File name:

information_03.26.doc

Full analysis: https://app.any.run/tasks/d17ff438-1c68-4ea0-8ac1-eaa3a461899b
Verdict: Malicious activity
Analysis date: May 15, 2025, 17:19:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
macros
macros-on-open
maldoc-3
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

067A81A0426DCEFEE0869B05AD6786A2

SHA1:

6A163B472A7A2EAC32064311F63C6E6A60BB31B0

SHA256:

62ECC8950E8BE104E250304FDC32748FCADAEAA677F7C066BE1BAA17F940EDA8

SSDEEP:

3072:ibww2mwowlU2plrOpD1YF+0kLlciBKBw2eYEtTdm0Fht50xJaXlb8vxVxN1E:ibEmH4UMlOB1YF1wlcXofNhtIsVbKk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious document

      • WINWORD.EXE (PID: 4880)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1184)

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 1184)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WINWORD.EXE (PID: 1184)

    • Reads Microsoft Outlook installation path

      • microsoft.com (PID: 5064)

    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 1184)

    • Reads security settings of Internet Explorer

      • microsoft.com (PID: 5064)

    • Reads Internet Explorer settings

      • microsoft.com (PID: 5064)

    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 1184)
      • microsoft.com (PID: 5064)

  • INFO

    • Reads mouse settings

      • WINWORD.EXE (PID: 1184)

    • Creates files in the program directory

      • WINWORD.EXE (PID: 1184)

    • Manual execution by a user

      • WINWORD.EXE (PID: 1184)

    • The sample compiled with english language support

      • WINWORD.EXE (PID: 1184)

    • Checks supported languages

      • microsoft.com (PID: 5064)

    • Reads the computer name

      • microsoft.com (PID: 5064)

    • Reads Environment values

      • microsoft.com (PID: 5064)

    • Checks proxy server information

      • microsoft.com (PID: 5064)

    • Creates files or folders in the user directory

      • microsoft.com (PID: 5064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x0c0cc35b
ZipCompressedSize: 400
ZipUncompressedSize: 1505
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: 3
Paragraphs: -
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Manager: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: admin
RevisionNumber: 2
CreateDate: 2020:03:26 01:41:00Z
ModifyDate: 2020:03:26 01:41:00Z
Category: -

XMP

Title: -
Subject: -
Creator: ohubnaqj
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe sppextcomobj.exe no specs slui.exe no specs ai.exe no specs winword.exe microsoft.com no specs ai.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1184"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\information_03.26.doc" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4880"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\information_03.26.doc.docx /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5064c:\programdata\microsoft.com c:\programdata\index.htmlC:\ProgramData\microsoft.comWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\microsoft.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
7352"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "1B56E67C-3681-4306-BDF1-4685B3ABEA26" "5C8222CD-EF0A-4209-9284-CF0057C28F4D" "1184"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
7788C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7828"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8028"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "FA574D83-2A07-450B-845A-8D14544FCDF2" "924D3AEF-210B-4299-B4B8-83C6E4A6073D" "4880"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
21 094
Read events
19 859
Write events
1 128
Delete events
107

Modification events

(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4880
Operation:writeName:0
Value:
0B0E101EC21B7E32274340AAB1C44013D977CF230046A3BEF1E1D7B7F1ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5119026D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(4880) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
35
Suspicious files
143
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
4880WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:6BE4E7AEF13AE0E0C14BE7363431F1EE
SHA256:B6624BA1F1FAA09EC712F7FA340A1B169E19F863D447E8A44BD4826C012C67E2
4880WINWORD.EXEC:\Users\admin\Desktop\~$formation_03.26.doc.docxbinary
MD5:EB28F18B883C51600CA519BBB484256E
SHA256:9ECAD84FBFDB72F1B3EFCA930803A8138A6CECBFFE6A9E1755E3C6E2EE5285B0
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:76D4B8A76C2B2CBC53C9C30DC5915BEC
SHA256:D1ADE45E538EA9A248B33D817764CB0B1FAF7BAE7D2F52F63C1E1666CAE11AFA
4880WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Diagnostics\WINWORD\App1747329556280551300_7E1BC21E-2732-4043-AAB1-C44013D977CF.log
MD5:
SHA256:
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:D804E1A4FC6D202C1871B450767871CD
SHA256:50EF760162DED4220287444DDA377E8D01E5E206A2DC96837CC98014ACBFDA12
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.jsonbinary
MD5:66924D8FE574D68E89D147A36B4A43FC
SHA256:4D7282D39BA7A610FBE2293DFED1CA4BC6903B4AEE1FAF87624B6994AB4A6FD5
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
4880WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9binary
MD5:4535282698D197BDF3FF9ED89179D06C
SHA256:A7BB6ED5016A595C5B8A7C0E9C8F0A05D46FF7F9CC790842B419DA41E8607BF1
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E021D45B-2DED-4D47-9894-974E12D28F42}.tmpbinary
MD5:830FBF83999E052538EAF156AB6ECB17
SHA256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
4880WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonbinary
MD5:F5A0FBF6DB5254A1E882E09C78B6A0EB
SHA256:C3338F7C5CD465788643D4A5D5EB920A8411DBF2A1C9CDC8EFA361D277E3AC49
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
79
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4880
WINWORD.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5056
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5056
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1184
WINWORD.EXE
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1184
WINWORD.EXE
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5024
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4880
WINWORD.EXE
52.109.32.97:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
omex.cdn.office.net
  • 2.16.168.119
  • 2.16.168.101
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
roaming.officeapps.live.com
  • 52.109.89.19
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
information_03.26.doc