File name:

sample.doc

Full analysis: https://app.any.run/tasks/b52df907-15ab-4600-a766-e5f2bcb537e3
Verdict: Malicious activity
Analysis date: June 21, 2025, 12:18:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
phishing
webdav
cve-2022-30190
exploit
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

52945AF1DEF85B171870B31FA4782E52

SHA1:

06727FFDA60359236A8029E0B3E8A0FD11C23313

SHA256:

4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784

SSDEEP:

192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 1080)
    • CVE-2022-30190 detected

      • WINWORD.EXE (PID: 2784)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 832)
    • Abuses WebDav for code execution

      • svchost.exe (PID: 832)
  • INFO

    • An automatically generated document

      • WINWORD.EXE (PID: 2784)
    • Reads Internet Explorer settings

      • WINWORD.EXE (PID: 2784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:05:26 23:08:14
ZipCRC: 0x6cd2a4df
ZipCompressedSize: 340
ZipUncompressedSize: 1312
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: -
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: -
Paragraphs: -
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: KIS2
RevisionNumber: 3
CreateDate: 2022:05:25 13:14:00Z
ModifyDate: 2022:05:25 13:14:00Z

XMP

Title: -
Subject: -
Creator: KIS2
Description: -
No data.
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

start winword.exe #PHISHING svchost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
832
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1080
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2784
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\sample.doc.docx
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
17 085
Read events
16 122
Write events
641
Delete events
322

Modification events

(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1040
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1049
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 3082
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1042
Value: Off
(PID) Process: (2784) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1055
Value: Off
Executable files
0
Suspicious files
20
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
2784
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR198E.tmp.cvr
MD5:
SHA256:
2784
WINWORD.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
binary
MD5:B49671F951717307AF4E24CF58EF5A22
SHA256:2C5752FFD176CEC9D51BDB1296EA663D00C45415FE6F7DEC2BD811F76389A6FB
2784
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
binary
MD5:060322CDF7D632EB8EE203CB85F32543
SHA256:B5D417FE01B153BE12B2077179B3CBA58D18AE10DE792F6834A86226560C0CE0
1080
svchost.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1E02.tmp
compressed
MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
2784
WINWORD.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96027925CAA49D567EF24E394DA96DDC_E3A1357637564DB9BE9C638629EAA28C
binary
MD5:55060152E01538DA09CDFC220862AFE4
SHA256:D6B2BC9D1E429896FE071FCC0ED201495E9DD345D919BDAA4953A1B109CAD7BE
2784
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MQHZYJMT.txt
text
MD5:AE463FD9823D058BF4089BF58F2A3932
SHA256:8609B6E20C04DFBA1C9513923140A5C02E0719F6A4690AFB222507EAF7F9DF41
2784
WINWORD.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96027925CAA49D567EF24E394DA96DDC_E3A1357637564DB9BE9C638629EAA28C
binary
MD5:49EC1E263A7FC5A4AF4EEF0819933CBA
SHA256:1B13195022F3DD626EF5E3D4E721D153BB41AD6119331D02DBD2CB90279B51CC
2784
WINWORD.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
binary
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
2784
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
binary
MD5:1A0F556E1C4CA79AE00B39C63FE007CF
SHA256:25ABB96449B06C655644A82565673DD1DC24187E6DBD345E14848A0A89052673
2784
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\{3371FB17-B6AC-403D-A043-1C1110D38B47}
binary
MD5:1A0F556E1C4CA79AE00B39C63FE007CF
SHA256:25ABB96449B06C655644A82565673DD1DC24187E6DBD345E14848A0A89052673
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
25
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2784
WINWORD.EXE
GET
200
72.246.169.163:80
http://x1.c.lencr.org/
unknown
whitelisted
2784
WINWORD.EXE
GET
200
184.24.77.65:80
http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgbDfqxCJlObkwJ9KGuu2JC5Yg%3D%3D
unknown
whitelisted
2784
WINWORD.EXE
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e0bdab21959fb02a
unknown
whitelisted
2784
WINWORD.EXE
HEAD
200
199.59.243.228:80
http://survey-smiles.com/
unknown
whitelisted
2784
WINWORD.EXE
HEAD
200
199.59.243.228:80
http://survey-smiles.com/
unknown
whitelisted
2784
WINWORD.EXE
HEAD
200
199.59.243.228:80
http://survey-smiles.com/
unknown
whitelisted
2784
WINWORD.EXE
HEAD
200
199.59.243.228:80
http://survey-smiles.com/
unknown
whitelisted
2784
WINWORD.EXE
POST
302
2.18.97.227:80
http://go.microsoft.com/fwlink/?LinkID=120750
unknown
whitelisted
2784
WINWORD.EXE
POST
302
2.18.97.227:80
http://go.microsoft.com/fwlink/?LinkID=120751
unknown
whitelisted
2784
WINWORD.EXE
POST
302
2.18.97.227:80
http://go.microsoft.com/fwlink/?LinkID=120752
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
2784
WINWORD.EXE
185.107.56.60:443
www.xmlformats.com
NForce Entertainment B.V.
NL
malicious
2784
WINWORD.EXE
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
2784
WINWORD.EXE
72.246.169.163:80
x1.c.lencr.org
AKAMAI-AS
DE
whitelisted
2784
WINWORD.EXE
184.24.77.65:80
r10.o.lencr.org
Akamai International B.V.
DE
whitelisted
832
svchost.exe
185.107.56.60:443
www.xmlformats.com
NForce Entertainment B.V.
NL
malicious
2784
WINWORD.EXE
199.59.243.228:80
survey-smiles.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
www.xmlformats.com
  • 185.107.56.60
unknown
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
x1.c.lencr.org
  • 72.246.169.163
whitelisted
r10.o.lencr.org
  • 184.24.77.65
  • 184.24.77.80
  • 184.24.77.52
  • 184.24.77.47
  • 184.24.77.53
  • 184.24.77.56
  • 184.24.77.69
  • 184.24.77.83
  • 184.24.77.77
whitelisted
survey-smiles.com
  • 199.59.243.228
whitelisted
go.microsoft.com
  • 2.18.97.227
whitelisted
activation.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2784
WINWORD.EXE
Misc activity
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
1 ETPRO signatures available at the full report
No debug info