File name:

ST007 SWIFT confirmation.docx

Full analysis: https://app.any.run/tasks/80c976ab-4287-4399-840d-b65ae92102d3
Verdict: Malicious activity
Analysis date: October 24, 2024, 13:31:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
cve-2017-11882
exploit
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

8AE0873976DB80ED87C45FB1C3BAE104

SHA1:

CFF11D56BEFEF537B793E835E9A2861B54322641

SHA256:

66FE51D70891005923B3CC0B22E1044AB5537F00145A02EC63A46C1DBA30D10F

SSDEEP:

24576:EOiGjt1xs7UPS16j9t44f5LD463VSPSJlOH:EOiGjt1xs7UPS16j9t44f5X463VySJlW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EXPLOIT has been detected (SURICATA)

      • WINWORD.EXE (PID: 3008)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:10:24 13:09:12
ZipCRC: 0x29502273
ZipCompressedSize: 425
ZipUncompressedSize: 2492
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 1 minute
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
Company: Grizli777
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
Keywords: -
LastModifiedBy: 91974
RevisionNumber: 2
CreateDate: 2024:10:24 07:27:00Z
ModifyDate: 2024:10:24 07:28:00Z

XMP

Title: -
Subject: -
Creator: 91974
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #EXPLOIT winword.exe ai.exe no specs splwow64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3008"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ST007 SWIFT confirmation.docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4684"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "AC7F1C02-2468-408E-94CA-0496DC610CF7" "057157E4-62A3-42E9-AB31-A817B7F2A01E" "3008"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
7420C:\WINDOWS\splwow64.exe 8192C:\Windows\splwow64.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Print driver host for applications
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\splwow64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
16 352
Read events
15 920
Write events
393
Delete events
39

Modification events

(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3008
Operation:writeName:0
Value:
0B0E1036F16C4A93B14940BACE5B804D5F5959230046EAADF48491C3C9ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C017D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(3008) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
Executable files
33
Suspicious files
166
Text files
19
Unknown types
3

Dropped files

PID
Process
Filename
Type
3008WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:21EF1C85F7E2CD78FB908AB4D5C89031
SHA256:62D1EFBCC8E54E3C63C968E80594FB17BB437AAB38BB0C464B529739B7B198DE
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3F4739DD-ACEC-4B46-BC64-BFF88DAF5D58xml
MD5:120B77744F9E72AE5EF415374BCDC0A0
SHA256:A5DCD873B877194BDAE3E6FE9B9942A20E708D13E161FC932EED1172B2A8ACD4
3008WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:971C514F84BBA0785F80AA1C23EDFD79
SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
3008WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:67E486B2F148A3FCA863728242B6273E
SHA256:FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB
3008WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:28536B06E47A452067ADD185A819F1AA
SHA256:1BFD5CF86C6C74DDCB3D7A59379630B376B3DBE8A43D63E5E074AB53D765B45C
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BB58FE72.emfemf
MD5:BAC26D44041A62848E76DF33A12DC6DE
SHA256:ACF3F2AEFF8ABD7AC1FA635B5D9431DA2B26A968F150A1160B3C80A1DF0E33D9
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\weseeingthebestthingswithentirethinsgshoudbegood_______everythingveryfineforgreatthignstobeinthelinefor_______somethignnewthignswrwarecomingforgoodthings[1].doctext
MD5:86157210CF13494BBEB9D4808652A687
SHA256:BA2A2DF52CD4C726184D39828A4A4F91EE521C291341B390F3C2647732D6714C
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{34E648B8-7D5B-41D3-9EA1-B8A91D9DEE35}.tmpbinary
MD5:830FBF83999E052538EAF156AB6ECB17
SHA256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1E612AF9-8150-4A92-87E8-37B8D21A1F66}.tmpbinary
MD5:E82ACEA1C3E8B3AB470BD50E65077295
SHA256:05FB87774D9F4E698597EAA97E199E617412001E1849CA0E9D46B9FFB1739078
3008WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\FontCache\4\CloudFonts\MS Mincho\37327920121.ttf
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
119
DNS requests
27
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3008
WINWORD.EXE
GET
200
142.250.185.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
3008
WINWORD.EXE
GET
200
142.250.185.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
3008
WINWORD.EXE
HEAD
200
85.215.206.82:80
http://85.215.206.82/380/nnb/nn/weseeingthebestthingswithentirethinsgshoudbegood_______everythingveryfineforgreatthignstobeinthelinefor_______somethignnewthignswrwarecomingforgoodthings.doc
unknown
unknown
3008
WINWORD.EXE
GET
200
85.215.206.82:80
http://85.215.206.82/380/nnb/nn/weseeingthebestthingswithentirethinsgshoudbegood_______everythingveryfineforgreatthignstobeinthelinefor_______somethignnewthignswrwarecomingforgoodthings.doc
unknown
unknown
4700
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3008
WINWORD.EXE
HEAD
200
85.215.206.82:80
http://85.215.206.82/380/nnb/nn/weseeingthebestthingswithentirethinsgshoudbegood_______everythingveryfineforgreatthignstobeinthelinefor_______somethignnewthignswrwarecomingforgoodthings.doc
unknown
unknown
3008
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
864
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6944
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3008
WINWORD.EXE
52.109.32.97:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
3008
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3008
WINWORD.EXE
2.19.126.160:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted
3008
WINWORD.EXE
188.114.96.3:443
qrisni.me
CLOUDFLARENET
NL
unknown
3008
WINWORD.EXE
142.250.185.99:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
omex.cdn.office.net
  • 2.19.126.160
  • 2.19.126.151
whitelisted
qrisni.me
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 142.250.185.99
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.73
whitelisted
www.bing.com
  • 2.23.209.144
  • 2.23.209.161
  • 2.23.209.154
  • 2.23.209.156
  • 2.23.209.149
  • 2.23.209.158
  • 2.23.209.143
  • 2.23.209.150
  • 2.23.209.160
  • 2.23.209.142
  • 2.23.209.162
  • 2.23.209.141
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fs.microsoft.com
  • 184.28.90.27
whitelisted

Threats

PID
Process
Class
Message
3008
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
3008
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
3008
WINWORD.EXE
Potentially Bad Traffic
ET HUNTING Microsoft Office User-Agent Requesting A Doc File
3008
WINWORD.EXE
Misc Attack
EXPLOIT [ANY.RUN] Obfuscated RTF document including the CLSID of the Equation Editor (CVE-2017-11882)
3008
WINWORD.EXE
Misc activity
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
3008
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ST007 SWIFT confirmation.docx