analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

P.O.docx

Full analysis: https://app.any.run/tasks/af53a460-f1ac-48b8-b9a6-32dd64df6ed2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 07:37:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

C0D2EB0027375B50061631D76A5E98BD

SHA1:

72F5EB4CA91ABCF6F4ABC53F70BEB3E4FDC2ADB8

SHA256:

5648FC2B6D3ED7402B985EBDC9FCE8088D5FFD5F0010149E3BABAF51F8EC7EC6

SSDEEP:

192:B5yKGi65y4ZXuyMtWNRai0mqQTnhr5OzQT1QUP55D4LbFTB8GoA6avkW9mpTd:B5ypnQ8uyMtiRLLOzQT1QUDDQdrDmpZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2920)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2920)

    • Application was dropped or rewritten from another process

      • educr.exe (PID: 2148)

    • Loads dropped or rewritten executable

      • vbc.exe (PID: 2960)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2960)

  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2920)
      • educr.exe (PID: 2148)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2540)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2920)
      • educr.exe (PID: 2148)
      • vbc.exe (PID: 2960)

    • Executed via COM

      • EQNEDT32.EXE (PID: 2920)

    • Reads the cookies of Google Chrome

      • vbc.exe (PID: 2960)

    • Executes scripts

      • educr.exe (PID: 2148)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2540)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2540)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: Microsoft

XML

ModifyDate: 2017:09:24 17:27:00Z
CreateDate: 2017:09:24 17:26:00Z
RevisionNumber: 1
LastModifiedBy: Microsoft
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 7
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs:
  • Название
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 7
Words: 1
Pages: 1
TotalEditTime: 1 minute
Template: dotm.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1422
ZipCompressedSize: 358
ZipCRC: 0x82872409
ZipModifyDate: 2019:09:19 02:24:04
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe educr.exe vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2540"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\P.O.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
2920"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2148"C:\Users\admin\AppData\Roaming\educr.exe"C:\Users\admin\AppData\Roaming\educr.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2960"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
educr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Total events
782
Read events
680
Write events
0
Delete events
0

Modification events

No data
Executable files
51
Suspicious files
24
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8065.tmp.cvr
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{9D2A1CD8-03E5-482B-B19A-EDFFEB3210F0}
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{59BE77C8-B801-4FDB-A6A5-C3CC7D91019A}
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\edu[1].doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23D58F9C.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5D1440A.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3A0C089.doc
MD5:
SHA256:
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:604D20679FCE34020347F4941D072153
SHA256:2EBF8F7B98FDD5E55B6EFA2BBBB290C4C902043CB7B07FB93EC358E2D7D83D89
2540WINWORD.EXEC:\Users\admin\Desktop\~$P.O.docxpgc
MD5:B9F74980E2058665F9755ACB9E177C43
SHA256:FCD4141038CD95ADDBA27E04FF58F52D4391876DBB2BCCD690C4F54C7A253287
2540WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:F6B5A61C0BED9B88010827133115B91C
SHA256:C55152C9A4616AD3F16557D3A2D18D05C37CAE188CB52DF06C7CEBBE0CB117A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2540
WINWORD.EXE
OPTIONS
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/
US
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
860
svchost.exe
OPTIONS
301
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu
US
html
386 b
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
malicious
2540
WINWORD.EXE
GET
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
malicious
2540
WINWORD.EXE
GET
304
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
HEAD
200
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
2540
WINWORD.EXE
GET
304
69.195.124.141:80
http://steeleassociates.com.au/wordpress/wp-content/plugins/upspy/sank/edu/edu.doc
US
text
5.29 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2540
WINWORD.EXE
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
860
svchost.exe
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
2920
EQNEDT32.EXE
69.195.124.141:80
steeleassociates.com.au
Unified Layer
US
malicious
2960
vbc.exe
96.125.164.155:443
evershinebd.net
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
steeleassociates.com.au
  • 69.195.124.141
malicious
steeleassociates-com-au.88angel.com.au
unknown
evershinebd.net
  • 96.125.164.155
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2920
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2920
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
P.O.docx