File name:

factura.doc

Full analysis: https://app.any.run/tasks/7e38e91d-5c7c-4fc2-bb45-f81fa9fae1ca
Verdict: Malicious activity
Analysis date: July 14, 2024, 19:39:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
cve-2017-11882
MIME: text/rtf
File info: Rich Text Format data, version 7
MD5:

05C137D8E79CE59ED6E4B7CD78E5B8A2

SHA1:

3A41DE3774B6A17A34A8BEDF1A0881A3F08D492D

SHA256:

5A31C77293AF2920D7020D5D0236691ADCEA2C57C2716658CE118A5CBA9D4913

SSDEEP:

192:TMv9/nrxOgNIVk04Pre4VqPuc+17rf14g/gjXKSDxX8VxrdPJH:Yv9/rsok+Prz1dZKXDsjtJH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3264)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3264)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3264)

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3264)

  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3264)

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3264)

    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3264)

    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3264)

    • Manual execution by a user

      • WINWORD.EXE (PID: 3884)
      • WINWORD.EXE (PID: 324)
      • WINWORD.EXE (PID: 1828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe winword.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\spanishjobs.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
1828"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\screenapproach.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3264"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
3221225547
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3380"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\factura.doc.rtfC:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3884"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\addmiddle.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
24 274
Read events
21 996
Write events
1 074
Delete events
1 204

Modification events

(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:0<2
Value:
303C3200340D0000010000000000000000000000
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3380) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
1
Suspicious files
23
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3380WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE480.tmp.cvr
MD5:
SHA256:
3884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR179C.tmp.cvr
MD5:
SHA256:
1828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3863.tmp.cvr
MD5:
SHA256:
324WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5A72.tmp.cvr
MD5:
SHA256:
3884WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:CC5F8FF0D2F008EECF2294D3E4ECA0EA
SHA256:CB287357A0FA20A783BA81891B1526D8378FC62A01ADAD0E61B6B3531B1C3B82
3380WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:C1EF68B12A6ED73F8F23ACC292393101
SHA256:8C94FBE8CD43B93AF1F7FFB012AC8E540B345C07472DC4C31A8F76AC7CA97C3B
3380WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{11442F75-23F8-453F-9AE9-BD9BE0EEFD2B}.tmpbinary
MD5:5AC6FEA1042BFCC24BCA58339484EA2C
SHA256:99B7D337BCE8C51A5E064274B30413B2DFB9A5EA85DD67CDE9F8EDC6FAA51B8C
3884WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\addmiddle.rtf.LNKbinary
MD5:B060FEE53E594302A2F9C1314CBC8156
SHA256:EDE2BECFA7663F6B890C29495794C3D18960E884780A8E1EB121433D961AB81B
3884WINWORD.EXEC:\Users\admin\Desktop\~$dmiddle.rtfbinary
MD5:DB7AE994F397609D0E5BB78E5C7EDD6B
SHA256:CF42C26F7AF62040E1C13D786544F98317BBD47935A98F736762642BDCA4E8C5
3380WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6E327AB3-3366-4C3A-B762-B92424542695}.tmpbinary
MD5:87B084D5B447E610FBB9A8141FF2CB94
SHA256:973C438C0F95D2FF636AB5542F623C915C9AF0207793E0277B3F3B8AD01D75BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1060
svchost.exe
GET
304
217.20.57.18:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
whitelisted
3264
EQNEDT32.EXE
GET
404
185.36.74.48:80
http://seed-bc.com/juop4/plwr/mklo/rbn/jan2.exe
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
3264
EQNEDT32.EXE
185.36.74.48:80
seed-bc.com
Fastweb
IT
unknown
1372
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
seed-bc.com
  • 185.36.74.48
malicious
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
  • 217.20.57.18
  • 217.20.57.34
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
3264
EQNEDT32.EXE
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
factura.doc