File name: euro.doc
Full analysis: https://app.any.run/tasks/3ae758e2-dd00-4b49-b0a3-085c66f9e25c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware; the main functionality of each trojan family therefore differs significantly. The most common trojan infection chain starts with a phishing email.

Analysis date: June 27, 2022, 08:02:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, trojan, donotgroup, apt
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 18AF861C7923DF5245F462D37830B486
SHA1: D81B63F942B2A8D37671FADA1B869024F1E17811
SHA256: 41C221C4F14A5F93039DE577D0A76E918C915862986A8B9870DF1C679469895C
SSDEEP: 768:MgnpnhOjj8MxfX3EqBjLW5qoX7LICSDmjl2/cqXz3HGSSmLdMjmxPcGecWAS+DUI:MM/hwRXymLdMjiMcWpK++JsLO/mOYPvM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • DONOTGROUP was detected
      • WINWORD.EXE (PID: 2948)
    • Drops executable file immediately after starts
      • EQNEDT32.EXE (PID: 3180)
    • Loads the Task Scheduler COM API
      • EQNEDT32.EXE (PID: 3180)
    • Loads dropped or rewritten executable
      • EQNEDT32.EXE (PID: 3180)
  • SUSPICIOUS
    • Reads the computer name
      • EQNEDT32.EXE (PID: 3180)
      • WINWORD.EXE (PID: 2440)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3180)
    • Checks supported languages
      • EQNEDT32.EXE (PID: 3180)
      • WINWORD.EXE (PID: 2440)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3180)
    • Drops a file with a compile date too recent
      • EQNEDT32.EXE (PID: 3180)
  • INFO
    • Checks supported languages
      • WINWORD.EXE (PID: 2948)
    • Reads the computer name
      • WINWORD.EXE (PID: 2948)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2948)
    • Manual execution by user
      • WINWORD.EXE (PID: 2440)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2948)
      • WINWORD.EXE (PID: 2440)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)

EXIF (RTF):
InternalVersionNumber: 49247
CharactersWithSpaces: 162
Company: home
Characters: 139
Words: 24
Pages: 1
TotalEditTime: -
RevisionNumber: 2
ModifyDate: 2022:05:14 15:37:00
CreateDate: 2022:05:14 15:37:00
LastModifiedBy: ismail - [2010]
Author: Windows User
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive view in the full report): start; #DONOTGROUP winword.exe; eqnedt32.exe; winword.exe (no specs)

Process information

PID 2948: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\euro.doc.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Exit code: 0
  Version: 14.0.6024.1000

PID 3180: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2440: WINWORD.EXE
  CMD: "C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE" C:\Users\admin\AppData\Local\Temp\document.doc
  Path: C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000
Total events: 3 176
Read events: 2 850
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 11
Text files: 7
Unknown types: 5

Dropped files

PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRD2E7.tmp.cvr
  MD5:
  SHA256:
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\~$ro.doc.rtf (type: pgc)
  MD5: 27E436145324000EFB1C82B66243684F
  SHA256: 9258534C6646A1353DFB4142C07283E5481CC6232D49158C60DED42A8256A021
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B667AD30-E3E4-4C33-B6F3-6BFEC9B1B7BC}.FSD (type: binary)
  MD5: 4A0CBDBCCD3FDF5C465B9BC234F50E82
  SHA256: 18DA4746763984A8B77840B0E09550CCACB9730576CAB34C15B9B9821D382D97
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: 549C706452A754496E0CB23165A3CD18
  SHA256: E413DF11DFF758AC92548A344DD653841366963AA0C67079465B05ADE86FC92F
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (type: binary)
  MD5: AFD872E65AA99B0F766B08A9D676A19A
  SHA256: 988D817CAC83737D9FA4CED1B0F7AC0D30737AC7F792BA23017837FBBE48C253
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD (type: binary)
  MD5: 537FEADF1AC437B8C76B8F576270D067
  SHA256: A41EB149F1AC9CF53C3CC0AA898D8F8899249F7435097205D6547BED19CCD047
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\template[1].doc (type: text)
  MD5: AEA376E720EC230E765CE077EDF2FD01
  SHA256: 07640E115918F9C4BBEE240004EA2E555FDCFFF125180DF65C45E525032F5856
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\{82349FE4-CDE3-4D38-A23E-54CAF70ABA26} (type: binary)
  MD5: AFD872E65AA99B0F766B08A9D676A19A
  SHA256: 988D817CAC83737D9FA4CED1B0F7AC0D30737AC7F792BA23017837FBBE48C253
PID 2440 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRB037.tmp.cvr
  MD5:
  SHA256:
PID 2948 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BB28F91D-7081-41A8-AA27-0030E6CA4AAB}.FSD (type: binary)
  MD5: 7EEF5CF17AF2AE5FA08E4C5B19101B91
  SHA256: 62E2EA71D0F6042CFED79DA0991D97D2AC6A726DECD1DA50C6B44A83440A10B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID 2948 (WINWORD.EXE): OPTIONS http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/
  HTTP code: 200; IP: 193.149.176.82:80; CN: DK; reputation: malicious
PID 2948 (WINWORD.EXE): GET http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php
  HTTP code: 200; IP: 193.149.176.82:80; CN: DK; type: text; size: 543 Kb; reputation: malicious
PID 3180 (EQNEDT32.EXE): GET http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI
  HTTP code: 200; IP: 193.149.176.82:80; CN: DK; type: binary; size: 6.38 Kb; reputation: malicious
PID 3180 (EQNEDT32.EXE): GET http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.rtf
  HTTP code: 200; IP: 193.149.176.82:80; CN: DK; type: text; size: 38.9 Kb; reputation: malicious
PID 3180 (EQNEDT32.EXE): GET http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.…
  HTTP code: 500; IP: 193.149.176.82:80; CN: DK; type: html; size: 532 b; reputation: malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID 3180 (EQNEDT32.EXE): 193.149.176.82:80, who.worksolution.buzz; ASN: DUPONT NUTRITION BIOSCIENCES ApS; CN: DK; reputation: malicious
PID 2948 (WINWORD.EXE): 193.149.176.82:80, who.worksolution.buzz; ASN: DUPONT NUTRITION BIOSCIENCES ApS; CN: DK; reputation: malicious

DNS requests

who.worksolution.buzz: 193.149.176.82 (reputation: malicious)
dns.msftncsi.com: 131.107.255.255 (reputation: shared)

Threats

PID 2948 (WINWORD.EXE): Potentially Bad Traffic: ET INFO HTTP Request to a *.buzz domain
PID 2948 (WINWORD.EXE): A Network Trojan was detected: ET TROJAN DonotGroup Maldoc Activity (GET)
PID 2948 (WINWORD.EXE): Potentially Bad Traffic: ET INFO HTTP Request to a *.buzz domain
PID 3180 (EQNEDT32.EXE): Potentially Bad Traffic: ET INFO HTTP Request to a *.buzz domain
PID 3180 (EQNEDT32.EXE): Potentially Bad Traffic: ET INFO HTTP Request to a *.buzz domain
PID 3180 (EQNEDT32.EXE): Potentially Bad Traffic: ET INFO HTTP Request to a *.buzz domain
No debug info