File name: Bank Swift Copy.docx

Full analysis: https://app.any.run/tasks/5c3887c0-287c-4b0c-9486-8dd4c4ec8148
Verdict: Malicious activity
Analysis date: November 14, 2024, 14:53:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 3F9AE2B975CEC92E0402D614CD2391A5
SHA1: 43D41944021358BEE6B6B48594D9C3F54FBAECD5
SHA256: 27A37162F8F0BAF5FE161825F8108F1F3E20BADA83C2BE08FE9919C60E4727B8
SSDEEP: 24576:DNH+U3t9xXoYhdhdhdrE4nE1fobSof8kw+9MnlmWNujnB+hYrQ5WQ:DNH+U3t9xXoYhdhdhdrE4nE1fobSof8B

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:11:14 02:01:56
ZipCRC: 0xaadb80b7
ZipCompressedSize: 399
ZipUncompressedSize: 2344
ZipFileName: [Content_Types].xml

XMP

Creator: Modexcomm

XML

LastModifiedBy: Modexcomm
RevisionNumber: 8
CreateDate: 2024:07:19 01:41:00Z
ModifyDate: 2024:11:01 13:01:00Z
Template: Normal.dotm
TotalEditTime: 19 minutes
Pages: 1
Words: 139326
Characters: 794160
Application: Microsoft Office Word
DocSecurity: None
Lines: 6618
Paragraphs: 1863
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 931623
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
Total processes: 137
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> winword.exe -> ai.exe (no specs)

Process information

PID: 4128
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bank Swift Copy.docx" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 16.0.16026.20146
Modules (images):
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 7784
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "8C4D4AE6-CF6C-43B4-93F5-4F976AB91351" "A9A1A40C-2759-4632-B15A-9870A1E94069" "4128"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code: 0
Version: 0.12.2.0
Modules (images):
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
Total events: 15 234
Read events: 14 809
Write events: 387
Delete events: 38

Modification events

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete value
Name: 0
Value: (binary data)

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete key
Name: (default)
Value:

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4128
Operation: write
Name: 0
Value: 0B0E109D867ECA2437FA43A4F4F02FA95A8E5E230046A8B7FA8CCFD4CDED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A020D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (4128) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2
Executable files: 26
Suspicious files: 158
Text files: 25
Unknown types: 2

Dropped files

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$nk Swift Copy.docx
Type: binary
MD5: 2115E503721D94E5467684CEC5196802
SHA256: 8251A33EAA8CEB15260D2AC1BAE070608A913A6F66680B4792C28D8E7D42E91C

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: binary
MD5: 32ED32328972ABFA9798099BA7292BC0
SHA256: 5FD65CD50A0579F00C656D90AB090A2181F1E65672C1EFDF2F56E36073278128

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{34204664-0CA7-4760-9FF9-3143876F2CCB}.tmp
Type: smt
MD5: 830FBF83999E052538EAF156AB6ECB17
SHA256: D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf
Type: binary
MD5: 4296A064B917926682E7EED650D4A745
SHA256: E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BF75F168-A301-40FF-B2A5-9775509E4AD2
Type: xml
MD5: E8281694D1969FC00E7EB1DC72A68583
SHA256: 2B30F52BCBB7908CF4008370425A9E7BC3FD92543282F3BCC469602446E068FA

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5: F6AE2279DF33DEA053291E534CE0F22C
SHA256: 0B2FD8940073A37F75DCC719E8688EB403E2C0BA9753687DD8B35018DDB071F2

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\07fc2a8c43a1d1f16572d21e959a4847e306edae.temp
Type: binary
MD5: 8D9328B8547C7F2B4B092633CA7C65D9
SHA256: 03CF832A7C8FB7F11D47892BDDBEE3435AD3801086ACACB111211771F30CD74C

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Type: text
MD5: F965EA7954DE5AB34AF6B04A36BEB6E9
SHA256: B9163A19656A370B54DA7BA2FCAFB14C952FA8B67B8F356717437276393CF4BD

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\data.json
Type: binary
MD5: 8D9328B8547C7F2B4B092633CA7C65D9
SHA256: 03CF832A7C8FB7F11D47892BDDBEE3435AD3801086ACACB111211771F30CD74C

PID: 4128
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\xXdquUOrM1vD3An[1].doc
Type: text
MD5: 2087DE574FEFAE441DB7CED132DA6407
SHA256: DC8AE41681FDF19ABCF62B27B3D8359C32BA6F20BEE1E24B7CE9B37D4FAEBE8B
HTTP(S) requests: 21
TCP/UDP connections: 85
DNS requests: 33
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4128 | WINWORD.EXE | OPTIONS | 200 | 87.120.84.39:80 | http://87.120.84.39/txt/ | unknown | unknown
4128 | WINWORD.EXE | OPTIONS | 200 | 87.120.84.39:80 | http://87.120.84.39/txt/ | unknown | unknown
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4128 | WINWORD.EXE | HEAD | 200 | 87.120.84.39:80 | http://87.120.84.39/txt/xXdquUOrM1vD3An.doc | unknown | unknown
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4128 | WINWORD.EXE | GET | 200 | 87.120.84.39:80 | http://87.120.84.39/txt/xXdquUOrM1vD3An.doc | unknown | unknown
4128 | WINWORD.EXE | HEAD | 200 | 87.120.84.39:80 | http://87.120.84.39/txt/xXdquUOrM1vD3An.doc | unknown | unknown
6384 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2464 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4128 | WINWORD.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4128 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178, 2.16.164.24, 2.16.164.114, 2.16.164.34, 2.16.164.40, 2.16.164.17, 2.16.164.106 | whitelisted
google.com | 142.250.181.238 | whitelisted
www.microsoft.com | 184.30.21.171, 88.221.169.152 | whitelisted
officeclient.microsoft.com | 52.109.76.240 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
www.bing.com | 104.126.37.130, 104.126.37.136, 104.126.37.185, 104.126.37.137, 104.126.37.176, 104.126.37.129, 104.126.37.131, 104.126.37.123, 104.126.37.186 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
r.bing.com | 104.126.37.137, 104.126.37.144, 104.126.37.153, 104.126.37.160, 104.126.37.145, 104.126.37.155, 104.126.37.154, 104.126.37.136, 104.126.37.139 | whitelisted
th.bing.com | 104.126.37.137, 104.126.37.144, 104.126.37.153, 104.126.37.160, 104.126.37.145, 104.126.37.155, 104.126.37.154, 104.126.37.136, 104.126.37.139 | whitelisted

Threats

PID | Process | Class | Message
4128 | WINWORD.EXE | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 10
4128 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
4128 | WINWORD.EXE | Potentially Bad Traffic | ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
4128 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header
4128 | WINWORD.EXE | Potentially Bad Traffic | ET HUNTING Microsoft Office User-Agent Requesting A Doc File
4128 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
4128 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
4128 | WINWORD.EXE | Misc activity | ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.