File name: euro.doc
Full analysis: https://app.any.run/tasks/421f8880-e070-4b6d-90cf-6aa2d49da48f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from full remote control over the victim's machine to stealing data and files and dropping other malware, so the core functionality differs significantly from one family to the next. The most common trojan infection chain starts with a phishing email.

Analysis date: June 27, 2022, 09:33:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
trojan
donotgroup
apt
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 18AF861C7923DF5245F462D37830B486
SHA1: D81B63F942B2A8D37671FADA1B869024F1E17811
SHA256: 41C221C4F14A5F93039DE577D0A76E918C915862986A8B9870DF1C679469895C
SSDEEP: 768:MgnpnhOjj8MxfX3EqBjLW5qoX7LICSDmjl2/cqXz3HGSSmLdMjmxPcGecWAS+DUI:MM/hwRXymLdMjiMcWpK++JsLO/mOYPvM
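The file is tagged ole-embedded and identified as RTF, and the process list shows Equation Editor (EQNEDT32.EXE) being activated while Word renders it. The usual first triage step for such a sample is to pull the embedded OLE object out of the RTF and read its class name, because RTF carries embedded objects as a hex-encoded OLE 1.0 stream inside a `{\*\objdata ...}` group. The Python below is an added example, not part of the ANY.RUN report and not a reproduction of euro.doc: it builds a small constructed RTF with one embedded object, then parses it back. The object class "Equation.3" used for the constructed sample is an assumption; the report does not print the class of the real object.

```python
"""Pull embedded OLE 1.0 objects out of an RTF and report their class names.

Added example, not part of the ANY.RUN report. The document returned by
build_sample_rtf() is constructed here for demonstration and is NOT the
content of euro.doc; the class name "Equation.3" is an assumption.
"""
import re
import struct

OLE1_FORMAT_EMBEDDED = 0x00000002          # FormatID for an embedded (not linked) object
OBJDATA_OPEN = re.compile(r"\{\\\*\\objdata\b")
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")


def _rtf_group(text: str, start: int) -> str:
    """Return the contents of the RTF group whose '{' sits at text[start] (nesting-aware)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced RTF group")


def _hex_payload(group: str) -> bytes:
    """Strip nested groups and control words, then decode the remaining hex digits."""
    payload = group[len(r"\*\objdata"):]
    while True:                                   # drop nested {...} groups, innermost first
        stripped = re.sub(r"\{[^{}]*\}", "", payload)
        if stripped == payload:
            break
        payload = stripped
    payload = CONTROL_WORD.sub("", payload)
    digits = re.sub(r"[^0-9A-Fa-f]", "", payload)   # RTF allows whitespace/newlines in the hex
    return bytes.fromhex(digits[: len(digits) & ~1])


def _lpstr(data: bytes, off: int):
    """Length-prefixed ANSI string as used in the OLE1 header; returns (text, next offset)."""
    (n,) = struct.unpack_from("<I", data, off)
    raw = data[off + 4: off + 4 + n]
    return raw.split(b"\x00", 1)[0].decode("latin-1"), off + 4 + n


def parse_ole1(data: bytes) -> dict:
    """Parse the OLE 1.0 object stream carried in \\objdata:
    OLEVersion | FormatID | ClassName | TopicName | ItemName | NativeDataSize | NativeData."""
    version, fmt = struct.unpack_from("<II", data, 0)
    class_name, off = _lpstr(data, 8)
    topic_name, off = _lpstr(data, off)
    item_name, off = _lpstr(data, off)
    (size,) = struct.unpack_from("<I", data, off)
    native = data[off + 4: off + 4 + size]
    return {"version": version, "format": fmt, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": size, "native": native}


def extract_objects(rtf: str) -> list:
    """Return one parsed object per \\objdata group in the document."""
    out = []
    for m in OBJDATA_OPEN.finditer(rtf):
        obj = parse_ole1(_hex_payload(_rtf_group(rtf, m.start())))
        # An embedded Equation object is handed to EQNEDT32.EXE when the document is
        # opened, which is the process the report shows downloading and dropping files.
        obj["review"] = obj["format"] == OLE1_FORMAT_EMBEDDED and "equation" in obj["class_name"].lower()
        out.append(obj)
    return out


def build_sample_rtf(class_name: str, native: bytes) -> str:
    """Constructed test document: one embedded OLE1 object, hex stream split over lines."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"
    stream = struct.pack("<II", 0x00000501, OLE1_FORMAT_EMBEDDED)
    stream += lp(class_name.encode()) + lp(b"") + lp(b"")
    stream += struct.pack("<I", len(native)) + native
    hexed = stream.hex()
    body = "\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass %s}{\\*\\objdata\n%s}}\\par}"
            % (class_name, body))


if __name__ == "__main__":
    doc = build_sample_rtf("Equation.3", b"\x1c\x00\x00\x00\x02\x00")
    for o in extract_objects(doc):
        print(o["class_name"], hex(o["format"]), o["native_size"], "REVIEW" if o["review"] else "")
```

The parser tolerates the two things RTF writers legitimately do inside `\objdata` (line-wrapped hex and stray control words); it does not try to handle the `\bin` binary escape or deliberately malformed streams, so a sample that yields no object here still deserves a look with a full RTF tool.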

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • DONOTGROUP was detected

      • WINWORD.EXE (PID: 2952)
    • Loads dropped or rewritten executable

      • EQNEDT32.EXE (PID: 2032)
      • rundll32.exe (PID: 2560)
    • Loads the Task Scheduler COM API

      • EQNEDT32.EXE (PID: 2032)
    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 2032)
  • SUSPICIOUS

    • Checks supported languages

      • EQNEDT32.EXE (PID: 2032)
      • WINWORD.EXE (PID: 3396)
      • cmd.exe (PID: 1404)
      • WMIC.exe (PID: 2544)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2032)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 2032)
    • Executed via COM

      • EQNEDT32.EXE (PID: 2032)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 2032)
      • WINWORD.EXE (PID: 3396)
      • WMIC.exe (PID: 2544)
    • Executed via Task Scheduler

      • rundll32.exe (PID: 2560)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 2560)
    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 1404)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2952)
    • Checks supported languages

      • WINWORD.EXE (PID: 2952)
      • rundll32.exe (PID: 2560)
    • Reads the computer name

      • WINWORD.EXE (PID: 2952)
    • Manual execution by user

      • WINWORD.EXE (PID: 3396)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3396)
      • WINWORD.EXE (PID: 2952)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 49247
CharactersWithSpaces: 162
Company: home
Characters: 139
Words: 24
Pages: 1
TotalEditTime: -
RevisionNumber: 2
ModifyDate: 2022:05:14 15:37:00
CreateDate: 2022:05:14 15:37:00
LastModifiedBy: ismail - [2010]
Author: Windows User
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes, in the order shown: start, winword.exe (#DONOTGROUP), eqnedt32.exe, winword.exe (no specs), rundll32.exe (no specs), cmd.exe (no specs), wmic.exe (no specs)

Process information

PID: 1404
CMD: C:\Windows\system32\cmd.exe /c wmic csproduct get name
Path: C:\Windows\system32\cmd.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2032
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2544
CMD: wmic csproduct get name
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2560
CMD: C:\WINDOWS\system32\rundll32.exe "C:\Users\admin\AppData\Local\Temp\poksxgtihnjk52.dll",Ifgthjrgop
Path: C:\WINDOWS\system32\rundll32.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 2952
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\euro.doc.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\lpk.dll
PID: 3396
CMD: "C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE" C:\Users\admin\AppData\Local\Temp\document.doc
Path: C:\PROGRA~1\MICROS~1\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
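The process table gives the chain that the signatures above summarise: WINWORD.EXE (2952) opens the RTF; EQNEDT32.EXE (2032) is started by svchost.exe with -Embedding, which is how an embedded OLE object's server is activated through COM; it drops an executable and loads the Task Scheduler COM API; rundll32.exe (2560) is then started by taskeng.exe with a DLL from the user's Temp directory and export Ifgthjrgop; and that DLL runs cmd.exe /c wmic csproduct get name. The Python below is an added example, not part of the report and not ANY.RUN's own signature logic: it turns the chain into detection rules over process-creation and file-creation telemetry and links the rundll32 payload back to the process that wrote it. The events are constructed from the table (PIDs, command lines and parent names); the full parent image paths, the file-creation event for poksxgtihnjk52.dll (the report only states that EQNEDT32.EXE dropped an executable) and the benign control event are assumptions.

```python
"""Detect the Equation Editor -> drop -> scheduled task -> rundll32 -> wmic chain from
process-creation and file-creation telemetry.

Added example, not part of the ANY.RUN report and not its signature logic. EVENTS is
constructed from the report's process table; parent image paths, the file-creation
event and the benign control event are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str                 # "process" = process creation, "file" = file creation
    pid: int
    image: str                # image path of the acting process
    parent_image: str = ""    # process events only
    cmdline: str = ""         # process events only
    target: str = ""          # file events only: path that was written


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# rundll32 argument: "<path>.dll",<export>
RUNDLL_ARG = re.compile(r'"?([a-z]:\\[^",]+\.dll)"?\s*,\s*([^\s]+)', re.I)


def detect(events: List[Event]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    dropped: Dict[str, int] = {}   # lower-cased path of a written executable -> PID that wrote it

    for e in events:
        img, parent = _base(e.image), _base(e.parent_image)
        cmd = e.cmdline.lower()

        if e.kind == "file" and img == "eqnedt32.exe" and e.target.lower().endswith((".dll", ".exe")):
            dropped[e.target.lower()] = e.pid
            findings.append({"rule": "eqnedt32_drops_executable", "pid": e.pid, "detail": e.target})
            continue
        if e.kind != "process":
            continue

        # Equation Editor started by svchost.exe with -Embedding: COM activation of an
        # embedded object, i.e. a document handed it an Equation object.
        if img == "eqnedt32.exe" and parent == "svchost.exe" and "-embedding" in cmd:
            findings.append({"rule": "eqnedt32_com_activation", "pid": e.pid,
                             "detail": "EQNEDT32.EXE activated via COM (embedded OLE object)"})

        # rundll32 loading a DLL from the user's Temp; from taskeng.exe it came via a
        # scheduled task (ATT&CK T1053.005 + T1218.011).
        if img == "rundll32.exe":
            m = RUNDLL_ARG.search(e.cmdline)
            if m and USER_TEMP.search(m.group(1)):
                f: Dict[str, object] = {
                    "rule": "rundll32_temp_dll_via_task_scheduler" if parent == "taskeng.exe"
                            else "rundll32_temp_dll",
                    "pid": e.pid,
                    "detail": f"{m.group(1)},{m.group(2)} (parent {parent})",
                }
                dropper = dropped.get(m.group(1).lower())
                if dropper is not None:
                    f["linked_dropper_pid"] = dropper
                findings.append(f)

        # wmic csproduct get name (T1047): the product name string reveals the hypervisor
        # on a VM, so this query is commonly used to fingerprint sandboxes.
        if img == "wmic.exe" and parent == "cmd.exe" and "csproduct" in cmd:
            findings.append({"rule": "wmic_csproduct_fingerprint", "pid": e.pid, "detail": e.cmdline})
    return findings


FULL_CHAIN = {"eqnedt32_com_activation", "eqnedt32_drops_executable",
              "rundll32_temp_dll_via_task_scheduler", "wmic_csproduct_fingerprint"}


def is_full_chain(findings: List[Dict[str, object]]) -> bool:
    return FULL_CHAIN <= {f["rule"] for f in findings}


EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS = [
    Event("process", 2952, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
          r"C:\Windows\Explorer.EXE",
          r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\euro.doc.rtf"'),
    Event("process", 2032, EQN, r"C:\Windows\System32\svchost.exe", '"%s" -Embedding' % EQN),
    # assumed: the dropped executable is the DLL rundll32.exe later loads
    Event("file", 2032, EQN, target=r"C:\Users\admin\AppData\Local\Temp\poksxgtihnjk52.dll"),
    Event("process", 2560, r"C:\WINDOWS\system32\rundll32.exe", r"C:\Windows\System32\taskeng.exe",
          r'C:\WINDOWS\system32\rundll32.exe "C:\Users\admin\AppData\Local\Temp\poksxgtihnjk52.dll",Ifgthjrgop'),
    Event("process", 1404, r"C:\Windows\system32\cmd.exe", r"C:\WINDOWS\system32\rundll32.exe",
          r"C:\Windows\system32\cmd.exe /c wmic csproduct get name"),
    Event("process", 2544, r"C:\Windows\System32\Wbem\WMIC.exe", r"C:\Windows\system32\cmd.exe",
          r"wmic csproduct get name"),
    # constructed benign control: rundll32 from Explorer loading a system DLL
    Event("process", 4100, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\Explorer.EXE",
          r'C:\Windows\system32\rundll32.exe "C:\Windows\system32\shell32.dll",Control_RunDLL'),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("full chain:", is_full_chain(EVENTS and detect(EVENTS)))
```

Each rule is useful on its own (an Equation Editor process writing an executable, or rundll32 loading from %TEMP% under taskeng.exe, is worth an alert without the rest), and the dropper link is what lets an analyst tie the scheduled-task execution back to the document process rather than treating it as a separate incident.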
Total events: 4 875
Read events: 4 100
Write events: 641
Delete events: 134

Modification events

PID 2952 (WINWORD.EXE), operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Name: <l;
Value: 3C6C3B00880B0000010000000000000000000000

PID 2952 (WINWORD.EXE), operation: write (nine values under the same key)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Names: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042
Value (each): Off
Executable files: 1
Suspicious files: 11
Text files: 7
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD49C.tmp.cvr | -
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFDD4B38-1EBA-4FDA-8EAD-F437325B2317} | binary
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ro.doc.rtf | pgc
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{57D2EEEA-3B28-46AD-A478-74F2B9BAFE55}.FSD | binary
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
3396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDC87.tmp.cvr | -
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2D49E4D9-0689-484F-8645-B44B7DC10041}.FSD | binary
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{1E5955BF-548C-4107-8F4E-444517D41A68} | binary
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\template[1].doc | text
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 9
DNS requests: 1
Threats: 15

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2952 | WINWORD.EXE | HEAD | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | - | - | malicious
2952 | WINWORD.EXE | OPTIONS | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ | DK | - | - | malicious
828 | svchost.exe | PROPFIND | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
2952 | WINWORD.EXE | HEAD | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | text | 543 Kb | malicious
2032 | EQNEDT32.EXE | GET | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI | DK | binary | 6.38 Kb | malicious
828 | svchost.exe | PROPFIND | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
828 | svchost.exe | OPTIONS | 301 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub | DK | html | 254 b | malicious
2032 | EQNEDT32.EXE | GET | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.rtf | DK | text | 38.9 Kb | malicious
2952 | WINWORD.EXE | HEAD | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | text | 543 Kb | malicious
2952 | WINWORD.EXE | GET | 200 | 193.149.176.82:80 | http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php | DK | text | 543 Kb | malicious
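The request sequence in the HTTP table has three parties on one host: WINWORD.EXE (2952) issues HEAD and OPTIONS to the path, svchost.exe (828) follows with PROPFIND and OPTIONS, which is consistent with the Windows WebClient (WebDAV) service probing the resource the document referenced, and only then does EQNEDT32.EXE (2032) fetch a binary and a second .rtf from the same path. The Python below is an added example, not part of the report and not ANY.RUN's detection logic: it groups per-process HTTP records by host, looks for that "Office process touches a host, a non-browser helper downloads a binary from it" pattern, and derives the shared URL path as a tighter pivot for blocking and hunting than the bare domain. LOG is constructed from the table (PIDs, processes, methods, status codes, URLs and content types); the timestamps, the one-line log format and the benign chrome.exe control line are assumptions.

```python
"""Correlate per-process HTTP requests to spot an Office document pulling remote
content while a helper process downloads a binary from the same host.

Added example, not part of the ANY.RUN report and not its signature logic. LOG is
constructed from the report's HTTP request table; timestamps, the log format and the
chrome.exe control line are assumptions.
"""
import os
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# fields: time pid process method status url content-type ("-" when not recorded)
LOG = """\
09:33:41 2952 WINWORD.EXE HEAD 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php -
09:33:41 2952 WINWORD.EXE OPTIONS 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/ -
09:33:42 828 svchost.exe PROPFIND 301 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub html
09:33:42 828 svchost.exe OPTIONS 301 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub html
09:33:43 2952 WINWORD.EXE HEAD 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php text
09:33:45 2032 EQNEDT32.EXE GET 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI binary
09:33:46 2032 EQNEDT32.EXE GET 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.rtf text
09:33:50 2952 WINWORD.EXE GET 200 http://who.worksolution.buzz/pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php text
09:34:10 3100 chrome.exe GET 200 http://example.org/update.bin binary
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
WEBDAV_PROBES = {"PROPFIND", "OPTIONS"}    # sent by the WebClient service, hosted in svchost.exe


def parse_log(text: str) -> List[Dict[str, str]]:
    fields = ("time", "pid", "process", "method", "status", "url", "type")
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def analyse(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in records:
        by_host[urlsplit(r["url"]).hostname or ""].append(r)

    findings: List[Dict[str, object]] = []
    for host, rs in by_host.items():
        office_pids = sorted({int(r["pid"]) for r in rs if r["process"].lower() in OFFICE})
        webdav = any(r["process"].lower() == "svchost.exe" and r["method"] in WEBDAV_PROBES
                     for r in rs)
        helper_downloads = [r for r in rs
                            if r["method"] == "GET" and r["type"] == "binary"
                            and r["process"].lower() not in (OFFICE | BROWSERS)]
        if office_pids and helper_downloads:
            dl = helper_downloads[0]
            findings.append({
                "host": host,
                "office_pids": office_pids,
                "webdav_probe": webdav,
                "downloader": dl["process"],
                "downloader_pid": int(dl["pid"]),
                "binary_url": dl["url"],
                # longest path prefix shared by every request to the host
                "path_pivot": os.path.commonprefix([urlsplit(r["url"]).path for r in rs]),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(LOG)):
        print(f)
```

The WebDAV probe is recorded as a separate flag rather than a hard requirement because the WebClient service is not always enabled; the Office-plus-helper-download pair is the part of the pattern that should page someone on its own.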

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2952 | WINWORD.EXE | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious
828 | svchost.exe | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious
2032 | EQNEDT32.EXE | 193.149.176.82:80 | who.worksolution.buzz | DUPONT NUTRITION BIOSCIENCES ApS | DK | malicious

DNS requests

Domain | IP | Reputation
who.worksolution.buzz | 193.149.176.82 | malicious

Threats

PID | Process | Class | Message
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
828 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain
2952 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN DonotGroup Maldoc Activity (GET)
2952 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.buzz domain