File name:

1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx

Full analysis: https://app.any.run/tasks/373fb38c-724d-40dc-861c-5bd1cf346d0c
Verdict: Malicious activity
Analysis date: January 09, 2024, 04:49:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
cve-2022-30190
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

8F83D19C2EFC062E8983BCE83062C9B6

SHA1:

C50CAA49156A1CE5CFB2DF20AB3A5292E81C54BF

SHA256:

1A88EF58675971EB18EEB267B1BE90594CD6C7EBDDF1C67D66729FA3E68DE323

SSDEEP:

1536:KKHsVWfpz9/Y5quKHOtVTgBriZ1x5bpjxLPHYs4JZ2zHwVBxQQskwHGRxJPXL:bsCZY5vKHO2y3ZV92Z2A8krj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CVE-2022-30190 detected

      • WINWORD.EXE (PID: 2184)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Connection from MS Office application

      • WINWORD.EXE (PID: 2184)

    • An automatically generated document

      • WINWORD.EXE (PID: 2184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:12:22 10:38:02
ZipCRC: 0xbd826b99
ZipCompressedSize: 247
ZipUncompressedSize: 737
ZipFileName: _rels/.rels

XML

Template: Normal
TotalEditTime: -
Application: Microsoft Office Word
DocSecurity: None
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
CreateDate: 2023:12:22 07:05:15Z
ModifyDate: 2023:12:22 07:05:15Z
Created: 2023:07:13 00:00:00Z
Creator: Microsoft® Word 2016
LastSaved: 2023:12:22 00:00:00Z
Producer: Microsoft® Word 2016

XMP

Creator: BMCR
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
2184"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
8 137
Read events
7 661
Write events
346
Delete events
130

Modification events

(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(2184) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
0
Suspicious files
20
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR127A.tmp.cvr
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8770C33317C5790B03C081955735496E
SHA256:35808AE9D550EB490CBE6D5A028FC6735B2866CBE713B2850D89C959807E3FA8
2184WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:772AA99E6E44D9EDBB5D757FC31B6EC7
SHA256:74C812AFEA443E2C144D1490528E36B8B9584BB10B8159F57A2537CFB88BD714
2184WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2184WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:D471A0BB5F0B8A9AC834E0172491B7F9
SHA256:418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
2184WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E453791F50C2565C62E7A617E9E7F8B1binary
MD5:7D167577E55F69FC615862AC10022F03
SHA256:2E0C4D5F6F8571110F872D84DF5B6A6E210E268D56FD2D8DB1DB496181FDCDF9
2184WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:53C63D5E50E709E74D507C951BE8ECCD
SHA256:95A5CE7C2F5989774AB8DAC4F0C16BBA580C3E587D762E040FE11CB24C534F44
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{8435F071-E3BC-4BC1-B113-E2D1CF374953}binary
MD5:53C63D5E50E709E74D507C951BE8ECCD
SHA256:95A5CE7C2F5989774AB8DAC4F0C16BBA580C3E587D762E040FE11CB24C534F44
2184WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{005C1D11-DDBE-4D06-B8CA-FFCD914FA7F3}.FSDbinary
MD5:5C8A9318092CE7914F948FED33422F49
SHA256:6C11DF886F8E97A2D945D8F68A25827A87091FCA990A2D22B394539D6333719B
2184WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:D471A0BB5F0B8A9AC834E0172491B7F9
SHA256:418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2184
WINWORD.EXE
GET
200
23.216.77.45:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7760b01246c60573
unknown
compressed
65.2 Kb
unknown
2184
WINWORD.EXE
GET
200
23.216.77.45:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9136cf2b23e1ddd6
unknown
compressed
4.66 Kb
unknown
2184
WINWORD.EXE
GET
200
184.24.77.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D
unknown
binary
5 b
unknown
2184
WINWORD.EXE
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
binary
717 b
unknown
1080
svchost.exe
GET
304
41.63.96.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eca8823d6d0692d6
unknown
unknown
2184
WINWORD.EXE
GET
200
184.24.77.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D
unknown
binary
5 b
unknown
2184
WINWORD.EXE
GET
200
184.24.77.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D
unknown
binary
5 b
unknown
2184
WINWORD.EXE
GET
200
184.24.77.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSixgRoFMqete6sDJO5S35DAw%3D%3D
unknown
binary
5 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2184
WINWORD.EXE
77.83.196.59:443
moitt-gov-pk.fia-gov.net
HZ Hosting Ltd
PL
unknown
2184
WINWORD.EXE
23.216.77.45:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
2184
WINWORD.EXE
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
2184
WINWORD.EXE
184.24.77.48:80
r3.o.lencr.org
Akamai International B.V.
DE
unknown
828
svchost.exe
77.83.196.59:443
moitt-gov-pk.fia-gov.net
HZ Hosting Ltd
PL
unknown
1080
svchost.exe
41.63.96.128:80
ctldl.windowsupdate.com
LLNW
ZA
unknown

DNS requests

Domain
IP
Reputation
moitt-gov-pk.fia-gov.net
  • 77.83.196.59
malicious
ctldl.windowsupdate.com
  • 23.216.77.45
  • 23.216.77.69
  • 41.63.96.128
  • 41.63.96.0
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r3.o.lencr.org
  • 184.24.77.48
  • 184.24.77.67
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323.docx