File name: sample.doc

Full analysis: https://app.any.run/tasks/bcf03b5e-0e49-4550-9675-00834fb2aafd
Verdict: Malicious activity
Analysis date: May 18, 2025, 05:42:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, phishing, webdav, cve-2022-30190, exploit
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 52945AF1DEF85B171870B31FA4782E52
SHA1: 06727FFDA60359236A8029E0B3E8A0FD11C23313
SHA256: 4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784
SSDEEP: 192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • PHISHING has been detected (SURICATA)
      • svchost.exe (PID: 1080)
    • CVE-2022-30190 detected
      • WINWORD.EXE (PID: 740)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • svchost.exe (PID: 832)
    • Abuses WebDav for code execution
      • svchost.exe (PID: 832)
  • INFO
    • An automatically generated document
      • WINWORD.EXE (PID: 740)
    • Reads Internet Explorer settings
      • WINWORD.EXE (PID: 740)
    • Manual execution by a user
      • explorer.exe (PID: 1120)
      • WINWORD.EXE (PID: 3068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:05:26 23:08:14
ZipCRC: 0x6cd2a4df
ZipCompressedSize: 340
ZipUncompressedSize: 1312
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: -
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: -
Paragraphs: -
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: KIS2
RevisionNumber: 3
CreateDate: 2022:05:25 13:14:00Z
ModifyDate: 2022:05:25 13:14:00Z

XMP

Title: -
Subject: -
Creator: KIS2
Description: -
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes: start, winword.exe (#PHISHING), svchost.exe, explorer.exe (no specs), winword.exe (no specs), svchost.exe

Process information

PID: 740
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\sample.doc.docx
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 832
CMD: C:\Windows\system32\svchost.exe -k LocalService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1080
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1120
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3068
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\particularlytotal.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 27 175
Read events: 25 104
Write events: 1 259
Delete events: 812

Modification events

PID | Process | Key | Operation | Name | Value
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | br | 62722000E4020000010000000000000000000000
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off
740 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off
Executable files: 1
Suspicious files: 29
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1632.tmp.cvr | - | - | -
740 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | 3763F9A0E6528A241298F0851EDCA315 | 395DE451A5F8ED7E196B3E1E7589369F49FB3674CDE64288BBCD789D3CDC30FF
740 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | E8EA58E7E3FF695037B1633B973926F3 | 49E858447287AFEBB0CA8B175E72BC8681172CE147C9C834D3397DF6F2483125
1080 | svchost.exe | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Tar1F6B.tmp | binary | 91A1B89AA7A488DBB204DBB4767F1F21 | F6BE95C88C20EF82EE8A6878E16F9ECD77300BC1905EB826592A0DD41AD1C0F8
740 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\11GS3T50.txt | text | 658E9A7022260678F438C8C6C9661B33 | 341312D758E6A7D103DF602D1E8A2616D9FF8FA7AB030514D2547879A1D5E913
740 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96027925CAA49D567EF24E394DA96DDC_E3A1357637564DB9BE9C638629EAA28C | binary | BA2A1E8AA459985CADE0CB432015C0D7 | E3B1F2E7DA700B11499F32D5BA091EE2051C415A6377DB8A76DD71E77FD78583
740 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96027925CAA49D567EF24E394DA96DDC_E3A1357637564DB9BE9C638629EAA28C | binary | 64FC3E15B9A2FAE5B63E3E9DABAA76ED | B3E3CDF0C1993E55339D4B6AC744713EF1BD25F55D80197C7E2012242FD76B26
740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | EE4D5296871E2806FFA1D9D9DA27580E | 3BB6E901F4EA2F50A1D008F93B466A3EA723066617728471176538ABDCBE1F2C
740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4318A094-9E89-496C-8F0C-C233248DEF53}.FSD | binary | 7C68B72C1E641185382A91C0590A9A30 | 13BD95F342BFBA034BB1E2CCFFF551A163B96D45910DBD5D387C75C1BD53DD60
740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 25
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
740 | WINWORD.EXE | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | whitelisted
740 | WINWORD.EXE | GET | 200 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a187eb57ab76515 | unknown | whitelisted
740 | WINWORD.EXE | HEAD | 200 | 199.59.243.228:80 | http://survey-smiles.com/ | unknown | whitelisted
740 | WINWORD.EXE | HEAD | 200 | 199.59.243.228:80 | http://survey-smiles.com/ | unknown | whitelisted
740 | WINWORD.EXE | POST | 302 | 95.100.186.9:80 | http://go.microsoft.com/fwlink/?LinkID=120750 | unknown | whitelisted
740 | WINWORD.EXE | HEAD | 200 | 199.59.243.228:80 | http://survey-smiles.com/ | unknown | whitelisted
740 | WINWORD.EXE | POST | 302 | 95.100.186.9:80 | http://go.microsoft.com/fwlink/?LinkID=120752 | unknown | whitelisted
740 | WINWORD.EXE | POST | 302 | 95.100.186.9:80 | http://go.microsoft.com/fwlink/?LinkID=120751 | unknown | whitelisted
740 | WINWORD.EXE | HEAD | 200 | 199.59.243.228:80 | http://survey-smiles.com/ | unknown | whitelisted
740 | WINWORD.EXE | GET | 200 | 184.24.77.46:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgbDfqxCJlObkwJ9KGuu2JC5Yg%3D%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
740 | WINWORD.EXE | 185.107.56.59:443 | www.xmlformats.com | NForce Entertainment B.V. | NL | unknown
740 | WINWORD.EXE | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
740 | WINWORD.EXE | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | whitelisted
740 | WINWORD.EXE | 184.24.77.46:80 | r10.o.lencr.org | Akamai International B.V. | DE | whitelisted
832 | svchost.exe | 185.107.56.59:443 | www.xmlformats.com | NForce Entertainment B.V. | NL | unknown
740 | WINWORD.EXE | 199.59.243.228:80 | survey-smiles.com | AMAZON-02 | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
www.xmlformats.com
  • 185.107.56.59
unknown
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.216
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r10.o.lencr.org
  • 184.24.77.46
  • 184.24.77.52
  • 184.24.77.53
  • 184.24.77.67
whitelisted
survey-smiles.com
  • 199.59.243.228
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
activation.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
740 | WINWORD.EXE | Misc activity | ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
1 ETPRO signatures available at the full report
No debug info