File name: sample.doc
Full analysis: https://app.any.run/tasks/501d0ab3-7d7c-43f4-9b2e-7718a7322838
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:45:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, cve-2022-30190
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 52945AF1DEF85B171870B31FA4782E52
SHA1: 06727FFDA60359236A8029E0B3E8A0FD11C23313
SHA256: 4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784
SSDEEP: 192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • CVE-2022-30190 detected (WINWORD.EXE, PID 2840)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Checks supported languages (WINWORD.EXE, PID 2840)
    • Reads the computer name (WINWORD.EXE, PID 2840)
    • Creates files in the user directory (WINWORD.EXE, PID 2840)
    • Reads Microsoft Office registry keys (WINWORD.EXE, PID 2840)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: KIS2
Subject: -
Title: -

XML

ModifyDate: 2022:05:25 13:14:00Z
CreateDate: 2022:05:25 13:14:00Z
RevisionNumber: 3
LastModifiedBy: KIS2
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: -
Lines: -
DocSecurity: None
Application: Microsoft Office Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1312
ZipCompressedSize: 340
ZipCRC: 0x6cd2a4df
ZipModifyDate: 2022:05:26 23:08:07
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
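The report tags the sample cve-2022-30190 and TRiD identifies the .doc-named file as an OOXML (.docx) ZIP container. Follina-style documents carry their payload reference in word/_rels/document.xml.rels as an oleObject relationship with TargetMode="External" pointing at a remote URL, so a static check on the container finds it without opening the file in Word. The script below is an added triage example, not code from the ANY.RUN report or its tooling: it first confirms the file really is an OOXML container regardless of extension, then lists every external relationship and flags the oleObject-to-URL pattern. The two .docx containers it scans are constructed in memory; the www.xmlformats.com target in the constructed malicious sample is an assumption drawn from the report's DNS lookup, since the report does not show the document's relationship XML.

```python
"""Static triage of an OOXML document for a CVE-2022-30190 (Follina) style
external OLE link.  Added example; not code from the ANY.RUN report."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = OFFICE_REL + "/oleObject"
HYPERLINK_REL_TYPE = OFFICE_REL + "/hyperlink"


def is_ooxml(data: bytes) -> bool:
    """True for a ZIP container holding [Content_Types].xml, whatever the
    extension says (the report's sample.doc is really a .docx)."""
    if not data.startswith(b"PK"):
        return False  # legacy .doc starts with the CFB magic D0 CF 11 E0, not PK
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Collect every Relationship with TargetMode="External" from all .rels parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a broken .rels part carries nothing we can classify
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({"part": name, "id": rel.get("Id"),
                                 "type": rel.get("Type", ""),
                                 "target": rel.get("Target", "")})
    return findings


def is_follina_candidate(findings: list[dict]) -> bool:
    """An oleObject relationship whose target is a remote URL is the Follina
    delivery pattern: Word resolves the linked object when the file is opened,
    without any macro.  External hyperlinks are ordinary and are not flagged."""
    for rel in findings:
        target = rel["target"].strip().lower()
        if rel["type"] == OLE_REL_TYPE and target.startswith(("http://", "https://")):
            return True
    return False


def build_docx(document_rels: str) -> bytes:
    """Constructed minimal .docx (not the report's sample); only the parts the
    scanner reads are populated."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '</Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
            '</Relationships>'),
        "word/_rels/document.xml.rels": document_rels,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed relationship parts.  The host below is assumed from the DNS lookup
# in the report; the report does not show the document's relationship XML.
# Follina samples appended "!" to the target, which is kept here for realism.
MALICIOUS_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId996" Type="{OLE_REL_TYPE}" '
    'Target="http://www.xmlformats.com/page.html!" TargetMode="External"/>'
    '</Relationships>')

BENIGN_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" '
    'Target="https://example.com/" TargetMode="External"/>'
    '</Relationships>')

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        doc = build_docx(rels)
        ext = find_external_relationships(doc)
        print(label, "ooxml:", is_ooxml(doc), "external:", ext,
              "follina-candidate:", is_follina_candidate(ext))
```

A hit here is a strong lead rather than proof: the remote HTML that carries the ms-msdt: invocation is not inside the document, and in this run the sandbox recorded only one DNS lookup and no TCP connections, so nothing past the initial lookup was observed. Any external oleObject link in a document that arrived by mail deserves the same scrutiny whatever the host, since the domain is trivially changed between campaigns.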
Total processes: 37
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Process information

PID: 2840
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 3 663
Read events: 2 963
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 2

Dropped files (all written by WINWORD.EXE, PID 2840)

C:\Users\admin\AppData\Local\Temp\CVR46FE.tmp.cvr
  Type: -
  MD5: -
  SHA256: -
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{54996778-E1E1-4926-B85D-02109E4D477D}.FSD
  Type: binary
  MD5: 932876CB7F78769E9D05F5F2B7EFB292
  SHA256: 8AF5D5F8A52176A9165F63973B2CD0F755EBEC63F525C4D91A1D3F3FD335AB95
C:\Users\admin\AppData\Local\Temp\{BB981D84-7C4B-489D-821A-D3C0983301C2}
  Type: binary
  MD5: 67BE64C37CF6D4E48F72BE916A0BFCB3
  SHA256: E5F79C3BC11535662095F1D8ECBD2BEE1E7366995A2B9F9598496C550C7FF015
C:\Users\admin\AppData\Local\Temp\{07FF3A0D-9BE4-44B0-9F83-A1F7026F3750}
  Type: binary
  MD5: C6FD1258C253005A51F786B81B39E4A2
  SHA256: 6F00C2A9EBFF4C3C162BC4463505EDE8B4C6C441F5ABC981120EF2C8FBBFB389
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B629558E-4592-4DF8-85BA-D34EA3947EFF}.FSD
  Type: binary
  MD5: F835EB0F97963629C6CB474336F39561
  SHA256: A48A319A89CFEA80C31F485D1383982ED1EBADAFC723C842B45A97AA4DBE3460
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
  Type: binary
  MD5: 67BE64C37CF6D4E48F72BE916A0BFCB3
  SHA256: E5F79C3BC11535662095F1D8ECBD2BEE1E7366995A2B9F9598496C550C7FF015
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: BA7A8C3F66A2A0E2319C31AEEC3955D0
  SHA256: 0EC6232CC2BED849997473CE4BE0A30665F3A4D606250DB1E1CF8E309559005C
C:\Users\admin\AppData\Local\Temp\~$mple.doc.docx
  Type: pgc
  MD5: 21AA390E7BBE1479E6B53F9BA8138FC9
  SHA256: 9A85A0B2DB203F3976BAB3F8353ECF90BD6147C0D3DF1C32265C59F87092B532
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Type: binary
  MD5: C6FD1258C253005A51F786B81B39E4A2
  SHA256: 6F00C2A9EBFF4C3C162BC4463505EDE8B4C6C441F5ABC981120EF2C8FBBFB389
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
  Type: binary
  MD5: D471A0BB5F0B8A9AC834E0172491B7F9
  SHA256: 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

Only a single DNS lookup was recorded; with no TCP/UDP connections and WINWORD.EXE as the only monitored process, nothing beyond that initial lookup was observed in this run.

HTTP requests

No HTTP requests
Connections

No data

DNS requests

Domain: www.xmlformats.com
IP: -
Reputation: malicious

Threats

No threats detected
No debug info