analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

example.rtf

Full analysis: https://app.any.run/tasks/c033e8dd-c4ba-47eb-95f9-5fff864bd3aa
Verdict: Malicious activity
Analysis date: February 19, 2019, 05:51:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

48F31C6F2619441F9150C5182F33FED4

SHA1:

2D82997F01C11B1BE9AE0151613C7C6DA5F74DF3

SHA256:

68BB3E0D6AB40A2B59C19B7B1A88BC55C16932484E88D6FD000FA9AF68B5787E

SSDEEP:

48:rOjNsP06EOWBgj5eaqJ6TDJT/hfJT/wJT/RVzwBrUQcQK49246JT/vWtp:rl06Lqgj5eaqW/mJwZ3Kw60P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2804)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2804)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs calc.exe no specs calc.exe no specs dw20.exe no specs dwwin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2804"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\example.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3708"C:\Windows\System32\calc.exe" C:\Windows\System32\calc.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1948"C:\Windows\System32\calc.exe" C:\Windows\System32\calc.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2580"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1348C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Application Error Reporting
Exit code:
0
Version:
14.0.6015.1000
3680C:\Windows\system32\dwwin.exe -x -s 1348C:\Windows\system32\dwwin.exeDW20.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Watson Client
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
732
Read events
695
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR98CB.tmp.cvr
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{188F40FB-AC26-4613-AC04-CFFF591997D3}.tmp
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFBC896C97DB180C2E.TMP
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$xample.rtfpgc
MD5:66122630B9F1C83355B71F2B66ABA8AC
SHA256:933A9D5AD0748C30D1F0F6123907607E03AA76352360ABAC1C49E9997A167E8A
2804WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\~WRL0001.tmpdocument
MD5:1DB02927677882422054DEA30CAC63D0
SHA256:70F036AA5467FE29B36E34D76DC2E85DED212CF9D8EA45D68E304ED14B5683A6
2804WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\~WRD0000.tmpdocument
MD5:CE5011779E62B7754977BAFB8BB874B8
SHA256:4079E1BA08BC84A3EF31F37013CD0D780D4E233360FC83D174E50B50056A9AC1
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E01AAB1-1ADC-47F5-92E6-6DDF87BF159B}.tmpbinary
MD5:2694FCC1EE99A834292EC5DB89D58C90
SHA256:8B5B56E20A874E0587785C9BB757FC58184BBA3332B4FA4CB4F8999A8E5C32A5
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\1696312.cvrsqm
MD5:FD91D23EEE8C351409DD434CE88E5BBB
SHA256:3877C404BD467D0192C90C223DD972E6D6358BAC6EF117567AC6247A00864154
2804WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:7B8D8F0F22BFFE8C9210FB71869EA470
SHA256:E46B2111FFFB8ED0961B6BEF60B74A9814DD3570D8D6F7DF2CA84869ABA557ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
example.rtf