File name:

P.O.docx

Full analysis: https://app.any.run/tasks/af53a460-f1ac-48b8-b9a6-32dd64df6ed2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 07:37:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
exploit
cve-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

C0D2EB0027375B50061631D76A5E98BD

SHA1:

72F5EB4CA91ABCF6F4ABC53F70BEB3E4FDC2ADB8

SHA256:

5648FC2B6D3ED7402B985EBDC9FCE8088D5FFD5F0010149E3BABAF51F8EC7EC6

SSDEEP:

192:B5yKGi65y4ZXuyMtWNRai0mqQTnhr5OzQT1QUP55D4LbFTB8GoA6avkW9mpTd:B5ypnQ8uyMtiRLLOzQT1QUDDQdrDmpZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2920)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2920)

    • Application was dropped or rewritten from another process

      • educr.exe (PID: 2148)

    • Loads dropped or rewritten executable

      • vbc.exe (PID: 2960)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2960)

  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • vbc.exe (PID: 2960)

    • Executed via COM

      • EQNEDT32.EXE (PID: 2920)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2540)

    • Executable content was dropped or overwritten

      • educr.exe (PID: 2148)
      • vbc.exe (PID: 2960)
      • EQNEDT32.EXE (PID: 2920)

    • Creates files in the user directory

      • educr.exe (PID: 2148)
      • EQNEDT32.EXE (PID: 2920)

    • Executes scripts

      • educr.exe (PID: 2148)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2540)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2540)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:09:19 02:24:04
ZipCRC: 0x82872409
ZipCompressedSize: 358
ZipUncompressedSize: 1422
ZipFileName: [Content_Types].xml

XML

Template: dotm.dotm
TotalEditTime: 1 minute
Pages: 1
Words: 1
Characters: 7
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Company: SPecialiST RePack
LinksUpToDate: No
CharactersWithSpaces: 7
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: Microsoft
RevisionNumber: 1
CreateDate: 2017:09:24 17:26:00Z
ModifyDate: 2017:09:24 17:27:00Z

XMP

Creator: Microsoft
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe educr.exe vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2148"C:\Users\admin\AppData\Roaming\educr.exe"C:\Users\admin\AppData\Roaming\educr.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\educr.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
2540"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\P.O.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
2920"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2960"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
educr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
782
Read events
680
Write events
91
Delete events
11

Modification events

(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:e8
Value:
65382000EC090000010000000000000000000000
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2540) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1328742442
(PID) Process:(2540) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1328742526
(PID) Process:(2540) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1328742527
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
EC0900007692A724BD6ED50100000000
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:}>
Value:
7D3E2000EC09000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:}>
Value:
7D3E2000EC09000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2540) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
51
Suspicious files
24
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8065.tmp.cvr
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{9D2A1CD8-03E5-482B-B19A-EDFFEB3210F0}
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{59BE77C8-B801-4FDB-A6A5-C3CC7D91019A}
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\edu[1].doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23D58F9C.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5D1440A.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3A0C089.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:
SHA256:
2920EQNEDT32.EXEC:\Users\admin\AppData\Roaming\educr.exeexecutable
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\edu.doc.urltext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
8
DNS requests
4
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2540
WINWORD.EXE
OPTIONS
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/
US
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
malicious
2540
WINWORD.EXE
GET
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
GET
304
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2920
EQNEDT32.EXE
GET
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/educr.exe
US
executable
801 Kb
malicious
2540
WINWORD.EXE
GET
304
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2540
WINWORD.EXE
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
2920
EQNEDT32.EXE
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
860
svchost.exe
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
2960
vbc.exe
96.125.164.155:443
evershinebd.net
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
steeleassociates.com.au
  • 69.195.124.141
malicious
steeleassociates-com-au.88angel.com.au
unknown
evershinebd.net
  • 96.125.164.155
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2920
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2920
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
P.O.docx