964AE5EE8698C62C6E4E1BDF4F693E8C1BC4EB0
2184 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
2184 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{23DC507B-DEE4-493A-9C3B-6B700EFA4D0E} | binary
  MD5: D6E6DAE6CA2551D2F279B7AC1FEB9144
  SHA256: ED6E20236FBCD83A1C8815EF7A94105A97C78F1248A5AAD97F8C82FAFA5DD457
2184 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E453791F50C2565C62E7A617E9E7F8B1 | binary
  MD5: 7D167577E55F69FC615862AC10022F03
  SHA256: 2E0C4D5F6F8571110F872D84DF5B6A6E210E268D56FD2D8DB1DB496181FDCDF9
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{8435F071-E3BC-4BC1-B113-E2D1CF374953} | binary
  MD5: 53C63D5E50E709E74D507C951BE8ECCD
  SHA256: 95A5CE7C2F5989774AB8DAC4F0C16BBA580C3E587D762E040FE11CB24C534F44
HTTP(S) requests: 8
TCP/UDP connections: 23
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2184 | WINWORD.EXE | GET | 200 | 23.216.77.45:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9136cf2b23e1ddd6 | unknown | compressed | 4.66 Kb | unknown
2184 | WINWORD.EXE | GET | 200 | 184.24.77.48:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D | unknown | binary | 5 b | unknown
2184 | WINWORD.EXE | GET | 200 | 184.24.77.48:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D | unknown | binary | 5 b | unknown
2184 | WINWORD.EXE | GET | 200 | 184.24.77.48:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D | unknown | binary | 5 b | unknown
1080 | svchost.exe | GET | 304 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eca8823d6d0692d6 | unknown | - | - | unknown
2184 | WINWORD.EXE | GET | 200 | 184.24.77.48:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D | unknown | binary | 5 b | unknown
2184 | WINWORD.EXE | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
2184 | WINWORD.EXE | GET | 200 | 23.216.77.45:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7760b01246c60573 | unknown | compressed | 65.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2184 | WINWORD.EXE | 77.83.196.59:443 | moitt-gov-pk.fia-gov.net | HZ Hosting Ltd | PL | unknown
2184 | WINWORD.EXE | 23.216.77.45:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
2184 | WINWORD.EXE | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
2184 | WINWORD.EXE | 184.24.77.48:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
828 | svchost.exe | 77.83.196.59:443 | moitt-gov-pk.fia-gov.net | HZ Hosting Ltd | PL | unknown
1080 | svchost.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | LLNW | ZA | unknown

DNS requests

Domain | IP | Reputation

moitt-gov-pk.fia-gov.net | 77.83.196.59 | malicious
ctldl.windowsupdate.com | 23.216.77.45, 23.216.77.69, 41.63.96.128, 41.63.96.0 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted
r3.o.lencr.org | 184.24.77.48, 184.24.77.67 | shared

Threats

No threats detected
No debug info