File name: sample.doc
Full analysis: https://app.any.run/tasks/db12f1bc-69ba-466c-a673-7595086fe2c5
Verdict: Malicious activity
Analysis date: August 12, 2022, 14:50:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, cve-2022-30190
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 52945AF1DEF85B171870B31FA4782E52
SHA1: 06727FFDA60359236A8029E0B3E8A0FD11C23313
SHA256: 4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784
SSDEEP: 192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • CVE-2022-30190 detected
      • WINWORD.EXE (PID: 3580)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads the computer name
      • WINWORD.EXE (PID: 3580)
    • Checks supported languages
      • WINWORD.EXE (PID: 3580)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3580)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:05:26 23:08:07
ZipCRC: 0x6cd2a4df
ZipCompressedSize: 340
ZipUncompressedSize: 1312
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: -
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: -
Paragraphs: -
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: KIS2
RevisionNumber: 3
CreateDate: 2022:05:25 13:14:00Z
ModifyDate: 2022:05:25 13:14:00Z

XMP

Title: -
Subject: -
Creator: KIS2
Description: -
Total processes: 38
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winword.exe (no specs)

Process information

PID: 3580
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 3 637
Read events: 2 936
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD518.tmp.cvr | -
MD5: -
SHA256: -

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5A6F4CCA-814C-4374-B016-A57E02FA3B84}.FSD | binary
MD5: BFE1B928E401E3A6DA5E8BF028CEADB0
SHA256: 2AC6F7E95F9C22E0F2E1C29FEE7CFFA9344E170060C75FB8EC1B9755549166B9

3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 3A81A98EF3EA746BEBEC0A0E071C6470
SHA256: 4D708B00A51B865A7F79A8DD2E0D09D687ACFC38CAA2DCEB2C62CAB0E9E00910

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
MD5: B9EC245FEA1B3A2ED0C6F7CF559084B4
SHA256: FFA57255957BA07E3BB6440E52B50DECCF50966C3058127736B7023DD5132689

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
MD5: 945CBD80227968B0C9339BDE0E0A9105
SHA256: 90589629DF6E754AA369A1E1D8D73C599FBC587C953CD9FA49ECD99BAFBE5ACB

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$mple.doc.docx | pgc
MD5: 050AA1BCFD4A1B2DAB4B88D8C1D9DD44
SHA256: B18475EEB39FB936572D40C15C01CF63A0DABC9C205FDB2AB6BDEF09346F54AC

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2FE64880-6ED4-4739-AE1C-91E3C5BBF4CB}.FSD | binary
MD5: DAB4B3F1FCA84BF78466D768FA68A8C1
SHA256: 6082D8B413B8844EF985D5B637601F7F3E0CDCDC7F2BAEB367494B126DED9670

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{97318FF2-A21A-403C-B4D9-1520037FF19F} | binary
MD5: 945CBD80227968B0C9339BDE0E0A9105
SHA256: 90589629DF6E754AA369A1E1D8D73C599FBC587C953CD9FA49ECD99BAFBE5ACB

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{40B5620C-2CEC-4FC0-A5C3-7FD316675FE0} | binary
MD5: B9EC245FEA1B3A2ED0C6F7CF559084B4
SHA256: FFA57255957BA07E3BB6440E52B50DECCF50966C3058127736B7023DD5132689

3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary
MD5: D471A0BB5F0B8A9AC834E0172491B7F9
SHA256: 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
www.xmlformats.com | - | malicious

Threats

No threats detected
No debug info