analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Quote.doc

Full analysis: https://app.any.run/tasks/cd4817a4-0077-4caa-a631-1f05796d64b0
Verdict: Malicious activity
Analysis date: February 18, 2019, 21:38:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

591D5522B129A5BEEA9466470C66B244

SHA1:

754B8F0B633A3E16B35DCB5255E4E09F2C059E01

SHA256:

3026B40C84B30CA910DFA0B44B439BDA352BB5691828A56E51798A3C1BDC0566

SSDEEP:

1536:aBsG2OiYC8XnxdHoP13Gm+xaA2KUm4MSRh2radcnGa:alhiYC8Tv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3472)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3472)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2976)
    • Application was crashed

      • EQNEDT32.EXE (PID: 3472)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Windows User
LastModifiedBy: Windows User
CreateDate: 2019:01:20 14:19:00
ModifyDate: 2019:01:20 14:19:00
RevisionNumber: 2
TotalEditTime: -
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 85
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Quote.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3472"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Total events
1 405
Read events
734
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6AFF.tmp.cvr
MD5:
SHA256:
2976WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:AAECCC94E3ECDA32925DF38101B107AE
SHA256:6098494583438F2C06D94E99F7A7D02D962683B62FA41223DC27CFA126DDFF9E
3472EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:A710D644C930DE168BB5B14B42CF0DB3
SHA256:18DB63739D7FE921A5CD4DF6D6C7D4416474C015B93F6F796930F10C99147377
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$Quote.docpgc
MD5:432837867A7FB33A57619B1F2484F2C5
SHA256:C5DAC4FD75735ECBDAA5672AC8A7BAFB356433BA551B732753CA48892EEFE661
3472EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3472
EQNEDT32.EXE
GET
403
88.86.121.71:80
http://www.novatisk.cz/obrazky/q/_output23E2830111111.jpg
CZ
html
301 b
malicious
3472
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2NcX0hZ
US
html
144 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3472
EQNEDT32.EXE
88.86.121.71:80
www.novatisk.cz
SuperNetwork s.r.o.
CZ
suspicious
3472
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
www.novatisk.cz
  • 88.86.121.71
malicious

Threats

PID
Process
Class
Message
3472
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info