File name: euro.doc
Full analysis: https://app.any.run/tasks/421f8880-e070-4b6d-90cf-6aa2d49da48f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: June 27, 2022, 09:33:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, trojan, donotgroup, apt
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 18AF861C7923DF5245F462D37830B486
SHA1: D81B63F942B2A8D37671FADA1B869024F1E17811
SHA256: 41C221C4F14A5F93039DE577D0A76E918C915862986A8B9870DF1C679469895C
SSDEEP: 768:MgnpnhOjj8MxfX3EqBjLW5qoX7LICSDmjl2/cqXz3HGSSmLdMjmxPcGecWAS+DUI:MM/hwRXymLdMjiMcWpK++JsLO/mOYPvM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • DONOTGROUP was detected
      • WINWORD.EXE (PID: 2952)
    • Drops executable file immediately after starts
      • EQNEDT32.EXE (PID: 2032)
    • Loads dropped or rewritten executable
      • EQNEDT32.EXE (PID: 2032)
      • rundll32.exe (PID: 2560)
    • Loads the Task Scheduler COM API
      • EQNEDT32.EXE (PID: 2032)
  • SUSPICIOUS
    • Executed via COM
      • EQNEDT32.EXE (PID: 2032)
    • Reads the computer name
      • EQNEDT32.EXE (PID: 2032)
      • WINWORD.EXE (PID: 3396)
      • WMIC.exe (PID: 2544)
    • Drops a file with a compile date too recent
      • EQNEDT32.EXE (PID: 2032)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 2032)
    • Checks supported languages
      • EQNEDT32.EXE (PID: 2032)
      • WINWORD.EXE (PID: 3396)
      • cmd.exe (PID: 1404)
      • WMIC.exe (PID: 2544)
    • Starts CMD.EXE for commands execution
      • rundll32.exe (PID: 2560)
    • Executed via Task Scheduler
      • rundll32.exe (PID: 2560)
    • Uses WMIC.EXE to obtain a system information
      • cmd.exe (PID: 1404)
  • INFO
    • Checks supported languages
      • WINWORD.EXE (PID: 2952)
      • rundll32.exe (PID: 2560)
    • Reads the computer name
      • WINWORD.EXE (PID: 2952)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2952)
    • Manual execution by user
      • WINWORD.EXE (PID: 3396)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2952)
      • WINWORD.EXE (PID: 3396)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)

EXIF (RTF)
InternalVersionNumber: 49247
CharactersWithSpaces: 162
Company: home
Characters: 139
Words: 24
Pages: 1
TotalEditTime: -
RevisionNumber: 2
ModifyDate: 2022:05:14 15:37:00
CreateDate: 2022:05:14 15:37:00
LastModifiedBy: ismail - [2010]
Author: Windows User
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph: winword.exe (#DONOTGROUP), eqnedt32.exe, winword.exe, rundll32.exe, cmd.exe, wmic.exe (per-process details in the full report)

Process information

PID: 2952
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\euro.doc.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2032
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3396
CMD: "C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE" C:\Users\admin\AppData\Local\Temp\document.doc
Path: C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2560
CMD: C:\WINDOWS\system32\rundll32.exe "C:\Users\admin\AppData\Local\Temp\poksxgtihnjk52.dll",Ifgthjrgop
Path: C:\WINDOWS\system32\rundll32.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1404
CMD: C:\Windows\system32\cmd.exe /c wmic csproduct get name
Path: C:\Windows\system32\cmd.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2544
CMD: wmic csproduct get name
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 875
Read events: 4 100
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 11
Text files: 7
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD49C.tmp.cvr | -
  MD5: - | SHA256: -
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFDD4B38-1EBA-4FDA-8EAD-F437325B2317} | binary
  MD5: 88B5E9F7AE767A6B7E7B72DA9F7367C4 | SHA256: 379232EAE021DF6B14335468857A2A01CF894FE46E48D31D8157637C27D688EF
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{57D2EEEA-3B28-46AD-A478-74F2B9BAFE55}.FSD | binary
  MD5: DB433FC38A445FF2D06705571AE985E4 | SHA256: 29C4C156DAFE682307C235D4A3F4BEA2BA1AA92511C14E632C058DC98E9A869E
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
  MD5: 88B5E9F7AE767A6B7E7B72DA9F7367C4 | SHA256: 379232EAE021DF6B14335468857A2A01CF894FE46E48D31D8157637C27D688EF
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{801CF050-520A-4C10-92E2-371D2464525B}.tmp | binary
  MD5: EF69A40F9B6AC71EDC80CD7488A43C17 | SHA256: 6500F354754A5E58D632606136F8B990B1E7F068A03845253F66CF445C2C65E8
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{1E5955BF-548C-4107-8F4E-444517D41A68} | binary
  MD5: D407E0B882BA814CE572EAD2BFA830F0 | SHA256: EAA1F6DA3CE2339434089685AE3B53D4EC9237C30F7A9D3616AFBE97E058532F
2032 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\poksxgtihnjk52.dll | executable
  MD5: 65BBDA25AD307488F89EF409D5B819A1 | SHA256: 2393E0EE12686F5DA57926DF59EF2C5DC90A7662EEE319527398AC07033DAC16
2952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 549C706452A754496E0CB23165A3CD18 | SHA256: E413DF11DFF758AC92548A344DD653841366963AA0C67079465B05ADE86FC92F
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ro.doc.rtf | pgc
  MD5: DBA90CE023EB3EA232B00566EC7F1156 | SHA256: A8E1E64F9F5A75E036929676E152CBB7F8ACD12ED69C51D2E9F929740E6161E5
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2D49E4D9-0689-484F-8645-B44B7DC10041}.FSD | binary
  MD5: F3B6D402553E56402D97ECA61BDB981A | SHA256: F19C364DC7F4826614561542DF05BF3DBD9AB4FE5CBEA9095DD1D1727886CDBB
HTTP(S) requests: 14
TCP/UDP connections: 9
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | WINWORD.EXE | HEAD | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | - | - | malicious
2952 | WINWORD.EXE | OPTIONS | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ | DK | - | - | malicious
2952 | WINWORD.EXE | HEAD | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | text | 543 Kb | malicious
828 | svchost.exe | PROPFIND | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
828 | svchost.exe | PROPFIND | 405 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ | DK | html | 225 b | malicious
828 | svchost.exe | OPTIONS | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
2952 | WINWORD.EXE | GET | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | text | 543 Kb | malicious
828 | svchost.exe | OPTIONS | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ | DK | html | 254 b | malicious
828 | svchost.exe | PROPFIND | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
828 | svchost.exe | PROPFIND | 405 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ | DK | html | 225 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2952 | WINWORD.EXE | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious
2032 | EQNEDT32.EXE | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious
828 | svchost.exe | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious

DNS requests

Domain | IP | Reputation
who.worksolution.buzz | 193.149.176.82 | malicious

Threats

PID | Process | Class | Message
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
2952 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN DonotGroup Maldoc Activity (GET)
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
No debug info